Q: Lately I’ve been hearing a lot about a group of Chinese hackers called APT10 and how they target MSPs. My MSP work with customers in highly regulated industries, so we have a lot of sensitive data to protect. What should I do if my MSP gets hacked?
Data breaches can certainly be alarming, and many other MSPs have the same fear— especially when they’re helping small businesses protect highly sensitive information. However, implementing best practices and looking for potential vulnerabilities can help protect your SMB customers —and your MSP — from getting breached.
To help you mitigate the risks and protect your MSP, we spoke to Chris Johnson, the director of business development and strategy at Wheelhouse IT. He has been working hands on with managed IT in the healthcare field since 2008, and he has worked in regulated industries in the IT field for 20 years. Chris shared his insight on both mitigation tactics and steps you need to take if your MSP is compromised.
Prepare for the inevitable
When you’re running an MSP, it’s not a question of if you’ll get hacked but when, and all you can think about is what information would be compromised. If someone can get access to my mother-in-law’s address book after the Yahoo data breach and send malware as if it’s coming from her, the same thing can happen to an MSP. Looking at it on that scale—the idea of malware coming from an MSP — is quite scary.
Getting hacked happens all the time, but you can’t become calloused. You need to understand what you’re doing, how the attack may have happened, and what you’re doing to reduce the likelihood of it happening again.
The first thing you should develop is your incident response protocol. Internally, we notify our essential people first, and then deliberate on how to handle the situation. It is better to handle the situation top down and brace yourself for the storm that might be coming. That way you can discuss and determine if you have the correct infrastructure in place currently to handle the situation.
However, I’m a firm believer that if something were to happen, you need to communicate about the breach with all your employees. This way they know how to handle an issue in the future. For example, if someone on the phones was responsible for enabling the breach, you need to communicate what happened and what they can do to prevent it from happening again.
Standardize policies and procedures
Unfortunately, there is no way to measure your policies and procedures until something happens. Then you can make the necessary adjustments to prevent the same mistake moving forward. Regulations in the healthcare industry can seem like a burden and can often be overwhelming, but these policies have become a necessary evil. If you procrastinate putting these polices to prevent data breaches into effect and hackers break into the system, it will be a much bigger problem.
HIPAA started off very vague in their requirements and left policies more open to interpretation. Now there are more specific regulations in place. HIPAA is designed to help standardize and organize security efforts, and it helps businesses create a baseline for security measures and processes.
Create teaching moments
Cyber security is the responsibility of the entire organization, so it’s important to train employees on an ongoing basis. For example, if you see an article about a recent breach, study the situation and learn from it. Discover what basic principles are involved and what can you do as a company to avoid a similar situation. It’s important to use this type of news as teaching moments for the whole company.
As an MSP, you also need to look in the mirror and ask yourself if you’re implementing the best practices you ask your customers to follow. Most of the time, if you had done your due diligence, breaches could have been avoided—and sadly, there’s no excuse for an MSP not to be properly informed has about security best practices.
You need to be your own client. Don’t ask a business to implement something if you haven’t done so yourself. This can help you develop your business by having your own best practices that you routinely follow in your organization. This allows you to be an advocate for your clients, and you can use your MSP as an example of how to do things the right way. It changes the conversation from do as I say to do as I do. This helps you build trust with customers on a more personal level.
Know your products
No product is perfect, and as an MSP you need to know the ins and outs of the services you’re offering to your customers. Know where the protection starts and stops. Being uninformed about your tools can really hurt you.
For example, if there is a new Office 365 policy, and if it’s turned off for a client, does your staff know why it isn’t turned on? If no one can speak to why you didn’t communicate this with the client, it is important to speak internally and understand why it might be important to tell them. To do this, you need to know your products and services well.
Features are added to products all the time. Ensure that your entire staff knows about any new features your products have. Try to stay up to date on new features and talk to your clients about if it’s something they should implement.
Preventing a data breach may be challenging, but having the right policies and procedures in place can help you in the long run. Following Chris’ advice on open communication and creating teaching moments can help you and your employees have valuable conversations before something happens to your business — instead of leaving you scrambling after a breach happens.