Business models have been put into a blender and pulsed and pureed since the arrival of COVID-19 earlier this year. The resulting workplace environment has been unrecognizable in many cases with workforces hunkered down at home, businesses shuttered, and security teams scattered in far-flung corners of the world.
All of these changes have stretched many MSPs thin, resulting in a fly-by-the-seat-of-the-pants approach to security whereby they are unintentionally ignoring cybersecurity basics and general IT security hygiene. As the saying goes, sometimes, especially when you are busy putting out forest fires, it’s easy to ignore the burning branch falling on you from above. Don’t do it.
Smarter MSP recently caught up with Cameron Williams, a cybersecurity consultant and former MSP owner in Miami, Florida, an area being hit hard by COVID-19. He offered up these five basic cybersecurity must-haves that MSPs across the globe should not be neglecting:
“I’m seeing many CISO staff and MSPs just totally let their patching programs lapse,” laments Williams. Bad idea. For instance, researchers have discovered a new strain of malware – dubbed Lucifer – which is “wreaking havoc.” Researchers say that enterprise organizations are likely most at risk, partly because they do not always stay up to date with security patches. However, Lucifer exploits a range of vulnerabilities that also affect home PCs.
Williams concurs with researchers who advise that an aggressive and up-to-date patching regimen is key to stopping such an attack, along with strong passwords to deter brute-force logins.
“I am seeing an increased number of businesses being brought to their knees during the pandemic from lapsed patching regimens, and it was totally preventable,” observes Williams.
During the pre-pandemic era, human resources and IT often worked hand in glove to seamlessly onboard new employees and offboard departing ones. Badges needed to be activated and deactivated, and tutorials given. Even if office personnel are scattered, that doesn’t mean that MSPs shouldn’t still be in the human resources loop.
“There are companies that are hiring new employees, setting them up at home, sometimes on their completely unprotected PC to log directly into the company network. That would never have been acceptable a few months ago, and it shouldn’t be now,” states Williams.
MSPs need to be proactive and, depending on the size of the client, do a weekly or monthly check-in with human resources staff to ensure that there have been no personnel changes that merit the deactivating of mailboxes or setting up of a secure home login.
Shine light in the shadows
Shadow IT has been a pesky issue for MSPs for years, as cloud-based systems have allowed people to assemble their own ad hoc cybersecurity systems within the company system.
“But this can cause regular cybersecurity protocols to be circumvented,” warns Williams.
MSPs need to monitor Shadow IT in today’s blended work environment just as much as they would during the pre-pandemic era. McKinsey warns in a recent report that security professionals should:
“Keep an eye out for new Shadow IT systems that employees use or create to ease working from home, to compensate for in-office capabilities they can’t access, or to get around obstacles.”
“A consistent cybersecurity approach is more crucial than ever, but many MSPs are dropping the ball and allowing work-from-home employees too much latitude,” notes Williams.
MSPs who are busy managing clients that now have employees spread out all over may not think they have time for education, but this is when it is needed more than ever. “In proactive and positive ways, employees need to know what online behaviors constitute dangers,” Williams says.
Certain practices that would never be permitted pre-COVID are rampant now.
“People are home, they are toggling between their work and their social media accounts, and they are very careless,” details Williams. Sloppy social media, Williams says, can help create opportunities for very targeted phishing and social engineering campaigns.
There are quick fixes MSPs can implement, like link scanning of email messages, user-level anti-virus, and network scanning to hunt down unauthorized and insecure devices, but the most potent weapon is education. Hold conference calls or video conferences, or send out email alerts, but keep the information flowing.
“People are feeling isolated and disconnected, so making people feel like they are part of a group is crucial right now,” advises Williams. Now, hopefully, your corporate client is taking care of a lot of that, but at the MSP level, you need to make cybersecurity a priority and make client employees have a stake in it.
Regardless of your client’s size, whether it’s 2 employees or 2000, send a weekly cybersecurity bulletin. Make it fun and take a we’re-all-in-this-together approach, Williams says. This is the place where you can listen to employees’ concerns, invite feedback, and make sure they are heard.
Set up an easy system for people to report cybersecurity concerns or issues. Make communication channels easy and friendly. Some people are more likely to report a problem by text, so set up a special number. By making people feel connected, your client won’t become disconnected.