Are MSPs Ignoring Best Practices for the Sake of Time
In the podcast "Gone Phishing," Adam Evans highlights that MSPs often compromise cybersecurity best practices—such as credential management and rotation—due to budget and time constraints, leading to increased risks and breaches, and advocates for investing in staff training, automation, and community knowledge sharing to improve security despite industry challenges.
Welcome to Gone Phishing, a show diving into the cybersecurity threats that surround our highly connected lives. Every human is different. Every person has unique vulnerabilities that expose them to potentially successful social engineering. On this show, we'll discuss human vulnerability and how it relates to unique individuals.
Podcast Guests:
- Connor Swarm (Host, CEO at Phin Security)
- Adam Evans (Security Director, Simplex IT)
Are MSPs Ignoring Best Practices for the Sake of Time?
Adam Evans:
- Security incidents continue to occur frequently in the industry, with data breaches happening regularly.
- External entities, such as CISA, are recognizing the risks associated with MSPs, especially regarding remote management software and supply chain vulnerabilities.
- Despite many vendors offering "easy" solutions, risks and attacks persist, and costs for small to medium businesses are increasing.
- The industry faces challenges such as budget constraints, talent shortages, and the complexity of security.
- MSPs may be cutting corners to meet budgetary requirements, potentially sacrificing best practices.
Examples of Ignored Best Practices:
- Credential sharing: Some MSPs use the same credentials across multiple clients, which is risky.
- Failure to rotate credentials after staff changes or potential compromises.
- Manual processes for credential management are time-consuming, especially as client numbers grow.
- Not all MSPs have the resources for automation or dedicated staff for these tasks.
Addressing the Issue:
- Invest in MSP communities and knowledge sharing (e.g., tech degenerates, MSP geek).
- Empower and train staff who are interested in security.
- Fund certifications and training to build internal expertise.
- Investing in employee development can be more cost-effective than dealing with the aftermath of a security incident.
Client Mindset Challenges:
- Many small business owners believe they won't be targeted or affected by breaches.
- The reality is that no business is too small to be hacked; they may just not make the news.
- Real-world incidents (e.g., Robert Coffey's experience) highlight that breaches can happen to anyone.
Efficient vs. Effective Security:
- Start with basics: CISA's catalog of bad practices includes lack of MFA, use of end-of-life systems, and default credentials.
- Implement MFA, patch systems, and avoid default/admin credentials.
- Use frameworks like CIS Controls or NIST CSF to guide security maturity.
- Even basic practices like asset inventory and patch management are often overlooked.
- Small businesses may not have Fortune 500 resources, but starting with the basics is essential.
Vendor and Third-Party Risk:
- Evaluate vendors based on the data they access and their own security practices.
- Hold vendors accountable for their security claims; verify their compliance and security measures.
- MSPs should push for transparency and proper security controls from their vendors.
Final Advice:
- If you don't have time to do it right the first time, you won't have time to do it a second time.
- Invest the extra time to follow best practices and build reasonable defensibility.
- The risks and liabilities of not doing so are too great, and clients expect diligence from their MSPs.
- "If you don't make time to maintain your equipment, it'll make time for you."
- "The best time to plant a tree was 20 years ago. The second best time is today."
Thank you for listening to another episode of Gone Phishing. For more information about high-quality security awareness training campaigns and how to engage employees to change their habits, visit Phin Security at phinsec.io.