When MSPs are the weakest security link


Traditionally, the customers of managed services providers (MSPs) have been painted as the key targets for cyber criminals. The logic follows that those needing to outsource their IT are also those with gaps in their expertise - which the bad guys can exploit.

The systematic targeting of service providers is on the rise, however, with research from 2019 showing that MSPs are the leading source of third-party risks in IT security. Cyber criminals are on the constant hunt for new network entry points, and MSPs are especially enticing. After gaining access to an MSP’s network, hackers also gain access to the networks of their customers by weaponising their systems.

This form of attack has been rife over the years. PwC UK and BAE Systems uncovered a Chinese espionage campaign dubbed Cloud Hopper in 2017, for instance. The campaign targeted MSPs around the world, compromising their intellectual property and sensitive data, along with their clients’ data.

MSPs must accept the reality that they’re just as much, or sometimes even more, of a target than their customers. As a foundational component of their obligation to protect their customers, MSPs must be diligent about securing their own networks.

The warning signs are flashing

If an MSP isn’t aware they’re a target, it cannot be because they haven’t been warned. In addition to a string of headlines, governments have been actively issuing warnings about the targeting of IT service providers.

The US Department of Homeland Security, for example, in 2018 issued a public warning that advanced persistent threat (APT) actors are actively exploiting the trust relationships in IT service providers’ networks around the world.

For the channel, the growing number of businesses seeking an MSP partner is obviously a good thing. When embracing new customers, however, MSPs must also evaluate the heightened risk that comes with new business wins.

For a hacker, it’s tempting to target those MSPs that hold the most valuable customer keys. With new business, MSPs’ networks can also become complex and, as a result, hard to manage, as well as being more susceptible to exploitation. Weighing these risks should be part of an assessment that will ideally take place before onboarding new customers.

Practice what you preach

Most MSPs will already know how to implement and maintain good levels of cyber hygiene, meaning there’s no excuse to not be applying this kind of security best practice internally.

MSPs should tier access so that employees only have the access they need to do their job - and no more. When it comes to remote access, in addition to multi-factor authentication (MFA), MSPs should have policies in place that force technicians to terminate remote access as soon as IT issues emerge. They should also monitor all access and look for potential misuse.

When MSPs are evaluating the valuable assets that a customer holds, it’s important to think bigger picture than financial and account information. If a customer holds particularly sensitive data, such as medical records, then it’s the MSP’s job to ensure that this data is properly protected. If a customer could be a target of a sophisticated state-sponsored attack - as a critical infrastructure provider, for example - then an MSP must fully understand the particulars of defending this infrastructure.

Associating risk with individual customers in this way brings us to a zero-trust philosophy, which proposes that organisations evaluate and assign user rights in a way that balances operational need with risk. It’s not just something MSPs should preach to their customers, but something they should apply to their own networks. MSPs must establish the “crown jewels” that they hold, whether it’s customer data, information, credentials or otherwise, and restrict access. In zero-trust networks, it typically takes the form of an 80/20 split, with 80% of users having limited general access and 20% of special users having role-based privileges.

Steering clear of extinction events

When we warn of “extinction events”, we’re referring to security incidents so catastrophic that they leave businesses with no choice but to close their doors for good. In addition to the customer, they can force MSPs to shut up shop too.

MSPs are in the crosshairs as much as their customers today, possibly more so. To address this, MSPs must ensure their own security measures do not just meet best practice standards but go beyond them.

If an MSP fails to take its security seriously, its customers most certainly will. A security incident that compromises customers can negatively impact the MSP-client relationship, and a major incident can easily lead to a mass exodus of customers given the loss of faith.

Security needs to start with the MSP and the MSP must set the example for the customers. Those MSPs that embrace security internally and for their customers will be the MSP leaders of tomorrow.

Tim Brown is VP of Security with SolarWinds MSP