Is YOUR MSP Secure? … And Why You Should Care!

17 Dec. 2024 - Ben O'Neill

IT Managed Service Providers (MSPs) bring a great deal of value to your organisation, offering IT management services, handling your requests, managing your website, and a host of other tasks that save you the cost and hassle of hiring IT staff and free up your time to focus on achieving your business goals. 

To deliver all these services, MSPs need highly privileged access to their customers’ IT systems, but how much do you really know about your MSP’s security practices? An insufficiently secure MSP could be your biggest unknown security risk that you have no direct control over. To take one example, in November 2023, CTS (a UK-based MSP supporting law firms) was targeted in a cyberattack that affected their customers, between 80 and 200 law firms, effectively paralysing their day-to-day operations. 

Netwrix's 2024 security trends report claims that 76% of MSPs spotted a cyberattack on their infrastructure within the last 12 months, with the biggest threat vectors including phishing, user account compromise, and malware/ransomware. N-able analysis suggests 90% of MSPs have observed an increase in cyberattacks since 2020.

The UK’s National Cyber Security Centre (NCSC) describes MSPs as ‘juicy targets’ for cyber attacks, and it’s not hard to see why. With privileged access to the IT systems of potentially many customer organisations, an insecure MSP gives hackers a privileged backdoor into all of those companies, enabling them to steal sensitive data, compromise systems, launch ransomware attacks, or cripple operations.

This strategy is so attractive to hackers that the NCSC released a warning of globally coordinated campaigns against MSPs by highly sophisticated nation-state sponsored hacker groups aiming to compromise their customers. Here are the five key ways hackers exploit MSPs to gain access to their customers.

Vulnerable MSP infrastructure 

Like any other company, MSPs have their own servers, networks, cloud services, and applications. And like any other company, if that infrastructure is vulnerable they can become victims of cyberattacks.

Some MSPs falsely believe that because they aren’t directly public-facing they won’t be a target, which may be why just 40% of MSPs have implemented 2FA on their own systems – despite usually offering it to customers!

Unfortunately, this belief is mistaken, as shown by the chilling example of the MSP giant Cognizant, which was targeted in an attack using the Maze ransomware in 2020. The ransomware attackers stole sensitive data from Cognizant, potentially including sensitive Cognizant-managed customer data and credentials. It’s thought the attackers initially gained access to Cognizant’s infrastructure through a vulnerable Citrix server.

Shieldwall applies the same rigorous security standards internally that we advocate to our customers. We comply with ISO 27001 and NCSC Cyber Essentials, harden all our systems, mandate MFA and other security policies, and routinely audit our systems. In doing so we hope not only to protect ourselves, but to set an example for our customers. 

MSP Insider Threats 

In any company, insider threats are a major concern, with 83% of organisations reporting at least one insider threat incident in 2024. With the privileged access that insiders have, some cybercriminal groups have even taken to directly recruiting corporate insiders to launch attacks. 

But most insider threats aren’t even deliberate - according to Ponemon Institute analysis, 56% of insider attacks are due to employee/contractor negligence, with 26% due to criminal/malicious insiders, and 18% to imposters. The risk of MSP insiders accidentally losing credentials or misconfiguring infrastructure must not be underestimated.

It goes without saying that insider threats in MSPs can have wide-ranging impacts on all the MSP’s customers! Do you know if your MSP has suitable practices to mitigate the risk of insider threats to your infrastructure?

At Shieldwall, we apply rigorous internal controls to mitigate insider threats, including but not limited to personnel vetting, privileged access management, internal access monitoring, data loss prevention, and data compartmentalisation. 

MSP using vulnerable or compromised tools

MSPs use a range of tools to deliver services to customers, such as monitoring & visibility, remote access, endpoint management, and more. These are often essential tools of the trade, but they aren’t immune to the kinds of vulnerabilities that can affect any software. In fact, the privileged access these tools give to company infrastructure can make them very attractive targets for hackers. 

In one high-profile example, in 2021 the ransomware group REvil exploited critical vulnerabilities in Kaseya VSA (a remote management tool used by many MSPs) to target up to 50 MSPs and up to 1500 of their customers.

To take another example, in 2020 the IT world was rocked by revelations of a major supply chain attack on SolarWinds, a very popular IT Service Management solution. Nation-state backed hackers compromised SolarWinds and embedded a backdoor in a software update, which when installed on customer networks gave them privileged backdoor access to potentially thousands of organisations! Whether SolarWinds was operated by companies themselves or by MSPs on their behalf, the breach put all users at risk.  

Some companies were safer than others though – if the permissions assigned to SolarWinds on a company’s network were suitably scoped, and the network was properly monitored, the impact could be contained.  

At Shieldwall, we know that nobody can predict which tools will be exploited, which is why we apply the strategy of Defence in Depth with our customers. All our tools are risk-assessed and mitigated in various ways, both to minimise the likelihood that a vulnerability can be exploited and to limit the blast radius if one is.

Not securing your infrastructure 

If you hire an MSP to manage your IT infrastructure, you are placing a great deal of implicit trust in that MSP to do a good job.

Unfortunately, incentives are often misaligned. A lack of robust infrastructure security may only become apparent when a breach occurs, whereas operational disruption is immediately obvious. The MSP’s main incentive is therefore to make things work smoothly, with minimum downtime and maintenance requirements, and it often does not allocate the right skills or effort to securely configure, patch and monitor customer infrastructure, potentially leaving customers vulnerable.

In fairness, this problem is certainly not limited to MSPs. Security teams in most organisations complain of not being allocated enough resources to keep their company secure. When a breach occurs, security/IT teams and MSPs engage in a game of post-match finger pointing, none of which will turn back the hands of time. This story sadly repeats itself all too often. 

Shieldwall are determined to be a force for change in this regard. Security must be an essential component of service delivery, not an optional extra. That’s why we include Shieldwall Secure for FREE with all our IT service packages, as our guarantee to our customers that their security is always a priority. 

Social Engineering 

It’s a security truism that humans are the biggest unpatched vulnerability in any organisation. Most major security breaches involve humans at some stage in the attack chain. You may believe you’re managing the human security risk in your own organisation, but what about your MSP?  

Famously, one of the most popular social engineering techniques with hackers is phishing, and the risk is clear from the case of the Indian service provider giant Wipro, which was hacked as a result of a successful phishing campaign. The hackers then exploited their access to Wipro’s systems to launch attacks on Wipro’s customer networks.

Another major attack vector against MSPs is through support requests: attackers may simply try to convince technicians to grant them access to a customer network. For example, by posing as a legitimate employee who has lost their device or credentials, an attacker could convince the MSP to send them a password reset for a legitimate user, or even to create a new account with access to the victim’s systems! That’s why our security experts apply Threat Modelling to all our service procedures, implementing measures to ensure that we can keep your organisation safe while delivering the service you need.

What to look for in an MSP 

Security is not just a product. A discerning customer knows that an MSP’s use of antivirus software or firewalls is not sufficient to consider it a secure service provider.

If you have an MSP, or are looking for one, it’s important to ask the right questions to ascertain how they mitigate the types of threats outlined above in all aspects of service delivery, and whether they apply Defence in Depth combined with appropriate monitoring and incident response planning to keep your company safe in the face of unforeseen threats.

Security is a shared responsibility between you and your MSP. Both parties need to be clear on their respective security responsibilities and apply them diligently. As the owner of your company’s sensitive data, and the custodian of your clients’ data, it is your responsibility, and your right, to remain vigilant with your MSP and ensure that they are fulfilling their security responsibilities to you. 

At Shieldwall, we know what it takes to keep our customers secure. We service small to medium clients of all shapes. If you represent a business with 100 employees or fewer and would like to discuss how we can help you run your IT effectively AND securely to serve and protect your clients, book your free consultation with our experts today!