What if you were getting prepped for some routine surgery—maybe an appendectomy—and the doctor walked into the operating room and flat out admitted that he hadn’t washed his hands as part of his preparation?
He had just washed them a couple of minutes ago after going to the bathroom. They’re clean enough!
Would that satisfy you? Would you go on with surgery?
A lot of times, our teams believe they’re similarly doing enough to have good cyber hygiene. They already know what’s happening—at least at some technical level—out in cyberspace and believe they have an idea of what is causing attacks, but what we’ve been seeing is that many knowledgeable technicians rarely stick to a cyber hygiene regime.
Perhaps user errors are the first thing to come to mind—most likely phishing attacks and other social engineering tactics that they confidently know are not going to impact them.
But as they start their routine—their day to day in this current climate of distraction after distraction (either in the media, at home, or in the office)—it’s very likely that they are no longer focused on avoiding an attack (or even a phish).
Especially with technical teams, I’ve found we need to reinforce what’s going on.
I recommend over-communication.
Over-communicate the security vulnerabilities you see in the upcoming weeks, and get everyone within your organization to start seeing them, too. No one will be vigilant if you aren’t.
What to focus on?
This might depend on areas where you need improvement. (We typically recommend a painless evaluation of your cybersecurity stack or a third-party audit to really dive into areas of prioritized focus.) Just to give you a few starting points, here are some areas to which many MSPs are devoting their time and energy:
Backing things up appropriately? – I know you might have invested in some of the state-of-the-art backup automation tools. The actual technology is not what I’m questioning; the practice is. If you’re not testing backups (going deeper than simply alerting if a backup failed), you might be in more jeopardy than you’d ever think from the standpoint of your backups being vulnerable to an attack. Do you have your data directly controlled by your RMM or on your network? That is another big area that many MSPs are having to grapple with.
Updating or patching? – I know you are already aware of any outdated operating system issues within your environment. What we’ve been seeing in MSPs are patching levels that are not consistent across the environment. Every time I bring this up in an audit, the MSP owner says we must be mistaken. But every time that happens, the owner comes back to me admitting that something broke on his or her side. If you’re not keeping a close eye on updates, and making sure they’re actually applied (even though you have intended to do so), you may be more confident than you actually should be.
Validating your cyber policy? – As an MSP or any business owner or operator, I’m sure you’re concerned enough about all of the risk related to cyber events that you’ve invested in cyber policies. Make sure you understand the fine print within those policies and create checks within your organization to see that you are doing everything the policies expect of you.
Regularly checking up? – While hand washing in healthcare may seem like a no-brainer, it wasn’t until the 1980s that hand washing became a part of procedures within healthcare systems. Until they started communicating basic hygiene principles and reminding teams of the importance and necessity of hand washing with clear instructions, contamination and infection were rampant across health systems.
With continuous checkups and reminders, health procedures control for hygiene today so much better than before that post-surgery infections in many systems are nearly non-existent.
My question to you: shouldn’t our industry be doing the same things when it comes to cybersecurity basics? Is your team washing their hands before they put them on a network?
What hasn’t worked is investing in completely reactive strategies. While reacting to an event is definitely part of your security strategy, relying on reactive tools will likely not lead to a ransomware or attack-free environment. Many MSPs are moving toward proactively identifying vulnerabilities and fixing them to avoid being low-hanging fruit for an attack waiting to happen.