By Tim Gillen, CNE, MCP, President, Terrapin Networks and ASCII Group Member Since 2010
As managed services providers (MSPs), it’s easy to read about the large-scale hacks and credit card breaches and think, “Well, that can’t happen to my customers.” However, while the stories about hacks that affect giant corporations are the ones we tend to hear about, it’s still important to ask yourself: Are my customers — the small-to-medium-sized businesses — susceptible to a similar attack?
If you care about your customers (of course you do!) chances are you have already installed proper perimeter security on their networks: starting with a firewall or UTM (unified threat management) device, then on to the desktop with top-line antivirus/antispyware software from a tier-1 provider, and on to email spam and malware protection whether premise or hosted. It just makes sense; there’s many ways to provide protection, and we definitely do not leave our customers with nothing, just dangling in the wind. We have ensured that something is there to protect them. But that doesn’t make it any less unsettling when the big players — with presumably the most state-of-the-art computer security available — are still getting tagged by prowling hackers.
I’m sure you’ve followed the challenges faced by a large national retailer during the 2013 Christmas holiday shopping season. As you may have heard, it appears the culprit allegedly came from Russia and was quite possibly a teenager. While all the facts haven’t yet been established, if true it wouldn’t be the first time a giant corporation was bested by an ingenious kid with too much time on his or her hands. Investigators are even speculating it could have been an email sent to an employee, who unknowingly downloaded malware that affected their point-of-sale systems. It's becoming an old story: social engineering to dupe employees resulting in big damage.
The fact is, there is no firewall or antivirus software in the world that will save you from someone’s poor judgment. You can bank that your customers will have someone on staff with bad — sometimes spectacularly bad — judgment about these issues. And the possibility that one wrong move or one opened email can compromise your big client’s sensitive data is enough to keep you up at night.
What steps can MSPs take to avoid these unsettling situations? I propose the following:
Educational material. Would your client’s staff know a phishing email if they saw it? Sometimes all it takes is a trained eye to catch some of the more classic phishing schemes, and a white paper or weekly newsletter that warns of these tactics is worth sending out once a month or once a quarter. Many of the top tech sites have information on spotting a phishing email that you can use to educate your customers.
Constant Network Monitoring and Checkups. Even if you’re comfortable with the perimeter security that is installed, don’t go too long without a good scrubbing. I suggest a semi-annual audit of your client’s network that gives each OS end-point the once-over, just to find anything out of the ordinary.
24/7 Support. If an employee at one of your accounts were to find something suspicious, whether in an email or elsewhere, would they know who to alert right away? And does your support team provide the coverage needed to respond? You want your team to be ready if someone passes along what looks like suspicious activity. Establish sound procedures for how to handle a breach so that when the notification comes in, your support team is ready.
My advice is to treat SMB installations as being just as susceptible to cyberattacks as the big players. With a combination of strong perimeter security using devices (firewalls and UTMs); software (antivirus/antispyware software); and end-user training all playing their part, you will then be ready to respond with effective and timely clean-up support.
Always have pieces in place to sniff out and shut down threats before they occur, and to respond quickly when they do. Protect your customers, validate their trust in you, and sleep well at night. That’s a pretty good prescription!