A series of high-profile attacks has prompted businesses to examine their technology partners with more scrutiny
What happens when your IT service firm, the one who is supposed to be keeping you safe from hackers, is themselves the target of a cybercrime? Businesses across the country are struggling to answer this question after discovering that not only had their IT partner been hacked, but that their data had been violated or stolen as a result.
Many of these attacks have followed a similar pattern. State-sponsored attackers from Russia or China compromise the weak cybersecurity at a vulnerable managed IT services provider (MSP), then move laterally through that network to attack the networks of its clients. Some of these attacks lasted for months or years without being discovered.
In 2019 alone, there have been several important cases.
- April 2019 – Global IT solution provider Wipro admits that “a few” of its user accounts had fallen victim to a state-sponsored phishing attack, leading to a subsequent attack on at least a dozen of its multinational clients.
- June 2019 – A “cloud hopping” attack perpetrated by Chinese hacking group APT10 penetrated major IT service providers, including Dimension Data, HP Enterprise, and Fujitsu.
- August 2019 – Texas-based TSM Consulting is compromised in an attack that ends up affecting 22 municipal governments.
The Department of Homeland Security issued a warning about attacks on MSPs and other IT services firms in October of 2018, but that warning seems to have had little effect in stopping the attacks mentioned above.
So, a new frontier in the war on cybercrime has opened. How can you help ensure that your security partner is up to the challenge of protecting their own network? As with many matters related to IT, it pays to be proactive.
Don’t Be Afraid to Ask Your IT Service Partner About Their Security
This new threat demands that businesses see their IT service providers as a potential cybersecurity vulnerability, learn about the security protocols they have in place, and take a more active role in picking a partner whose cybersecurity vigilance meets their requirements.
It’s important to clarify that no technology system — no matter how protected or well-funded — is 100% resistant to cyberattack. But there are important steps that an MSP can take to mitigate the risk of cyberattack to their systems.
What questions should you ask an IT service provider to make sure they’re taking their security seriously? Here are some good places to start:
Question 1: What processes and procedures do you have to secure your systems?
Start with a general inquiry into the firm’s cybersecurity. While most service providers will talk openly about the many ways that they can help you achieve greater security, see if they’re willing to talk about their procedures for internal security with the same degree of openness.
Confident answers that touch on the following topics are a good indicator that they take security seriously.
- Detailed tracking of their software and hardware assets
- Strong perimeter defenses, such as firewalls and intrusion detection (IDS) systems
- A secure network interior, including designated pathways for sensitive data
- Limitations on administrator access to systems
- Strong password management processes in place
- Documented incident response plan and list of prioritized incidents
Question 2: Do you have two-factor authentication (2FA) enabled across your organization?
Two-factor authentication (2FA) is the process by which a user is required to use something they know (like a password) along with something they have (like a cell phone) in order to verify their identity and gain access to an account.
While not a silver bullet to security, it’s one of the single greatest tools companies can use to secure their systems. Most of the recent incidents have involved stolen credentials. That means rigorous 2FA implementation, especially on sensitive systems, could have greatly reduced or eliminated the damage done from those attacks.
Question 3: How do you maintain your back-up systems?
Having backed-up data is the last line of defense against a successful attack. But hackers know that these systems are one of the most important ways that both companies and MSPs defend themselves, and have started disabling them in advance of an attack. This ensures that when they ask for a ransom later, the victim lacks easy access to an escape route and must pay.
To minimize such risks, ask your MSP how they maintain their back-up systems. Are they changing important passwords after employees leave the company, to ensure that the service hasn’t been tampered with? That’s a security best practice. They should also run regular audits to make sure the back-up systems are running properly, which many providers won’t do.
Don’t Settle for “Average” Security
You can also help secure your business by demanding a high standard of service for yourself. Any provider who tries to sell you cut-rate security services is certainly not taking their own security very seriously and should be replaced. This often applies to providers who offer tiered “silver,” “gold” or “platinum” security plans. In the words of IT veteran Paul Dippell, there is no “low-tier” security; there is either the best security or no security at all.
To that end, if you want to inquire deeply into your IT partner’s level of internal security, here are some more questions you can ask them:
- How often do you patch your software and network devices?
- What software tools are you using to ensure strong security?
- What data from my company will you keep on your systems, and how will it be secured?
- Do you use encryption for all at-rest data? How about in-transit data?
- How do you log remote access to your systems?
We Founded Complete Network on Strong Cybersecurity
Our team has helped countless businesses in both Albany, NY and Charlotte, NC take control of their network technology and mitigate cybersecurity risk, while also maintaining the highest standard of security on our own systems.
If you’d like to ask us questions about how we help organizations discover greater cybersecurity confidence — or how we mitigate risk in our own networks — we’d be happy to tell you more. Contact us any time at 877.877.1840 or by email at [email protected]. We look forward to speaking with you!