The Top Four Security Mistakes MSPs Make

The growing number of cyber threats across the globe have caused many IT service providers to strengthen their security posture. Despite this positive trend, there are some chronic problems that plague countless MSPs. Luckily, most of these are simple to remedy.

1. Neglecting to eat their own dog food. Likely the biggest mistake technology business owners make is a neglect of their own network. Sometimes IT companies are distracted or too busy. Other times, the owner assumes the software tools or policies were deployed in-house, but they never verify that the task was completed. Shockingly, some companies still believe they’re not a target for cybercrime! (So they decide to save a few dollars and not deploy to their own company.) No matter the cause, MSPs don’t always practice what they preach.

   They give their customers timely advice; but those same security-focused companies don’t listen to themselves. They fail to audit themselves or put themselves through their own onboarding process; which means that security risks go undiscovered for far too long. The answer to this challenge lies in auditing your own company. Verify that all policies and software tools are deployed to 100% of your company machines.

2. Running around in circles. Every week, we talk to business owners who KNOW they need to focus on security, but they haven’t invested in a single security solution. Instead, they are in perpetual research mode – an endless cycle of research and testing, which often leads to overwhelm. The “paralysis by analysis” isn’t really their fault! Many vendors’ solutions sound identical; new vendors are being created every week; there are few answers and many questions.

   However, a critical leadership principle is to make sound and timely decisions. The reality is that there is no perfect, bulletproof cybersecurity plan. Your first plan may have gaps and missing pieces. Software components may fail, and you may make mistakes. But if you have based your decisions on logic, research, and wisdom, you will learn from (and improve on) your initial failure.

3. Ignoring the obvious. The Number One attack vector is email. Yet most people overlook email security. One of your clients has likely experienced an account takeover or has admitted to clicking on a phishing email. These unintentional “threat actors” are partly to blame for the rise in data breaches, since almost half of all data breaches are the result of human error and system glitches.

   User education and training is an important part of a security stack, which will reduce human error. But your goal should be to layer both employee training and email security in tandem. A quality email security solution will block harmful emails, thus providing the user with significantly fewer opportunities to click a bad link. In other words, email protection first. Education second.

4. Fundamental Flaws. For years, security evangelists have been preaching about RDP ports. We all know the truth: RDP ports should never be open to the internet. But knowing what to do is very different from acting on that knowledge. If your ports aren’t secure, you’ve just sent hackers the equivalent of an engraved invitation to a party, where you (or your client) covers the entire bill. We consistently see threats that leverage open RDP ports. While the existence of these threats isn’t a huge surprise, what might surprise you is this: our threat analysts continue to see ports wide open nearly ever week! Close the port. Don’t merely change the port number; hackers are smart enough to get around that trick.

   As you become more security savvy, you must make sure you build on a solid foundation. Address each of these common challenges, and become a much more cyber ready company.