Since the beginning of the pandemic, IT managed service providers (MSPs) have increasingly found themselves prime targets for cyberattacks. Recent research revealed that since the onset of the pandemic, cyberattacks against MSPs increased by 90%, while attempted cyberattacks against MSP-customers increased by 82%. In response to these findings, the cybersecurity authorities of Australia, NZ, the UK, Canada and the USA last week issued a joint advisory containing specific recommendations for MSPs and their customers to help them reduce their exposure to cyberattacks and improve their overall data security.
In this article, we look at the key recommendations contained in the advisory. They provide a timely reminder of the key steps that MSPs and MSP-customers can take to help protect themselves. The recommendations should also guide contractual negotiations for new IT managed service agreements, as well as reviews of existing arrangements.
Key recommendations for MSPs and their customers:
- Prevent initial compromise by improving the security of vulnerable devices, protecting internet-facing services, defending against brute force and password spraying and defending against phishing.
- Enable and improve monitoring and logging processes by storing important logs for six months, implementing and maintaining a segregated logging regime to detect threats to networks, implementing endpoint detection and network defence monitoring capabilities (in addition to using allow / deny listings for applications).
- Enforce multi-factor authentication to increase security of remote access applications and review configuration policies to protect against “fail open” and “re-enrolment” scenarios.
- MSP-customers should take note that based on recent research, only 40% of MSPs have implemented multi-factor authentication across their own systems. Accordingly, MSP-customers should ensure that their agreements with their MSPs require the MSPs to (a) have multi-factor authentication systems in place; and (b) enforce such systems across their network.
- Manage internal architecture risks and segregate internal networks by identifying, grouping and isolating critical business systems and applying appropriate network security controls to them.
- Apply the principle of ‘least privilege’ throughout the organisation by implementing ‘tiering models’ for administrators’ accounts, immediately updating account privileges upon changes to administrators’ roles, only allowing full privileges when strictly necessary and limiting access privileges of high-risk devices, servers and user accounts.
- Deprecate obsolete accounts and infrastructure by disabling user accounts and re-setting passwords to any shared accounts immediately upon transition / turnover of personnel, regularly auditing network infrastructure (focussing on infrastructure along the MSP-customer boundary) and disabling any unused systems and services identified during those audits.
- Apply updates as soon as they become available, including to software, operating systems, applications and firmware and prioritise security updates applicable to software with known vulnerabilities.
- Backup systems and data, particularly critical systems, by regularly taking backup images, maintaining backups that are appropriately encrypted and separate from the organisation’s network (i.e. offsite, offline or in a cloud based server).
- MSP-customers should be aware that although backup services are a core offering of MSPs, recent research indicates that only 40% of MSPs are backing up workstations at intervals of 48 hours or less. MSP-customers should therefore consider whether to negotiate a minimum back-up frequency with their MSP.
- Develop and exercise incident response and recovery plans that are up-to-date, available in hard copy and clearly set out the roles and responsibilities of the MSP and the MSP-customer and specific personnel within each organisation in the event of a cyber incident.
- Understand and proactively manage supply chain risks by undertaking risk assessments with input from information security, legal and procurement personnel from across the organisation and ensuring that managed services contracts are clear as to whether the MSP or MSP-customer is responsible for key matters including hardening, detection and incident response.
- Promote transparency by ensuring contractual commitments between MSPs and MSP-customers are clearly defined. This means MSP-customers should understand which services they are obtaining from the MSP and which services are outside the scope of the arrangement. Where any of the organisation’s security requirements are not being met due to certain services sitting outside the scope of the arrangement with the MSP, appropriate alternative arrangements should be put in place.
- Manage account authentication and authorisation by adhering to ‘best practice’ standards for password and permissions management for all systems across the organisation. For example, ensure that logs of failed authentication attempts are reviewed, restrict MSP accounts to systems managed by the MSP, undertake audits to ensure that MSP accounts are only used for necessary purposes and that these accounts are disabled when not in use.
The full advisory contains practical guidance and further resources for each recommendation and is a must-read for MSPs and MSP-customers.
Authors: Karen Fanning, Michael Caplan