Many businesses rely on the services of an MSP, and for good reason.  An MSP can provide great IT services for any business, at the fraction of a price it would take for a business to secure themselves.  Unfortunately, this can come at a steep price.  MSPs are among the most prized targets of cybercriminals.  They have the deepest level of access to all of their clients’ systems, and a criminal that gains access to a security business’s network can potentially breach hundreds of business and organization networks, as the recent SolarWinds breach proved.  So, what is an MSP to do if their business of providing security is, in itself, not secure? 

One of the most important steps to take is multi-factor authentication on every level, wherever it is possible.  Having multiple steps required to gain access to a system means that any criminal that does manage to succeed at a lucky phishing attempt, or happens to guess Joe from accounting’s password, will still require physical access to either a system or a mobile device it’s tied to.  This isn’t always fool-proof, and many systems have ways of removing multi-factor authentication that a particularly clever cybercriminal might have access to, but it is by far the best and easiest way to secure a system. 

Secondly, it’s important to limit access to systems only to those that should have it.  Joe from accounting might need to be able to get into an MSP’s financial records, but he shouldn’t have access to clients’ security profiles, for example.  Likewise, even the owner should restrict their access to those records if they don’t regularly require access.  A criminal who gets into an employee’s profile shouldn’t have free rein to do as they please across an entire network. 

“Eat your own dog food.”  Well, don’t eat dog food.  But your security practices and implementations should be at least as tight as for those of your most secure client.  As CMMC rules become more common, it’s just as important for an MSP to implement those rules for themselves.  A criminal gaining access to the wrong system means that all of the effort of securing your clients goes to waste.  A security-minded MSP must have strong security of its own if it wants to stay that way. 

Security is a constant, ever-changing problem that needs to be met with an equal amount of adaptability.  Regular security checkups, network monitoring, frequent password changes and employee training are all required in order to stay ahead of the cybercriminals.  If your MSP hasn’t yet adopted best-practice security measures, now is the time to do it.  The second-best time, and also the worst time, is after you’ve already suffered from a disastrous breach.