Misconfiguration remains the most common IT mistake made by small and medium businesses (SMB), PAV IT services managing director Jason Fry told SC Media UK.
"When I say misconfiguration, it is really things such as weak passwords, leaving devices configured with default usernames and passwords, not locking down your credentials or services that don't need to be running. You can eliminate an awful lot of the threats just by doing those very basic things right," the MSP executive said, discussing SMB security on the sidelines of DattoCon Paris last week.
"Most of the security breach instances can be avoided by doing something that's really simple: basic hygiene around configuration, around password management, device access. It's really super simple stuff. And if you've got that covered off, you take yourself out of the category of low hanging fruit. Attackers then typically move on to something which is easier to get into," he told SC Media UK.
The process of assessing and updating security starts when the MSP engages with a new customer, he said.
"Whenever we engage with a new customer, we go through an onboarding process. It is very important to us to understand a lot about that customer, more than just what hardware and software they have, but also how they use that in their business," Fry said.
"We try to analyse and understand their business process as well as their technology. And as part of that, we try to assess what their security risks might be, and also what their current security maturity is, and what their appetite to it is as well."
Risks of security incidents usually fall into two categories - opportunist ransomware attacks where the SMB just happens to be in the line of fire, and targeted impersonation attacks where the attacker strikes the business after stalking them for a while.
"We've seen quite a lot of impersonation attacks where they are trying to impersonate people within the business to divert funds. Attackers intercept the target’s communication and then impersonate the solicitor, or the lawyer, and trick the individual client into sending funds into a different bank account."
Customers quite often come with very low maturity in security, with no or improper understanding of the risks. The MSP has to step in and make them aware about those risks and the steps to be taken to mitigate them.
"We don't say ‘you have to do this immediately’, because we recognise that increasing that maturity costs money, and it takes time. And it's disruptive to the business. So we sort of report back to the customer where we think they could make improvements. And then we try to set out a strategy with them, to get them to a better place," he said.
Another bone of contention is patching, observed Fry.
"Whenever you're patching, you're impacting the business. You're potentially taking the systems down to apply those patches, which means disruption. There is also risk because that patch could upset the equipment or the software and introduce a problem, which further impacts the business," he explained.
Patching becomes an inconvenience when you apply a patching policy to an environment without consideration of its impact to the end user, said Ryan Weeks, chief information security officer at Datto Inc.
"We build tools for MSPs. They go and tell the end customer that they're going to manage patching and the end customer says ‘okay, but I don't want downtime’. Our solutions allow them to schedule patching into times of the day when it's more acceptable for the end user," he told SC Media UK.
When it comes to MSPs, misconfiguration of the remote monitoring and management (RMM) software also poses a sizeable threat, observed Weeks.
"RMM is a double edged sword. They're a completely necessary tool for MSP to manage their end customers. But if improperly managed or maintained, they could also become a liability because it becomes a built-in command and control infrastructure for an attacker," he said.
"I don't think there is one right solution for patching for everyone. MSPs need flexibility. We focus on providing flexible solutions with MSPs at the centre."
The right process is about finding the right sort of balance of risk and disruption that fits well with that customer, agreed Fry.
"You don't need to spend hundreds of thousands of pounds on the very best security products and technologies, when really you can give yourself a very good level of protection by following the basic steps: patching, hygiene rules of disabling and deleting accounts that aren't being used anymore, and not leaving things as default," Fry said.