MSPs: Building an IT Security Practice
MSPs have an enormous opportunity to build effective IT security practices. IT security, and specifically network security, is one of the most critical components of running a network these days. Traditionally, MSPs have taken the approach of leveraging a wide range of security solutions to accomplish the goal of protecting their clients. The more security solutions used, the more time and training requirements for MSP technicians, and the greater the uphill battle for convincing clients to devote significant portions of their cash flow.
Key Trends in Modern Security
As the security models have evolved and more research has been done on how to best secure IT environments, a new approach to IT security practices is evolving. This new, more modern approach to IT security is based on some fundamental tenets that we’ve broken into four tips below:
Research has shown that the fastest way to hack into a network is to compromise the right identities. Target, Sony, and countless other large companies know this all too well, yet SMBs have actually emerged as the primary target for cyber attacks. Considering that 54% of the United States had their identities compromised in 2017 alone, identity breaches can be a major problem for any organization. Once they obtain an employees credentials, hackers can bypass all of the security controls MSPs and IT organizations have put in place.
Systems are the Gateway to Digital Assets
While much has been made of mobile devices and tablets, MSPs know that most work gets done on laptops and desktops. For this reason, a compromised system can be the conduit to the entire suite of applications and data for an organization. Unfortunately, hackers know this to be true as well, and are actively looking for system vulnerabilities.
Basics Have Never Been More Important
With over 1,000 security companies on the market, there is a gadget or tool for everything that an MSP can think of. While many of these offer “next-generation” security solutions, the basics are being overlooked more than ever. Long, strong passwords, multi-factor authentication (MFA), anti-malware software, firewalls, and patching can take an MSP’s client a very long way down the path before considerations of the next new thing make sense.
Security Training is Essential
End users are now the linchpin to ensuring great security. End users are also more savvy than ever when it comes to technology, but letting them try to do their best without guidance is a recipe for disaster. MSPs can dramatically step up security for their clients through rigorous security training. The good news is that the training doesn’t need to take a long time, nor does it need to be overly complicated. MSPs can quickly deliver the core steps end users can take to protect themselves and their organization.
These four fundamental beliefs about security can form the backbone for a new type of IT security practice for MSPs. The good news is that MSPs don’t need to run out and find a lot more vendors, but rather, leverage the core partners they have and invest in materials to help teach their clients about the best approach to security. The best approach is to use a layered in-depth defense to fortify security.
Layers of Your IT Security Defense
As mentioned above, identities are the number one attack vector for hackers. It is always easier to look for the right set of credentials than searching for weaknesses due to vulnerabilities in the application, system, or network. For MSPs, the best advice to share with clients is to implement a centralized identity and access management solution—i.e. directory services—that controls access to virtually all IT resources. Along with that comes a number of critical security functions: the ability to enforce long, strong passwords, SSH key management, and multi-factor authentication (MFA or 2FA). Encourage your clients to take identity security seriously—protection here stems the number one path to a compromise.
Ultimately, hackers are after your data—confidential materials, credit cards, healthcare records, and more. Ideally, all of your clients’ data is encrypted when at rest. That means databases are encrypted, application data is encrypted, and hard drives on user machines are encrypted. There are any number of tools and solutions that can help make this happen, and many of them come included with the solutions that you and your clients are already using. You just need to leverage these tools and solutions into your security workflow as much as possible.
These days, most SMBs are leveraging web applications wherever possible. The good news is that much of the application-level security is handled by providers such as Google with G Suite, Microsoft with Office 365, Slack, GitHub, and thousands more. Providing guidance to your clients to select applications that take security seriously is good advice. Couple that with application level multi-factor authentication for access control and your clients will be making strong strides in this category.
With the mixed platform environments of most SMBs, MSPs are challenged to effectively lock down these systems. That means ensuring that systems are secure, hard drives are encrypted, anti-malware software is installed, patches are in place, and other security policies are in order. Taken in isolation—i.e. one platform—it is fairly straightforward to manage system security and access, but across platforms, locations, and user types, the problem becomes exacerbated and much more significant. Of course, excellent endpoint management can be a significant differentiator for MSPs. Happy, secure end users are always an ideal goal for businesses.
Most SMBs are leveraging WiFi for their internal networks. MSPs know that WiFi networks are far less secure than the wired networks of the past. The good news is that it is straightforward for MSPs to secure WiFi networks with techniques such as unique authentication and VLAN assignments. Both of these dramatically step up security, provide a significant revenue opportunity for MSPs, and are largely invisible to end users.
Despite all of the different solutions that MSPs can put in place, perhaps the one thing that can be most valuable is training a client’s employees. While there may be pushback to the training, the best trainings have end users taking the information and applying it to their personal lives. If a client’s end users can ingrain what they’ve learned, the chances of a breach decrease significantly.
In the end, MSPs have a tremendous opportunity to not only help their clients with IT security, but also to build a significant practice and revenue stream for their own business.
Learn More About Building an IT Security Practice
Interested in hearing more about building an IT security practice for your clients? Send us a note, and feel free to scan through these MSP-specific Resources. If you’re ready to become a JumpCloud Partner, apply here today and our Partner Support Team will follow up with further details to get you up and running with Directory-as-a-Service.
JumpCloud’s Partner Program empowers MSPs with central identity management from the cloud. Fine-tuned for MSPs with cloud security offerings and/or clients moving to the cloud, Directory-as-a-Service can be easily bundled at the center of any product stack to make customers more secure, efficient, and scalable. Make Work Happen™ for your clients while improving the bottom line for your business.