Ransomware Archives - IT Glue (https://www.itglue.com/blog/category/cybersecurity/threats/ransomware/)

Mitigating Ransomware Attack Risks
https://www.itglue.com/blog/mitigating-ransomware-attack-risks/
Mon, 19 Jul 2021

In recent years, digital trends have accelerated at an unprecedented level, bringing in a whirlwind of new opportunities. While it’s easy to be caught up in the excitement of it all, things can quickly turn sour if a security incident occurs. Ransomware is one of the worst nightmares for MSPs and IT teams everywhere. The impact of a ransomware attack is instant and the recovery period can be incredibly difficult if you are not adequately prepared. If recent events are any indication, it is not a matter of if, but rather when, a ransomware attack will happen.

MSPs are often targeted by cybercriminals since they can be used as gateways to deploy ransomware into the infrastructure of multiple companies at the same time. In case of an unexpected ransomware attack, simply employing preventive measures isn’t enough. You also need to focus on containing the threat and ensuring business continuity as quickly as possible.

Let’s discuss some of the strategies that can help you get back on track should you experience an unavoidable breach.

Mitigating the Impact of Ransomware

Business continuity is of critical importance no matter what line of business you are in. However, many organizations tend to prioritize other initiatives over IT investments. Sometimes, it can take a full-blown crisis for organizations to take business continuity seriously.

Here’s a list of best practices you need to incorporate to mitigate the effects of ransomware:

  • Use secure remote access tools: This is one of the most effective measures at the disposal of MSPs to limit the impact of ransomware. Always ensure that your remote access tools are as secure as possible. Enforce multifactor authentication (MFA) for all critical applications and consider IP restrictions so that access is permitted only from trusted networks. Also, keep your RMM software up to date, since it helps you monitor your IT infrastructure effectively and contain threats before they turn into serious issues.
  • Restrict network access: Many ransomware attacks involve stolen credentials, which is something MSPs should be aware of. Assume that your credentials could be compromised at any time and implement the controls needed to limit the damage. For instance, adopt the principle of least privilege so that only the right people have access to critical information. Also, enforce strict password hygiene to prevent unauthorized entry and lateral movement. Consider using a strong password manager and enforce MFA wherever possible.
  • Secure your endpoints: Phishing is still one of the most popular delivery methods for all types of malware, including ransomware. All it takes is one naïve employee clicking a phishing link to compromise an entire network. Secure your employees' endpoints with measures like email security, web filtering, endpoint security and more.
  • Prioritize patch management: Patching is as critical as any other security measure. Many cybercriminals exploit vulnerabilities in outdated software to gain entry into a network. You need to keep all your software up to date without fail. Manual patching is no longer an option when managing multiple networks. You need a strong patching engine to automate the patching process and secure your endpoints.
  • Set alerts: Mitigating a breach requires getting alerts before something gets out of hand. You need to configure your networks so that you receive proper alerts about unusual activity. This helps you stay ahead of security threats and proactively mitigate risks.
  • Create off-site data backup: When an IT infrastructure is compromised, it is likely that the on-site data backups are compromised as well. Ransomware attacks take control of critical business data and encrypt it to hold for ransom. This is why off-site data backup is crucial for a solid business continuity strategy. Create multiple copies and use strategies like the 3-2-1 rule to ensure business continuity after a breach.
  • Implement BYOD policies: Company-issued devices are always preferable when it comes to security. However, in this age of remote and hybrid work environments, employees also tend to use their own devices for work. You need a strong policy regarding the use of personal devices. Enforcing network restrictions and VPN usage can also curb the use of personal devices for work purposes.
  • Develop and test incident response plans: Do you have a plan in place if an unexpected breach occurs? If you don't, you need to get on it right away. You need plans outlined for communication, containment, mitigation and remediation. Your key employees should be aware of these plans and able to start recovery procedures immediately.
  • Document and review the processes: Documentation plays a significant role in closing the gaps in your cybersecurity measures. With clearly documented processes, you know what actions need to be taken and how to carry them out. To keep your documentation up to date, review it regularly and make the necessary modifications.
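The "Set alerts" item above says to alert on unusual activity, and the most recognisable unusual activity in a ransomware incident is a burst of files being renamed to a new extension. The following is an added example, not code from IT Glue or the original post: a small detector that reads tab-separated file-activity records (a constructed format, with constructed sample lines) and raises one alert per host/user pair that changes the extension of at least 20 files inside any 60-second window. The log format, the window and the threshold are assumptions chosen for the example; a real deployment would take them from the file-auditing tool actually in use.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta


# Constructed sample log, fabricated for this example. Each line is tab-separated:
# "timestamp<TAB>host<TAB>user<TAB>action<TAB>path[<TAB>new_path]". The format is an
# assumption for the example, not the output of any particular product.
def _build_sample_log():
    base = datetime(2021, 7, 19, 10, 0, 0)
    lines = []
    # Benign activity on WS-03: a few edits and a small batch of .jpeg -> .jpg renames.
    for i in range(5):
        t = (base + timedelta(seconds=10 * i)).isoformat()
        lines.append(f"{t}\tWS-03\tbob\tWRITE\tC:\\Users\\bob\\notes{i}.txt")
        lines.append(f"{t}\tWS-03\tbob\tRENAME\tC:\\Users\\bob\\pic{i}.jpeg\tC:\\Users\\bob\\pic{i}.jpg")
    # Suspicious activity on WS-07: 25 documents renamed to a new extension within 25 seconds.
    for i in range(25):
        t = (base + timedelta(seconds=120 + i)).isoformat()
        old = f"C:\\Users\\alice\\Documents\\doc{i}.docx"
        lines.append(f"{t}\tWS-07\talice\tRENAME\t{old}\t{old}.locked")
    return lines


SAMPLE_LOG = _build_sample_log()


def extension(path):
    """Lower-cased extension of the last path component, '' if it has none."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def parse_line(line):
    """Split one log line into (timestamp, host, user, action, path, new_path_or_None)."""
    fields = line.rstrip("\n").split("\t")
    ts = datetime.fromisoformat(fields[0])
    new = fields[5] if len(fields) > 5 else None
    return ts, fields[1], fields[2], fields[3], fields[4], new


def detect_bursts(lines, window=timedelta(seconds=60), threshold=20):
    """Return one alert per (host, user) that changed the extension of at least
    `threshold` files inside any `window`-long span. The alert carries the count
    and the most common new extension, which is what a responder looks at first."""
    recent = defaultdict(deque)      # (host, user) -> timestamps of extension-changing renames
    new_exts = defaultdict(Counter)  # (host, user) -> new extensions seen so far
    alerts = {}
    for line in lines:
        ts, host, user, action, old, new = parse_line(line)
        # Only renames that change the extension count; edits in place do not.
        if action != "RENAME" or new is None or extension(old) == extension(new):
            continue
        key = (host, user)
        q = recent[key]
        q.append(ts)
        new_exts[key][extension(new)] += 1
        # Drop timestamps that have fallen out of the sliding window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and key not in alerts:
            ext, _ = new_exts[key].most_common(1)[0]
            alerts[key] = {"host": host, "user": user, "count": len(q),
                           "new_extension": ext, "first_seen": q[0].isoformat()}
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_LOG):
        print(alert)
```

Bob's five .jpeg to .jpg renames change the extension but stay well under the threshold, so only Alice's burst on WS-07 produces an alert. Wiring the alert to an isolation action in the RMM (rather than just a ticket) is what turns it into the containment step the post asks for.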

A Resilient Infrastructure

Cyberthreats can come from anywhere in today’s world. A proactive approach is a great way to not only prevent security threats but also contain unavoidable breaches. The stakes are higher than ever for MSPs in this digital world. Make sure you have a strong security foundation that can bounce back from any threat. The time to build a resilient IT infrastructure is now!

Resources

As an MSP, you manage a lot of sensitive client data and protecting this data is of paramount importance. You can use the following resources to mitigate the impact of an attack and secure your critical data:


Wannacry Post-Mortem: Lessons for MSPs
https://www.itglue.com/blog/wannacry-post-mortem-lessons-for-msps/
Fri, 09 Jun 2017

Now that the dust has settled, it’s time to do a post mortem and see what lessons can be learned from the Wannacry outbreak.

Do we really understand the risk?

If you categorize Wannacry as simple ransomware, the impact wasn’t as bad as other outbreaks. Yes, it spread quickly, but anti-virus vendors were quick to respond and its progress was greatly slowed by a lucky researcher.

But Wannacry isn’t just a simple ransomware outbreak. It’s the first of something new.

Hackers and their ilk have been growing more mature and sophisticated for a long time, but groups like the Shadow Brokers are taking it to a much scarier level. Their recent announcement of a 0-day vulnerability subscription service should raise your assessment of cyber-risk to an all-new level.

The good news

For all the hair-on-fire and running-around-in-circles caused by Wannacry, when you take a breath and look back, it’s clearly an opportunity for companies and MSPs to make space in the budget and put the right protection in place. Sometimes you need a big scare to change.

The fear and pain are still fresh. It’s the right time to review security controls with your client and make recommendations to reduce the risk.

What we need to do better

It’s interesting when you look at the statistics for this attack and try to break out what we need to do better.

Better road-mapping and retirement of old operating systems? 98% of the infections were on Windows 7 systems, which is still supported by Microsoft.

Improve antivirus? Anti-spam? If you’re using a tier 1 vendor, they were catching Wannacry very quickly. Symantec blocked more than 22,000,000 infection attempts across 300,000 endpoints.

The answer is not one of technology. Technology isn’t the root cause of the spread. It’s not where some of us fell down.

We need to improve our security processes and better train people.  

Incident response planning

What do you do when an incident like Wannacry happens to a client? How do you respond quickly and effectively? 

Even if you didn’t get infected, as soon as Wannacry started to spread, your risk level should have gone to an 11. What did you do to ensure that your clients were safe? How did you communicate that safety to them?

If your client(s) did get infected, what did you do to lock down the issue quickly and get them back up and running? How quick was the recovery? How did you resolve the root cause of the issue?

Incident response planning is very important for MSPs. Develop clear process maps for your incident response process, including the technical, communications and human elements and write SOPs for every stage (store it all in IT Glue, of course).

Just writing SOPs isn't effective on its own, though: run practice sessions regularly so your team knows what to do. If you're really keen, do some tabletop gaming of incidents. Done right, tabletop gaming is both incredibly effective and a ton of fun for your team.

Security Operations

There are many key security operations that MSPs need to be doing very well to ensure their clients are safe.

Patching needs to be at the forefront. With Wannacry, Microsoft had released patches for most operating systems months before. Strangely, I heard of many late-night emergency patching processes from several companies. Patching doesn’t just mean workstations and servers – all systems need to be included. Firewalls, websites, productivity applications, IoT devices, and anything with an external IP. PCI-DSS requires that critical patches be installed within 2 weeks. We should aim for better to ensure our clients stay safe.
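The paragraph above sets a concrete bar (critical patches installed within 2 weeks, and everything with an external IP in scope), and the natural follow-up is a report that shows which hosts are past that bar. The following is an added example, not code from IT Glue or the post's author: it walks a constructed patch inventory, flags every pending patch older than its severity's SLA, and orders the findings so that internet-facing hosts come first. The 14-day critical window is the PCI-DSS figure quoted in the post; the other SLA tiers, the inventory records and the field names are assumptions made for the example.

```python
from datetime import date

# Constructed inventory, fabricated for this example: each record names a host,
# whether it is reachable from the internet, and the patches still pending on it.
INVENTORY = [
    {"host": "fw-edge-01", "external": True,
     "pending": [{"id": "PATCH-A", "severity": "critical", "released": "2021-06-20"}]},
    {"host": "web-01", "external": True,
     "pending": [{"id": "PATCH-B", "severity": "high", "released": "2021-07-10"}]},
    {"host": "ws-07", "external": False,
     "pending": [{"id": "PATCH-A", "severity": "critical", "released": "2021-06-20"},
                 {"id": "PATCH-C", "severity": "low", "released": "2021-04-01"}]},
    {"host": "srv-files", "external": False, "pending": []},
]

# Allowed days between a patch's release and its installation, keyed by severity.
# The 14-day critical window is the PCI-DSS figure quoted in the post; the other
# tiers are assumptions chosen for the example.
SLA_DAYS = {"critical": 14, "high": 30, "medium": 60, "low": 90}


def _as_date(value):
    """Accept either a date or an ISO-8601 string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def overdue_patches(inventory, today, sla=SLA_DAYS):
    """Return every pending patch that has exceeded its SLA, most urgent first:
    internet-facing hosts before internal ones, then by how far over the SLA."""
    today = _as_date(today)
    findings = []
    for rec in inventory:
        for patch in rec["pending"]:
            age = (today - _as_date(patch["released"])).days
            # An unrecognised severity is treated as critical rather than ignored,
            # so a labelling mistake cannot hide a patch from the report.
            limit = sla.get(patch["severity"].lower(), sla["critical"])
            if age > limit:
                findings.append({"host": rec["host"], "external": rec["external"],
                                 "patch": patch["id"], "severity": patch["severity"],
                                 "age_days": age, "days_over": age - limit})
    findings.sort(key=lambda f: (not f["external"], -f["days_over"]))
    return findings


def sla_compliance(inventory, today, sla=SLA_DAYS):
    """Fraction of hosts with no overdue patch: one number for a client review."""
    if not inventory:
        return 1.0
    overdue_hosts = {f["host"] for f in overdue_patches(inventory, today, sla)}
    return 1 - len(overdue_hosts) / len(inventory)


if __name__ == "__main__":
    for finding in overdue_patches(INVENTORY, "2021-07-19"):
        print(finding)
    print("hosts within SLA:", sla_compliance(INVENTORY, "2021-07-19"))
```

Run against the sample inventory on 19 July 2021, the report lists the edge firewall first even though the workstation's low-severity patch is further past its deadline, because exposure to the internet outweighs raw lateness. Feeding the same function the export of whatever RMM or patch engine you use is the only change needed for real data.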

Are you sure the front door is closed and locked? If you're not doing external vulnerability scanning for your clients, you should be. There are many vendors that provide this service; it's even built into Network Detective, which many MSPs already use.

For many businesses, even if they didn’t get infected, confidence is shaken. This is when having good security conversations is vitally important. If you’re already doing quarterly reviews and don’t have a strong security component in it, it’s time to develop one.

Security Awareness Training

Forewarned is forearmed.

The bad guys focus on what gets results – and people are the weakest link. Why put in the effort at breaching a firewall when 30% of phishing emails are opened, and 12% of links clicked?

It’s vital that we train staff of all levels to recognize cybersecurity threats and know their role in the security puzzle.

Launch a cybersecurity awareness program for your clients. Do lunch and learns, webinars, and/or newsletters. According to a survey by ISACA, using multiple mediums is the most effective.

Do a post-mortem yourself

Now that the incident is past, you should be doing an internal post-mortem for yourself.

The normal parts of a post mortem include:

  • Summarize what happened
    • Include impact analysis where possible.
    • Do not blame-storm! This is about being self-reflective and improving process. If it’s someone’s fault, the team will disengage completely.
  • Determine root cause
    • “Uhh wannacry?” is not a root cause. Look at each impact and determine why that impact occurred.
  • Review actions
    • What was done during the incident?
    • Include every part of the incident response, including communications with clients, processes and technological factors.
  • Learnings
    • What could we do better? How do we ensure this doesn’t happen again?
    • Be open to ideas and inclusive through this process.

Post-mortems are a vital part of incident response. Doing them well can massively reduce the impact of incidents and improve the effectiveness of your whole team.

About the Author

Mike Knapp is an IT Project Superhero and Cyber-Security Simplifier focused on helping business increase success through technology and reducing the risk of cyber-attacks. He is a partner with Incrementa Consulting and the founder of Simple Security.   
