Along with social distancing, fragmented teams and the skyrocketed use of video meetings, the ongoing corona crisis is driving gigantic changes in business behavior. In times like these, MSPs know that they must invest in new digital tools and leverage cloud services to stay competitive. This shift is good news, but it is coming at a cost. As the remote working spreads its roots deeper in the new MSP landscape, cyberattacks are growing at an alarming pace.
In March and April 2020 alone, 192,000+ cyberattacks were reported each week. There have been significant changes in the timing of these attacks, too. In late March and early April, the timing of these attacks included all hours of the day and weekends compared to prior normal day hours. This makes 24×7 businesses like MSP even more vulnerable to constant threats from external sources.
While the ongoing crisis continues to drive a distributed workforce, securing the way your MSP traffics its data across home networks should be a top-of-mind concern. For this, consider the ongoing crisis as an opportunity for full-blown innovation and the adoption of secure operating processes. The focus your MSP brings to your cybersecurity strategy today will determine if this opportunity adds to your bottom line or compromises your clients’ confidence.
Make some serious changes to your existing IT policy
Have strict Bring Your Own Device (BYOD) guidelines and policies for engineers wanting to use personal devices to access corporate networks. These policies should require every BYOD device – smartphone, tablet, laptop, etc. – to receive authorization by the IT department before connection to the network is allowed.
Cloud applications in the ongoing business environment can offer significant cost efficiency and potential security benefits over conventional data storage and application hosting. To strategically adopt and manage cloud services, develop complete inventories of current cloud usage in your MSP, and update data storage policies accordingly, outlining the conditions required for the use of cloud application and data center/local storage.
Along with this, be sure to review third-party agreements, including SLAs with your vendors. This will help you ensure that they meet revised security requirements and have “acceptable” liability provisions.
Turn vulnerable VPNs into Managed VPNs
Anticipating a permanent increase in remote work in the post-COVID-19 business world, your MSP should consider increasing VPN capacity through the deployment of more IPsec-based VPN clients to your engineers’ workstations.
While you may be offering secure VPN access to your engineers, they are still connecting via home wireless routers, which at best have rudimentary security for traffic encryption. A simple malicious code could extract valid corporate credentials while a work-from-home user logs into the VPN via keylogging, thereby compromising the security of the entire MSP. This is why it is time to revisit your VPN security measures and focus on deploying new processes to fortify your IT infrastructure going forward. To do so, ask your IT team to:
- Enable multi-factor authentication for VPN.
- Encrypt any company hard drives.
- Turn the spam filter up.
- Share confidential documents via secure cloud-based platforms over emailing them.
Always have a CIBR plan in place
MSPs with strong and current Cyber Incident Breach Response (CIBR) plans should consider incorporating lessons from the contingency operations brought about by the pandemic. If there was no pre-existing CIBR plan, you must create one, keeping the current operational context in mind.
Coordinate and cross-reference this plan with disaster recovery, business continuity, and enterprise crisis management plans so you can create comprehensive crisis planning document sets.
Final Thought: With more businesses switching to permanent remote working culture, your MSP needs to “de-risk” and adapt operations to the new normal. This will require a thorough evaluation of crisis-driven IT infrastructure, followed by strategic changes in cybersecurity controls and business processes.