A managed service provider can maintain an organization’s network better than many IT departments can. It benefits from economies of scale and full-time specialists. Using an MSP is especially attractive for small to medium businesses that can’t keep a 24-hour IT staff and security specialists. Regular updates, monitoring, and backups help to keep systems running properly, with little downtime.
However, MSPs are themselves targets. Threat groups go after them in the hope of getting access to all their clients at once. To keep clients safe, MSPs need to observe the highest security standards for their own systems. When you’re choosing a company to handle your IT, you have to be sure it takes its own security seriously.
Breaches of MSPs
In February 2019, a ransomware attack encrypted data on 1,500 to 2,000 computers belonging to clients of a single MSP. The attack took advantage of a flaw in a remote management tool that the MSP used. Because that tool already had administrative access to every client endpoint, the attackers who took control of it could push ransomware to all of those machines at once, as if they were the MSP’s own administrators. The MSP received a ransom demand of $2.6 million. This particular flaw can be patched, but managers at other MSPs have said they could just as easily have been the victims.
On September 19, 2018, a different ransomware attack compromised an MSP’s server. The server hosted protected health records, and the records of 16,055 patients were affected. The information was all recovered with the help of a computer forensics firm, but every patient still had to be notified because of HIPAA breach-notification requirements. Regulatory requirements for the security of personal health records are especially strict, and breaches due to negligence can result in very large fines.
Perhaps the biggest attack on MSPs ever was Operation Cloud Hopper, which PwC called “one of the largest ever sustained global cyber espionage campaigns.” The perpetrator was a group called APT10, believed to be based in China. It attacked MSPs in many countries, including the United States, Japan, Australia, South Africa, and Brazil. It gained its initial foothold with spearphishing email messages that looked legitimate, deployed a variety of tools inside the MSPs’ networks, and then used the MSPs’ legitimate access to reach their clients’ systems.
What to do
Not all MSPs are equally good at security. The ones that aren’t good amount to one-stop shopping for criminals. It’s important to choose one that uses the best practices and has a proven record. Look at each prospective provider carefully, and ask some pointed questions.
- Do they protect their own systems as carefully as they protect client systems?
- What happens when an employee leaves the MSP? Is there a defined process to ensure that he or she can no longer access the MSP’s clients or client information?
- Are their own tools kept up to date with all security patches?
- Do they encrypt sensitive data, both at rest and in transit?
- Is multi-factor authentication required for access to sensitive data?
- Is remote access logged, recorded, and audited?
- Does each client have separate credentials, or is there a “master password” common to multiple clients and systems?
- Do they have disaster recovery in place for their own systems, and are their backups protected from ransomware (for example, kept offline or otherwise unreachable from the systems they back up)?
- How often are backup systems tested?
Ask to talk to the technical people, not just sales representatives. They’ll be able to give you the answers you need.
Even with an MSP, you have to be vigilant about your own organization’s security. A good provider will give you advice on what you need to do.
Reasons to consider Pegasus
If you’re concerned about the security of your managed services, contact Pegasus. We have a thorough system of protections against client breaches, including the following:
- Security awareness training for your staff. Employees need to be aware of risks and how to avoid them.
- Callback verification for password resets and other changes. We make sure it’s really you.
- Encryption and multi-factor authentication. We take strong measures to protect client credentials, remote access, work history, and service requests.
- Logging and auditing. Analysis of our logs can point at problems so we can fix them quickly.
- Encryption at rest. We encrypt all onsite data, as well as offsite backup data.
- Detailed employee exit procedures, including automatic resets of any client credentials the departing employee knew.
When the security of your data matters, you need to be confident it’s in good hands. Talk to us to find out how Pegasus can give you the level of service and safety you need.