Managed services providers have long preached to their customers the importance of implementing cybersecurity measures. Despite their sermons, however, many of those same MSPs have failed to strengthen their own security practices.
MSPs sometimes neglect internal security when they focus exclusively on customers. That was the case for New England Systems Inc. (NSI), an MSP based in Naugatuck, Conn., before retooling its approach. NSI's security deficits eventually caught up with the MSP in 2019, when the company suffered a data breach.
"Everything [was] customer first," said NSI President Tom McDonald. "You don't think your security and processes and controls are as critical to customers' successes."
Following the breach, NSI hired security firm Infosec Consulting to audit its internal processes. The audit led to several improvements, as well as to a joint venture. NSI and Infosec Consulting partnered to form NSI Infosec, which works with MSPs to ensure their data and systems are protected. The joint security assessments aim to identify vulnerabilities MSPs typically overlook, such as whether past employees or clients still have access to an MSP's systems, McDonald said.
It can be difficult, however, to get MSPs on board. "It's not an easy thing to make happen because no one wants to admit they've had these issues or wants this help," he said.
Meanwhile, NSI's 2019 data breach has had long-term repercussions. McDonald said he recently spoke with NSI's insurance company to confirm the remaining settlements with clients affected by the breach. "It's months and years to get past it, and it never really ends," he said. "The fallout is devastating."
3 steps to improve internal security
MSPs can do a number of things to boost internal security. Here's a sampling of the cybersecurity measures MSPs can undertake.
Adopt a cybersecurity framework
An established framework can guide an internal security upgrade.
Of the various frameworks available, NSI chose to follow the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Prior to its breach, NSI had relied on NIST to perform vulnerability assessments for clients but hadn't applied it internally. "Internally, there wasn't a framework as much as basic housekeeping -- determining who had access to what," McDonald said.
Develop an incident response plan
With the support of Infosec Consulting, NSI developed a training program to educate sales and engineering staff on how to respond to cybersecurity incidents.
Infosec also helped NSI assign an employee to the role of "incident commander," a point person for the incident response process, McDonald said. "[Incident commander is] terminology we never thought of before we had internal security training," he added.
Lunavi Inc., an MSP based in Cheyenne, Wyo., applies the same customer-oriented incident response practices to internal incidents, according to Lunavi CIO Cortney Thompson. "We follow our same standard procedures we have had for years, and we continually iterate based on incidents," Thompson said. "We've had everything from natural disasters to security breaches to pandemics, by the nature of our business."
Evaluate security tools and skills
At the beginning of NSI's reboot, the MSP didn't need to invest in new security technologies or services. However, as its practices improved, NSI began to look at security products differently, McDonald said. Eventually, NSI decided to change DNS providers. Additionally, NSI realized its security operations center wasn't flagging important information, so McDonald decided to implement a different service.
The adoption of new security technologies can sometimes require hiring new staff, Thompson noted. Lunavi uses telemetry tools from Microsoft for internal security. Additionally, the MSP has developed capabilities around Azure Sentinel, Microsoft's security information and event management offering. To accommodate the tools, Lunavi has had to augment its security team, but it's challenging to find candidates in the competitive security talent market, Thompson said.
In lieu of hiring new employees, Lunavi focuses on developing skills in-house. Upskilling employees has required formal instructor-led training and vendor-based training, Thompson noted.
"Someone in security for 10 years has skills for security but may not have skills around the new tools out there," he said. For example, when Lunavi added new tools like Azure Security Center and Microsoft Compliance Manager, there were few professionals with skills for those tools.
Cope with cybersecurity growing pains
McDonald and Thompson said security information sharing with other MSPs has helped to evolve their security practices.
NSI participates in a peer group of 10 companies that discusses security issues and best practices. "That's been a big help in terms of seeing [security issues] out there," McDonald said. "We're all very open about sharing things."
The biggest hurdle to the adoption of new cybersecurity measures tends to be employees changing their behaviors. "It takes time to get habits ingrained," he noted.
Thompson agreed. As Lunavi has added staff via acquisitions, it's been a challenge to bring new employees up to the MSP's level of compliance. "They have to go through the same security controls as Lunavi," Thompson said. "We have to educate users on [why we need] tools like [multifactor authentication]. While it may be a minor headache, it's for the greater good."
NSI's efforts have led to successful internal security procedures. After the company leveled up, it was put to the test with several incidents. "As we got better, things settled down, and we haven't had a client breach in about six to nine months," McDonald said.
Additionally, its own security evolution has enabled NSI's team to discuss cybersecurity with customers at a more advanced level than competitors, McDonald noted.
"We don't shy away from explaining why we know what we know," he said. "We're just a better, much more secure organization than before."