MSPs: The masters of SMB cybersecurity (but what about themselves?)

MSPs are amazing at crafting defenses for their SMB clients, keeping them aware of cyber-attacks and as protected as possible. We preach MFA, endpoint defense, security awareness, and proper backups, helping our clients focus on growing their business instead of on cyber threats.

But here’s an uncomfortable truth: sometimes MSPs don’t follow their own advice. MSPs handle seriously sensitive material, including client data and privileged access to their clients’ critical systems. A single security slip-up at an MSP can open the door for attackers to pivot into every one of those clients’ environments.

With the financial, reputational, and community impact of an MSP breach being so high, we’ve listed a few security controls below that every MSP should consider implementing in its Microsoft 365 environment to help protect itself and its clients from data loss or extortion.


Conditional Access Policies: Enforcing security standards

  1. Multi-factor Authentication – We all know this is the minimum, but consider how your MFA is deployed and how susceptible it is to adversary-in-the-middle phishing and SIM-swap attacks: SMS and voice codes can be intercepted, and push approvals and one-time codes can be relayed by a phishing proxy. Also shorten the window between re-authentications: set a sign-in frequency and disable persistent browser sessions so that access and refresh tokens expire sooner. A few extra MFA prompts a day cost a little efficiency, but they sharply limit how long a stolen token stays useful.
  2. Location-Based Restrictions – Consider blocking sign-ins to M365 from countries or other named locations your business has no reason to operate in.
  3. Device-Based Restrictions – Only allow access from managed (compliant or hybrid-joined) devices and approved client applications.

Privileged Identity Management: Just-in-time access for administrative functions

  1. Multi-factor Authentication Part II – Require phishing-resistant, hardware-backed FIDO2 authenticators (security keys) for administrative access instead of push- or code-based MFA.
  2. Location-Based Restrictions Part II – Tighten locations further for administrators by disallowing public Wi-Fi or requiring a SASE connection so the admin session is protected end-to-end.
  3. Set Time Limits – Set a strict maximum duration for each activation of an administrative role.
  4. Require Approval – Define the role activations or activities that require a second person’s approval, so that no single compromised admin account can put clients at risk on its own.
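The Conditional Access items above (MFA with short token lifetimes, location blocking, managed devices) and the phishing-resistant MFA requirement for administrators are all expressed as Conditional Access policy objects in Microsoft Graph. The following is an added example, not code from the original post or from ConnectWise: it assembles the JSON bodies you would POST to `https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies`, then lints them for the mistakes that most often lock an MSP out of its own tenant or quietly leave a gap. The break-glass account ID and the named-location ID are placeholders you must replace; the two fixed GUIDs are Microsoft’s documented built-in IDs for the "Phishing-resistant MFA" authentication strength and the Global Administrator role template. The PIM time-limit and approval settings are configured separately and are not covered here.

```python
"""Build and lint Microsoft Entra Conditional Access policy bodies (added example)."""
from typing import Any

# Placeholders constructed for this example; replace with your tenant's object IDs.
BREAK_GLASS_ACCOUNT_ID = "11111111-1111-1111-1111-111111111111"
BLOCKED_COUNTRIES_LOCATION_ID = "22222222-2222-2222-2222-222222222222"

# Documented built-in Entra IDs (not tenant-specific).
PHISHING_RESISTANT_MFA_STRENGTH_ID = "00000000-0000-0000-0000-000000000004"
GLOBAL_ADMIN_ROLE_TEMPLATE_ID = "62e90394-69f5-4237-9190-012177145e10"

REPORT_ONLY = "enabledForReportingButNotEnforced"


def base_policy(name: str, state: str = "enabled") -> dict[str, Any]:
    """Skeleton: all cloud apps, all users, minus the break-glass account."""
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "clientAppTypes": ["all"],
            "applications": {"includeApplications": ["All"]},
            "users": {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS_ACCOUNT_ID]},
        },
        "grantControls": {"operator": "OR", "builtInControls": []},
    }


def require_mfa_short_sessions(frequency_hours: int = 12) -> dict[str, Any]:
    """MFA for everyone, re-authentication every N hours, no persistent browser
    sessions: a stolen refresh token or session cookie has a short shelf life."""
    p = base_policy("CA001 Require MFA with short sign-in frequency")
    p["grantControls"]["builtInControls"] = ["mfa"]
    p["sessionControls"] = {
        "signInFrequency": {"value": frequency_hours, "type": "hours", "isEnabled": True},
        "persistentBrowser": {"mode": "never", "isEnabled": True},
    }
    return p


def block_untrusted_countries() -> dict[str, Any]:
    """Block sign-ins matching a countries named location (created beforehand
    under /identity/conditionalAccess/namedLocations)."""
    p = base_policy("CA002 Block sign-in from untrusted countries")
    p["conditions"]["locations"] = {"includeLocations": [BLOCKED_COUNTRIES_LOCATION_ID]}
    p["grantControls"]["builtInControls"] = ["block"]
    return p


def require_managed_device() -> dict[str, Any]:
    """Allow only Intune-compliant or hybrid-joined devices (either satisfies)."""
    p = base_policy("CA003 Require compliant or hybrid-joined device")
    p["grantControls"]["builtInControls"] = ["compliantDevice", "domainJoinedDevice"]
    return p


def require_phishing_resistant_mfa_for_admins() -> dict[str, Any]:
    """Privileged roles must meet the built-in phishing-resistant strength
    (FIDO2, Windows Hello for Business, certificate), which AiTM proxies and
    SIM swaps cannot satisfy. Targets the role, not named users."""
    p = base_policy("CA004 Phishing-resistant MFA for privileged roles")
    p["conditions"]["users"] = {
        "includeRoles": [GLOBAL_ADMIN_ROLE_TEMPLATE_ID],
        "excludeUsers": [BREAK_GLASS_ACCOUNT_ID],
    }
    p["grantControls"] = {
        "operator": "OR",
        "builtInControls": [],
        "authenticationStrength": {"id": PHISHING_RESISTANT_MFA_STRENGTH_ID},
    }
    return p


def lint(policy: dict[str, Any]) -> list[str]:
    """Problems a reviewer should refuse to sign off on before the policy goes live."""
    issues: list[str] = []
    users = policy["conditions"]["users"]
    grant = policy.get("grantControls", {})
    controls = grant.get("builtInControls", [])
    if BREAK_GLASS_ACCOUNT_ID not in users.get("excludeUsers", []):
        issues.append("break-glass account not excluded")
    if policy["state"] != "enabled":
        issues.append(f"state is {policy['state']}, not enforced")
    if not controls and not grant.get("authenticationStrength"):
        issues.append("no grant control: policy allows everything it matches")
    if controls == ["block"] and users.get("includeUsers") == ["All"] \
            and "locations" not in policy["conditions"]:
        issues.append("blocks all users everywhere: tenant lockout")
    return issues


def all_policies() -> list[dict[str, Any]]:
    return [require_mfa_short_sessions(), block_untrusted_countries(),
            require_managed_device(), require_phishing_resistant_mfa_for_admins()]


def lint_all() -> dict[str, list[str]]:
    """Map each policy name to its lint findings; an empty dict means all clean."""
    return {p["displayName"]: f for p in all_policies() if (f := lint(p))}
```

Roll these out in report-only state first and read the sign-in logs for a few days, but do not leave them there: the lint treats `enabledForReportingButNotEnforced` as a finding precisely because report-only policies are the ones that get forgotten.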

Regular Account Reviews: Critical to finding and eradicating risk!

Monthly account reviews, performed by the Service or Operations Leader, are critical to ensuring that security is properly maintained and that Move/Add/Change operations inside your MSP have not created an unknown risk. Keeping a record of these reviews and having new team members attend them also serves as training for client account reviews.

  1. User Account Inventory – Ensure every enabled account still belongs to a current employee or a justified service purpose, and disable the rest.
  2. Admin Account Inventory – Ensure all administrators still need this level of access, and remove roles that are no longer used.
  3. Conditional Access Policy Review – Review all Conditional Access policies to ensure they are actually enforced (not left in report-only or disabled state), up to date, and meet current security demands.
  4. Microsoft Security Baseline – Measure against the baseline to track progress and catch changes to the underlying platform that could add risk to your current configuration.

MSPs are so busy building protection for others that they can miss the mark on their own internal security processes and procedures, the ones that keep them from exposing themselves and their clients to third-party risk. Securing an MSP takes many more steps and solutions than these, but adding Conditional Access, Privileged Identity Management, and regular account reviews to your Microsoft 365 environment will increase your cyber resilience while also giving you bragging rights with prospects and clients about how you protect their information.

If you are looking for a straightforward way to check and update security in your M365 environment, check out ConnectWise SaaS Security. By leveraging the Microsoft Secure Score framework report, or any of the 8 IT security frameworks we support, you can run baselines on a regular basis against your own M365 tenant, giving you the ability to see and manage changes that affect security. In addition to setting your own baseline, you will also have the option to use ConnectWise SaaS Security to remediate open issues, or to change the status of non-compliant controls and document how and whether they are addressed.