When you outsource your IT needs to Managed Service Providers (MSPs), you hand over control of critical internal systems and administrator accounts. With that level of access, MSPs inevitably manage many client credentials - often hundreds or thousands of them. With privileged access to customer systems and countless passwords, your MSP is an attractive target for hackers looking to get “the keys to the kingdom.” Password management is therefore critical for MSPs looking to ensure credentials are correctly kept track of and protected.
How hackers target MSPs
Hackers target MSPs with a range of cyberattacks that attempt to gain access to accounts, networks, and databases. With the rise in remote work, hackers take advantage of employees beyond the traditional purview of IT.
Password spraying, for example, is a type of brute-force attack where hackers try to log in to lots of different user accounts using a single password guess. Then they rotate through all the user accounts again with a second password guess, thereby avoiding detection by many account-lockout settings. Strong, unique passwords are a deterrent for password spraying.
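One way a defender could spot the pattern described above in authentication logs, as an added example that is not part of the original article: it flags a source whose failed logins fan out across many accounts while each account sees only a few failures. The log format, thresholds and function names are assumptions, and the sample events are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample auth events (assumed format): time, source, user, result.
SAMPLE_LOG = """\
2024-05-01T09:00:00 198.51.100.9 alice FAIL
2024-05-01T09:00:05 198.51.100.9 bob FAIL
2024-05-01T09:00:09 198.51.100.9 carol FAIL
2024-05-01T09:00:14 198.51.100.9 dave FAIL
2024-05-01T09:00:20 198.51.100.9 erin FAIL
2024-05-01T09:40:00 198.51.100.9 alice FAIL
2024-05-01T09:40:06 198.51.100.9 bob FAIL
2024-05-01T09:02:00 192.0.2.44 frank FAIL
2024-05-01T09:02:10 192.0.2.44 frank FAIL
2024-05-01T09:02:20 192.0.2.44 frank FAIL
2024-05-01T09:03:00 192.0.2.44 frank OK
"""

def parse_events(text):
    """Yield (timestamp, source, user, result) from whitespace-separated lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, user, result = line.split()
        yield datetime.fromisoformat(ts), source, user, result

def detect_spray(events, window=timedelta(minutes=10), min_accounts=5, max_per_account=2):
    """Return {source: usernames} for sources whose failed logins fan out across
    many accounts while each account stays under a lockout-style limit."""
    failures = defaultdict(list)
    for ts, source, user, result in events:
        if result == "FAIL":
            failures[source].append((ts, user))
    flagged = {}
    for source, items in failures.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            # Count failures per account inside the window opening at this event.
            per_user = Counter(u for t, u in items[i:] if t - start <= window)
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                flagged[source] = sorted(per_user)
                break
    return flagged

if __name__ == "__main__":
    for source, users in detect_spray(parse_events(SAMPLE_LOG)).items():
        print(f"possible password spray from {source}: {len(users)} accounts {users}")
```

Repeated failures against one account (the `frank` lines) are not flagged here, because per-account lockout already covers that case; the spray pattern is the one lockout settings miss.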
Credential stuffing, on the other hand, leverages usernames and passwords leaked in a data breach. Because people frequently reuse passwords, hackers can use the leaked usernames and passwords and automate the guesses to check which logins will work. Again, unique passwords for every account can mitigate this standard cyber attack.
Ransomware is a popular choice: hackers exploit known vulnerabilities to deploy malicious software on company computers, or trick employees into clicking a download link. Hackers hold the data hostage until the victims pay a ransom or an organization complies with a hacker’s request. Not only is training on phishing necessary, but properly managing and securing passwords also reduces the likelihood that someone can gain a foothold in the system to deploy ransomware.
These types of automated attacks are common. Usually, hackers are looking for easy hacks that can be programmed with software and require little work on their part. But if hackers know an MSP provides a service to a particular company, they may intentionally target that MSP to find a way into their customer’s system. For example, several years ago, hackers broke into a third-party vendor and stole Target’s network credentials used by that vendor. The result was one of the largest data breaches up to that date and a lengthy, costly lawsuit.
Why MSPs need a password manager
Given how attractive MSPs are as a target and the range of tactics hackers employ to steal data from MSPs, you should confirm that your MSP is indeed using a password manager. Achieving strong security means thinking about how an attacker may find a way in, and how MSPs can inadvertently supply that access. It’s not enough to document credentials in a password-protected spreadsheet.
Enterprise password management software not only captures and encrypts all credentials in use to manage client services, but it also facilitates secure and encrypted password sharing among team members while tying actions to individuals. That last part is essential because it maintains accountability and a “paper trail” for auditing purposes.
An MSP is critical to their clients’ daily operations, with access to lots of sensitive data. MSPs should therefore make reasonable efforts to mitigate the risk of breach and reduce any possibility of downtime. A data breach can suspend operations for hours or days, and it can, of course, result in lost customers, poor PR, legal fees, lost revenue, and other damage to the business.
Next steps for MSPs
Any MSP providing services to clients needs to have enterprise password management (EPM) software in place.
An EPM solution tracks password security across all MSP employees. Features like a built-in password generator, secure credential storage, and automatic credential filling help the MSP use strong, unique passwords to protect both the MSP’s systems and their clients’ systems.
Passwords can be securely shared with clients and colleagues via the password manager while maintaining high security standards with encryption and reporting. Usage of the password manager features and improvement of password security over time can be centrally tracked and administered.
In summary, an EPM solution takes many of the annoyances out of passwords for MSPs while helping them provide the highest levels of password security for their clients.
LastPass provides MSPs a tailored solution that offers visibility and control over every access point of their clients’ businesses via a unified admin console. If your MSP is ready to tackle password security, learn more about our business solutions and the benefits of using LastPass as an MSP.