You know security is important and you spend time educating your customers, so why are your customers more secure than you? Continuing in the spirit of October being Cyber Security month, you should allocate some time to review your own environment for improvements. Here are just a few areas that should raise some concerns and/or questions:
Do your IT staff browse the internet from customer servers?
While Internet Explorer generally takes a beating, just remember that other browsers such as Chrome, Firefox, and their associated plugins have had vulnerabilities from time to time. Best practice is to prohibit use of any internet browser on servers that don’t specifically need it.
Do you store sensitive information in ConnectWise note fields? Device configurations? Service ticket notes?
Passwords shouldn’t be stored in plaintext even in a database, but plenty of IT companies and MSPs are still putting sensitive information in there despite the dangers. Consider an integrated platform like IT Glue to solve these issues.
Do you rotate customer passwords after employee turnover?
I’ve witnessed a number of companies using the same username/password across all their company sites and others who have credentials assigned per customer. No matter the case, you should be rotating passwords to protect your company and the employee who left. Password managers like Thycotic Secret Server can solve this problem easily.
Do your Kaseya or LabTech scripts contain credentials?
If the scripts you wrote contain embedded credentials, then you should know that the scripts can be viewed and/or exported by any user. Start investigating how you can pass credentials into the script via a variable.
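One way to audit exported script text for embedded credentials, as an added example that is not from the original post or from any RMM vendor. The sample script, the `backup.exe` command and the placeholder styles treated as variable references (`%name%`, `#name#`, `@name@`, `$name`) are assumptions; adjust them to your tool's variable syntax.

```python
import re

# Credential-like name followed by "=" or ":" and a value, e.g. $password = "x"
ASSIGN = re.compile(
    r"(?i)\b(?:pass(?:word|wd)?|pwd|secret|api[_-]?key|token)\b\s*[:=]\s*"
    r"(?P<q>[\"']?)(?P<val>[^\"'\s]+)(?P=q)")
# Command-line switch followed by a value, e.g. --password x or /password x
SWITCH = re.compile(
    r"(?i)(?:^|\s)[-/]{1,2}pass(?:word)?\s+"
    r"(?P<q>[\"']?)(?P<val>[^\"'\s]+)(?P=q)")
# Values that only reference a variable supplied at run time (assumed styles)
VARIABLE = re.compile(r"^(?:%\w+%|#\w+#|@\w+@|\$\{?[\w:]+\}?)$")


def find_embedded_credentials(script_text):
    """Return (line_number, redacted_line) for lines holding a literal secret."""
    findings = []
    for number, line in enumerate(script_text.splitlines(), start=1):
        for pattern in (ASSIGN, SWITCH):
            match = pattern.search(line)
            if match and not VARIABLE.match(match.group("val")):
                # Redact the value so the audit report does not leak it again
                redacted = (line[:match.start("val")] + "<redacted>"
                            + line[match.end("val"):])
                findings.append((number, redacted))
                break
    return findings


# Constructed sample: lines 2 and 4 embed a literal, lines 3 and 5 use a variable
SAMPLE_SCRIPT = r'''
$user = "svc_backup"
$password = "Example-Passw0rd!"
$password = $env:SVC_BACKUP_PASS
backup.exe --password Example-Passw0rd! --job nightly
backup.exe --password #svc_pass# --job nightly
'''.strip()

if __name__ == "__main__":
    for number, line in find_embedded_credentials(SAMPLE_SCRIPT):
        print(f"line {number}: {line}")
```

Any credential the audit finds should be rotated as well as moved into a variable, since anyone who could view or export the script has already seen it.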
Test your own security?
Today’s virtualization platforms let you duplicate your production environment into an isolated lab where you can challenge your in-house staff to “hack the lab” using Metasploit, Kali Linux, or any other known safe hacking tools.
Employee laptops encrypted?
What would happen if your employee’s laptop was stolen? Would you be confident they didn’t have any sensitive information? If not, consider using BitLocker with a password as a minimum layer of encryption for their mobile devices.
Just remember your customers depend on you to protect their environments, so your customers will expect your security to be better than theirs!