Cyber security for SME’s – Can your MSP be an attack verctor into your Business


If you remember the old adage from the 70’s and 80’s, the worst car on the road was usually a mechanics.   This use to be routine, but if you now apply that to today’s Internet, is my outsourced IT Support MSP less secure than my own data.   To some businesses this is yes.   It is a sign of business maturity and it is something that comes across in a number of tells when talking to people.

All Managed Service Providers (MSP), the ones who actually know what they are doing, have some type of monitoring and management component on their clients computer systems.   These systems called RMM (Remote Monitoring and Management) are used to manage, monitor and access the computers, servers and mobile devices so that they can do one of three things.

  • Protect the clients against problems with those devices with thresholds and alerts.
  • Make the management of those devices possible remotely.
  • Allow access to them so that they can also support the users.

This component is either manufactured by companies like Kasaya, level platforms, NAble or manufactured in house.   In most cases the software is relatively secure and stable.   But there have been times when it hasn’t.    Most of them are reputable and good at keeping up to date with security patches and updates.

If you have an MSP: what systems are they using to access your information and systems?  An MSP, just in what they are, have access to your most important and critical information.   The problem is how secure are their systems.    Can someone use your MSP as a attack vector to gain access to their clients data?

How secure is the MSP’s access or is it a cyber security nightmare

The relationship between a clients and its MSP is based on TRUST.    That trust is what keeps the relationship going and makes sure that all parties are in a beneficial partnership.

For a client, the trust is based on a number of things:

  • Who in the MSP has access to my systems
  • Who in the MSP has access to my data
  • Is everything being kept up to date
  • Am I being informed about any problems with my system.
  • Are they reputable and keeping that information as secure as you want it kept.

Most MSP’s have a tiered access process within a clients network.   Certain users being able to do only certain things, for instance the help desk only being allowed to see and do minimal levels of administration.   They can see the event logs and can diagnose problems but may need level 2 or 3 access to resolve the problems, which are passed up to level 2 and 3 to complete.   In addition to this, every access is audited, creating a trail for the client to follow.

How secure are the systems

RMM systems have high level access to the clients most precious and critical information, IP and systems, so it is very important that this access cannot be compromised.   One of the things that we do is set up firewall access so that only certain Internet based IP addresses can access the ports on a clients system.    All access is only from those addresses and access to them is only from our own systems.

This creates an in depth protection envelope that is very hard to compromise.   Further to this, access to this system is also very restricted and protected.

Questions to ask your MSP

One of the most important questions that you need to ask your MSP is do they practice what they preach.

  • Do they use the four pillars of  security to protect their systems.
  • Do they use secure processes and procedures to gain access to your site.
  • Do they regularly update their  RMM software.
  • Do they have a number of layers of access before they get to your sensitive data.
  • Do they keep you informed with regular reports.

These type of questions are very important when it cames to making sure that your data is well protected.

Roger Smith, is an educator. Teaching students at ADFA (UNSW) and showing them how vulnerable they are to cybercrime.

He is also CEO at R & I ICT Consulting Services Pty Ltd, an Amazon #1 author on Cybercrime and founder of the SME Security Framework. He is a Consultant who specialises in inexpensive and highly effective security strategies for small and medium businesses and not for profit organisations.

He has developed and authored the SME Security Framework and the Security Policy Training Course which are considered to be the definitive guides to helping SME's protect their organisation using the principles of Technology, Management, Adaptability and Compliance.