Master Your Passwords
Cyberattacks on large enterprises like NASA, CBS, and Facebook make the headlines, so it’s easy to assume that companies with deep pockets are the primary target, but the statistics indicate otherwise. Of all the cyberattacks in 2019, 43% of breach victims were small businesses. 1 Recently, a shift in the business ecosystem has resulted in updated tactics—MSPs are now seen as an access-point into large networks of SMBs. As your MSP grows and your client base broadens, so grows the target on your back.
The U.S. Department of Homeland Security is aware that cybercriminals are targeting MSPs for the purpose of “cyber espionage and intellectual property theft”. In the alert issued 2 , the Department highlights the use of “compromised legitimate MSP credentials” that allow attackers to “move bidirectionally between an MSP and its customers’ shared networks”. Evidently, a fundamental strategy to deter cyberattacks resides in smart password management.
Master your passwords, and don’t be an easy target. 1 2019 Verizon Breach Report 2 Alert (TA18-276B)
Of course, as an MSP you’re not the only one in the security equation. We’ve found that over 40% of MSPs don’t know how their clients manage passwords, and of MSPs that do know, 14% indicate that clients use a Microsoft Word document, and 25% use Post-It Notes.1
Though a service agreement dictates whether or not you’re contractually responsible for managing a client’s passwords, it’s in your and the client’s best interest to at least broach the topic of password management. The goal of the conversation? To determine whether they understand the gravity of the situation, what their current password management solution is, and whether or not they need support. Most small businesses actually have no idea the risks they face, so you can have full control over this conversation - explaining the risks and providing the solutions. 1 IT Glue’s 2019 Global MSP Benchmark Survey
Long, Complex Passwords
Nothing new here. We’ve all set a new password and been faced with the task of moving the little bar from the red into the green. That said, here’s a refresher on best practices to help you put them into practice.
- Tip 1 - Minimum 12-14 characters (the longer the better)
- Tip 2 - Use a mix of letters (upper and lowercase), numbers, special characters
- Tip 3 - Avoid common phrases and words (we know you love your pets/kids, but they don’t need to be your password.)
- Tip 4 - Avoid patterns, such as: abc, 123, qwerty
- Tip 5 - Avoid obvious substitutions, including: 0 for O, 5 for S, @ for a
- Tip 6 - Use an automated password generator
- Tip 7 - Do Not reuse passwords!
A moving target is harder to hit, but is this true for passwords?
There is a divide in opinion when it comes to password rotation. Advocates say that updating passwords regularly decreases the chances of a password being compromised, and minimizes the window of time during which compromised login information can be used. Naysayers site recent studies that point out the tendency for users to select weak passwords that only differ slightly, and argue that even if there’s a password rotation schedule, once a password is cracked an attacker will have sufficient time to cause havoc.
Regardless of your stance, the ability to execute bulk password rotation is necessary if credentials are compromised. A good rule of thumb is to think of your systems as security “zones”, some of which require higher levels of security than others. For credentials that gain access to highly sensitive information, it might be prudent to rotate those. The decision is up to you.
Change your passwords, the time is nigh.
Use a Password Manager
At this point, you may be feeling the pain of trying (and failing) to manage your clients’ passwords. Keeping track of long, complex passwords alone seems like a near-impossible task, and one that’s definitely unpleasant. Add on having to rotate them as frequently as after every use is definitely impossible.
The reality is that manual password management simply doesn’t cut it anymore.
A solution that specializes in password management is by far the easiest and most reliably way to mitigate risk. This is especially true when managing the credentials for multiple individuals at multiple companies. Not only is it unpleasant, when you compare the cost of doing this manually (hourly and opportunity cost) with using a password manager platform, it just makes sense to do so. It’s the only way to manage and scale operations without exposing yourself up to risk.
Protecting and managing passwords becomes far more manageable, and you can have peace of mind that you’ve got your bases covered. The best part is that many third-party password management platforms offer all of the previously mentioned functions plus additional features such as security auditing, event reporting, and industry security compliance.
Dark Web Monitoring
A good thief will be in and out without leaving a trace, and when it comes to damage control, time is of the essence. The faster you know when your or your client’s data has been compromised, the more time you have to re-secure accounts. In the first half of 2018 alone there were 945 data breaches compromising a total of 4.5 billion records.1
As the name implies, dark web monitoring surveils the darkest corners of the internet, including botnets, peer-to-peer networks, and illegal black market sites. The goal? To immediately alert you if there’s a nefarious actor on the dark web attempting to peddle your, or your client’s data to the highest bidder. 1 Data Breaches Compromised 4.5 Billion Records in First Half of 2018*
We all hope the worst-case scenario never becomes a reality but preparing for it ensures you can act fast when it (inevitably) happens. According to a Ponemon Institute study 1 , 76% of US companies experienced a cyberattack in the past 12 months, up from 70% in 2018, and 63% in 2017. How will you respond to a data breach? What will you tell your clients? Do you pay the ransom? Who do you call on for support? These are all things that are much easier to determine with a calm head and established playbook instead of in the heat of the moment.
Making all these decisions up front saves the added stress of doing it during the event and ensures everyone on your team is on the same page.
Your playbook will be specific to your company, but some considerations include:
1 Ponemon Institute study
- Being aware of governmentregulated timelines for self-reporting following a data breach.
- Establishing a response team and decision making process.
- Having a policy on whether to pay ransoms.
- Developing a corporate communication and PR plan.
- Creating a framework for documenting the event.
MyGlue Secures Your Clients’ Digital Footprints.
As an MSP, your business needs to be built on trust—which takes time to build up and an instant to break. Some catastrophes are unavoidable, but compromised passwords do not fall in that category.
Not only should you make sure to master your own passwords, but pass this knowledge along to your clients.
MyGlue is a client-facing application that brings the capabilities of IT Glue to your clients, enabling them to take control over their passwords.
Your expertise is valuable to them. it’s why they pay you.
By providing your clients with a secure password vault that will allow them to safely manage all of their passwords in a collaborative environment that you can help manage, you’re investing in the trust you’ve built by protecting both your business and theirs at the same time.
To learn more about how MyGlue can help extend your password mastery to your clients, sign up for a walk-through.