ON THE HORIZON
MSP SECURITY
PUT TO THE TEST
CYBERSECURITY ATTACKS CONTINUE TO TARGET MSPs IN AN ATTEMPT TO MASS-INFECT CUSTOMERS
Data breaches and hacks plague the IT industry. Ever-present but unpredictable, they represent massive challenges for MSPs and their clients, requiring vigilance and continual monitoring and bolstering of defenses.
In June, the Sodinokibi ransomware made headlines when hackers used it to compromise multiple MSPs. These ransomware attacks were reportedly executed through MSPs: adversaries who were accessing MSP networks via remote desktop services then pushed the ransomware to client endpoints using various management consoles, such as Webroot, ConnectWise, and Kaseya. While some were quick to blame this breach on weaknesses in the solution providers’ security, the reality is that these systems were compromised not because of shortcomings in the software but because of poor cybersecurity hygiene on the part of the MSP.
Simply put, MSPs are being directly targeted because attackers realize that compromising the credentials of a single MSP can ultimately provide them with “the keys to the kingdom” of hundreds of businesses.
These recent attacks highlight the importance of not relying solely on usernames and passwords to protect critical IT systems; how users log in is typically the weakest point in the protective chain of IT security. This isn’t as much a technical issue as it is simply a combination of human nature and the delicate balance between ease of use and proper security protocols.
Don’t Poke Holes In Password-based Protection.
Usernames and passwords are soft targets for malcontents. Over and over again, these credentials are the top target for data breaches because they can unlock access to so many different places. Nearly every week, there’s another report of massive compromises, from 50 million Instagram accounts to 1.5 billion WhatsApp credentials.
Usernames are consistently reused across multiple systems and websites, and passwords are also frequently recycled or “iterated” upon in predictable ways, even when users are forced to change them regularly, which creates a disincentive for the user to get creative and use unique passwords. So, when a data breach extracts a haul of these credentials, it represents a threat not only to the organization that was hacked but also to any other site or system where those individuals might use the same or similar usernames and passwords.
Even when individuals aren’t reusing and recycling passwords, the passwords they choose are typically far too weak to begin with. The vast majority of passwords (80–90%) are eight characters in length and include a special character, number, or capitalized letter. But those eight characters are no match for the software available to hackers, who can crack them in just a few minutes, particularly if the dictionaries and encryption keys are also available.
By contrast, a 12–14-character password can take upward of a decade to decipher, proving for once that bigger really is better. But longer passwords highlight the challenge on the human side of the equation: People are lazy and don’t want to put in the effort to create unique passwords for every site and system, and, given the sheer number of websites that a person logs into on a routine basis, they definitely won’t remember them if passwords are twice as long.
This is where MSPs can offer additional value by not only educating, recommending, and (potentially) requiring longer passwords but also by providing password management as part of their service offering. These tools stop users from recycling predictable passwords while simultaneously removing the burden of having to remember and keep track of them all.
While this is great advice for MSP customers, it’s also a best practice for MSPs themselves. MSP employees have access to a ton of sensitive information across multiple clients, so there’s no excuse for taking shortcuts in-house while preaching better policies to others.
Great Passwords Aren’t Enough.
Even the best password hygiene is still only scratching the surface of what MSPs and their clients can do to protect themselves from hackers and malware. To provide a better buffer between hackers and critical data, MSPs must get their customers to utilize two-factor authentication.
Requiring an additional step in the authentication process is the perfect preventive strategy for phishing emails and counteracting data breaches that allow credentials to fall into the wrong hands. Unfortunately, there’s a lot of inherent resistance to adopting this superior security mechanism because
6 | MSPSUCCESSMAGAZINE.COM • VOLUME 1 ISSUE 3