MSPs: The masters of SMB cybersecurity (but what about themselves?)

Posted: 03/04/2025 | By: Jim Peterson

MSPs are amazing at crafting defenses for their SMB clients to keep them aware of and protected from cyberattacks. We preach MFA, endpoint defense, security awareness, and proper backup, helping our clients focus on growing their businesses instead of worrying about cyberthreats.

But here’s an uncomfortable truth: sometimes, MSPs don’t follow their own advice.

MSPs handle some seriously sensitive stuff, including client data and access to their critical systems. A security slip-up at an MSP could open the door for hackers to gain access to their clients’ environments.

With the financial, reputational, and community impact of an MSP breach being so high, we’ve listed three security solutions below that every MSP should consider implementing in their Microsoft 365® environment to help protect themselves and their clients from data loss or extortion.

Conditional access policies: Enforcing security standards

  • Multi-factor authentication: This is often a minimum for MSPs, but consider how your MFA is deployed and how susceptible it is to man-in-the-middle or SIM-swap attacks. While we may lose a bit of efficiency, the positive impact of limiting the lifetime of access and refresh tokens, which shortens the window between multi-factor authentication prompts, significantly outweighs a few extra 2FA requests throughout the day.
  • Location-based restrictions: Consider blocking sign-ins to Microsoft 365 environments from specific countries or other risky locations.
  • Device-based restrictions: Only allow access from trusted devices and applications.

Privileged identity management: Just-in-time access for administrative functions

  • Multi-factor authentication part two: Enhance traditional MFA by requiring FIDO2 hardware-based authenticators for administrative access.
  • Location-based restrictions part two: Tighten location rules by disallowing public Wi-Fi or forcing SASE connections to ensure end-to-end security.
  • Set time limits: Set a strict time limit for administrative functions.
  • Require approval: Define the list of activities that require approval so that client risk is limited.
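As an added example that is not part of the original post (and not ConnectWise's own code), here are the conditional access and admin-access controls above expressed as two report-only Microsoft Graph PowerShell policies: one blocks admin sign-ins from outside the tenant's trusted named locations (for example the SASE egress IPs), the other requires phishing-resistant (FIDO2) MFA on a compliant device with a 4-hour sign-in frequency. It assumes the Microsoft.Graph module is installed; the break-glass account object ID is a placeholder, while the role template ID (Global Administrator) and the "Phishing-resistant MFA" authentication strength ID are Microsoft's built-in values.

```powershell
# Added example (not from the original post). Two report-only Conditional Access
# policies for the MSP's own tenant, built with Microsoft Graph PowerShell:
#   1. block admin sign-ins from outside the trusted named locations (e.g. SASE egress IPs)
#   2. require phishing-resistant (FIDO2) MFA on a compliant device for admins,
#      with a 4-hour sign-in frequency and no persistent browser sessions
# Assumptions: the Microsoft.Graph module is installed and the placeholder
# break-glass account ID below is replaced with the tenant's own value.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

$breakGlass = "<OBJECT-ID-OF-BREAK-GLASS-ACCOUNT>"          # placeholder: always exclude the emergency account
$adminRoles = @("62e90394-69f5-4237-9190-012177145e10")      # built-in Global Administrator role template ID
$adminUsers = @{ includeRoles = $adminRoles; excludeUsers = @($breakGlass) }
$allApps    = @{ includeApplications = @("All") }

$policies = @(
    @{
        displayName = "MSP admins - block sign-in outside trusted locations"
        state       = "enabledForReportingButNotEnforced"   # review sign-in logs before switching to "enabled"
        conditions  = @{
            users = $adminUsers; applications = $allApps; clientAppTypes = @("all")
            # applies everywhere except the tenant's trusted named locations
            locations = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
        }
        grantControls = @{ operator = "OR"; builtInControls = @("block") }
    },
    @{
        displayName = "MSP admins - phishing-resistant MFA on compliant device, 4h sign-in frequency"
        state       = "enabledForReportingButNotEnforced"
        conditions  = @{
            users = $adminUsers; applications = $allApps; clientAppTypes = @("all")
        }
        grantControls = @{
            operator               = "AND"                  # both controls must be satisfied
            builtInControls        = @("compliantDevice")
            authenticationStrength = @{ id = "00000000-0000-0000-0000-000000000004" } # built-in "Phishing-resistant MFA"
        }
        sessionControls = @{
            # shorten the window between re-authentication prompts and drop persistent browser sessions
            signInFrequency   = @{ isEnabled = $true; type = "hours"; value = 4; frequencyInterval = "timeBased" }
            persistentBrowser = @{ isEnabled = $true; mode = "never" }
        }
    }
)

foreach ($p in $policies) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    Write-Host "Created policy '$($created.DisplayName)' (id $($created.Id), state $($created.State))"
}
```

Leave both policies in report-only mode until the sign-in logs show the break-glass account and your SASE egress addresses behave as expected, then set `state` to `enabled`.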

Regular account reviews: Critical to finding and eradicating risk

Monthly account reviews performed by the service or operations leader are critical to ensure that security is properly maintained and that any “Move/Add/Change” operations inside your MSP did not create an unknown risk. Keeping a list of these reviews and having new team members attend the review process can also provide education for client account reviews.

  • User account inventory: Ensure all active users are still active.
  • Admin account inventory: Ensure all administrators still need this level of access.
  • Conditional access policy review: Review all conditional access rules to ensure they are enforced, up to date, and meet current security demands.
  • Microsoft cybersecurity baseline: Measure against the baseline to monitor progress and to catch changes to the underlying platform that could add risk to the current configuration.

Conclusion

MSPs are so busy building protection for others that they can sometimes miss the mark with their own internal cybersecurity processes and procedures. However, keeping them from exposing themselves and their clients to third-party risk is crucial.

While security for an MSP has many more steps and solutions to maximize protection, adding conditional access, privileged access management, and regular account reviews to your Microsoft 365 environment can increase your cyber resilience while also giving you bragging rights to your prospects and clients on how you protect their information.

If you are looking for a straightforward way to check and update security in your Microsoft 365 environment, check out ConnectWise SaaS Security™.

By leveraging the Microsoft Secure Score framework report or any of the eight IT security frameworks we support, you can run baselines regularly against your own Microsoft 365 tenant, allowing you to see and manage changes that affect security. In addition to setting your own baseline, you can use ConnectWise SaaS Security to remediate open issues, change the status of non-compliant controls, and document how or if they are addressed.

Learn more about the Microsoft 365 Security Baseline >>
