Is Your Website Putting You At Risk?

I’ve been concerned about this for a while now, but never got around to really diving into the specifics of how MSPs are putting themselves in jeopardy because of their websites.

Whether you use one of the templated platforms specifically designed for MSPs or have a more customized site, one thing is clear: MSPs are NOT putting enough effort into the perception of security around one of their most visible assets: their websites.

As organizations pay closer attention to security, many are looking, especially when making decisions about your products, services and engagements, for any signs of weakness in your security posture. They treat your external-facing presence as a clue to how you run your ship. If they see anything, even small things, that suggests you are not taking security seriously, the likelihood that they sign a contract or work with you may dwindle.

This very example has come up several times in the past couple of weeks. That’s why I want to reiterate 7 basic steps you should be implementing or checking on today to make sure your website is secure.

Enable 2FA everywhere—you have probably already enabled 2FA on other accounts in your organization (good job here!). But did you ever think to do this with your website? Even if you rely on a second party that administers your site and the content on it, you can most definitely implement 2FA.

Back up everything—I know you’re probably thinking that the content on your website isn’t that important compared to the rest of the data in your business. But what if your website actually got hacked? Would you have a place to restore from? A lot of MSPs I talk to have no backup plan here, and that’s concerning because your website is a growing part of how you win new business and retain existing business. If no one can get to your site, they may opt to go somewhere else.

Audit your DNS entries—ever wonder how much information you are sharing on your website? Are there any subdomains that you lost track of? If you don’t audit your DNS, you might not know whether you’re unintentionally leaking information that you might not want out there.

Don’t publish your tools—I’ve seen this time and again. Many MSPs use tools with their clients for issuing tickets, reporting issues, or solving problems. If you directly link your tools to your website, you may be putting yourself at risk of an attack through your tools. I’d advise putting a barrier between your tools and your website.

Prevent brute force attacks—most website hacks begin with a brute force attack or a list of known passwords. The hacker will iterate through a list of known passwords if they have one, or simply start guessing passwords in hopes of finding the right one. If you leave your website login open to unlimited, or even a large number of, password attempts, you are putting your site at risk of an attack. This is also something your prospect could easily check as an example of how you protect your data. It’s a big red flag when a password lockout doesn’t occur after a number of failed attempts.

Audit your certificates—you may think to yourself that you’re using an SSL certificate already, but lately I’ve come across several MSP websites that have accidentally let their SSL certs lapse. If you don’t set reminders prompting you or someone on your team to renew your subscription, you may very well end up in the same boat. The ‘not secured’ icon produced in Chrome or Firefox is alarming and can be the determining factor in a prospect losing interest in you and your brand.

Evaluate your façade—overall, keep tabs on yourself. If you don’t have Google alerts on you, your brand and key people on your team, you should set them up ASAP. Having a sense of what is out on the web about your company can help you control any negative news or misinformation. Be proactive about tracking that news down, make sure to share and promote the good stuff, and figure out how to deal with any negative information as it arises. The more on top of your external presence you are, the more likely prospects and clients are to see you in a glowing light.
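For the certificate audit step above, a scheduled check can flag a certificate before it lapses instead of relying on someone remembering the renewal. The script below is an added example, not something from the original post; the 30-day warning window, the function names and the sample dates are assumptions made for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

WARN_DAYS = 30  # assumed renewal lead time; adjust to your own process


def days_until_expiry(not_after, now=None):
    """Whole days left before notAfter, given the string format used by
    ssl.getpeercert(), e.g. 'Jun  1 12:00:00 2030 GMT'."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    return (expires - now).days


def classify(not_after, now=None, warn_days=WARN_DAYS):
    left = days_until_expiry(not_after, now)
    if left < 0:
        return "EXPIRED"
    return "RENEW SOON" if left < warn_days else "OK"


def fetch_not_after(host, port=443, timeout=5):
    """Connect with normal verification and return the site cert's notAfter."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def audit(hosts, now=None):
    """Map each hostname to OK / RENEW SOON / EXPIRED, or a connection problem."""
    results = {}
    for host in hosts:
        try:
            results[host] = classify(fetch_not_after(host), now)
        except ssl.SSLCertVerificationError as exc:
            # A lapsed or mismatched certificate fails the handshake itself.
            results[host] = f"INVALID ({exc.verify_message})"
        except OSError as exc:
            results[host] = f"UNREACHABLE ({exc})"
    return results


if __name__ == "__main__":
    # Constructed sample dates, not taken from any real site.
    now = datetime(2030, 1, 1, tzinfo=timezone.utc)
    for sample in ("Jun  1 12:00:00 2030 GMT", "Jan 15 00:00:00 2030 GMT"):
        print(sample, "->", classify(sample, now))
    # audit(["www.example.com"])  # placeholder hostname; needs network access
```

Run it from a daily scheduled job against every hostname you publish, and alert on anything that is not OK.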

These tips are only the tip of the iceberg when it comes to website security, and more generally, the security of your team and network. The best way to know if you are safe is to get a third-party security assessment to check up on your cybersecurity posture.