In early April, the U.K.’s National Cyber Security Centre and cyber units at PwC and BAE Systems discovered that a Chinese group called APT 10 had been using custom malware and spear phishing to secure access to sensitive information held by target companies. The interesting thing about APT 10’s approach? Rather than hacking target companies themselves, they went through managed-service providers (MSPs), which have deep access to data from multiple organizations. Although it may be too early to say whether this event is indicative of a larger trend, it serves as a call to action for MSPs to enhance their security offerings.
MSPs’ Make or Break Moment
Historically, businesses have viewed MSPs as trusted mission-critical IT advisors. These providers have proved hugely valuable—so much so that a 2016 Comptia report found that 64 percent of organizations are using some sort of managed service. MSPs have uniquely offered unmatched insight into organizations’ data center environments, service portfolios, applications requirements, and service and compliance levels, along with the technology to act on these insights.
But in today’s cloud-dominated world, we’re seeing new demands from businesses. Delivering actionable insights is no longer enough for MSPs to maintain their position in the value chain. What’s become increasingly evident is that MSPs must get serious about information security. According to a Sonian survey of more than 320 MSPs, 64 percent said they are seeing strong customer interest in security offerings.
We’re seeing this security need in two forms: data preservation and data access. On the data-preservation front, MSPs must ensure that the data has not been tampered with or altered. Such a violation usually becomes a ransomware issue. MSPs must also ensure that the data can’t leak or be stolen by unauthorized parties. This kind of violation typically becomes a negative public-relations or political issue.
Best Practices for Rolling Out Security Measures
Although making security a priority may seem like a daunting task, MSPs can follow certain best practices to seamlessly roll out security enhancements.
1. Implement measures to prevent hackers from accessing or altering customer data. One simple step all MSPs should take is to review their current email-security settings. Increasing protection strength to “maximum” is an incredibly easy but highly effective way to prevent hackers from gaining data access.
MSPs that store customer data in the cloud must use a reliable cloud vendor. They should start by seeking out vendors that employ security specialists and architects to design battle-tested environments that ensure resiliency and privacy. Indicators of a good vendor include security-control offerings, best-practice checklists, website “support” tabs, product manuals, security advisories and technical papers that can help MSPs navigate their cloud journey.
MSPs should also keep an eye out for vendors that hold third-party certifications, including SOC2, PCI, HIPAA and FedRAMP. These certifications indicate that the vendors meet important criteria related to factors such as structural organization, policy and procedural communications, risk management, control monitoring, systems operations, and change maintenance.
2. Take advantage of new security services that specifically target MSPs. Certain third-party security offerings from vendors such as Kaseya, Continuum and Pax8 can help MSPs increase protection against phishing and ransomware attacks, which can compromise user and password credentials.
3. Prioritize security training and awareness. Training employees on security is always important—but it’s especially crucial at MSPs, which have high staff turnover and more-junior skills.
Employers should train their teams on common hacking tricks to help them better identify suspicious activity. For instance, many security compromises happen when employees receive what appears to be a password-reset email. Even if it looks legitimate, it can contain rogue messages. If employees open these rogue messages and follow the instructions listed in the email, they are essentially handing their inbox—and all the sensitive information it contains—to a hacker.
To effectively educate employees on cloud-based email security, MSPs might consider having them take a web-based training course. The classes typically last no more than an hour and cover topics such as configuration management, virtualization security and application security. They can also cover approaches for data encryption, network encryption, key management and data life-cycle concerns—all of which helps team members understand the challenges and solutions related to cloud security.
By following these best practices, MSPs will finally deliver the security that their customers increasingly demand. Not only will the MSPs improve customer relationships, but they’ll also position themselves as a higher-value player in the market, ultimately fueling growth. In fact, Sonian’s survey of MSPs found that of those that had implemented security offerings, more than half said these offerings had served as large business drivers in the past year. With all this information in mind, security is truly an investment MSPs can’t afford to ignore.
About the Author
Greg Arnette is founder and CTO of Sonian, Inc. Greg has been a messaging, collaboration, Internet and networking expert for over 15 years, and he advised leading corporations on the management and administration of email systems. He has also worked with AWS infrastructure as a service since 2006, creating innovative software applications for an enterprise audience. Before Sonian, Greg was founder and CTO for IntelliReach Corporation, an SaaS email-governance service that was acquired by Infocrossing.