Top 10-20 Secure Network Tips

I think it would be a fun video for you and the guys from Huntress (and maybe some others) to do a very high-level top 10-20 tips for best network practices with regard to security. There are certain things that you mention from time to time that some of us have done for a while (no firewall access from regular machines), least-privilege user roles, etc. But I’m sure there are others that even those of us who’ve been doing it a while will miss.

I’m not in the security business, after all. With that being said, I think we all should be in the business of security. It would do us and our clients a lot of good. I’m a pilot and I was talking with a fellow pilot who made the statement “I’m not a professional pilot.” What he meant was he didn’t fly corporate gigs or for the airlines. But would you want to get into a plane with a pilot who claims he’s not professional? No. And likewise, would any of our clients really want to hire us if we weren’t security-minded? We may not be a Huntress, but we can all learn to think like them. We can take our jobs seriously, like any professional.

So, again, I’d love to see your tips and dialogue around some of them. I know the concept of least privilege has been a super large thorn for one of my clients. They don’t like the fact that they don’t have access to do everything on their computers with their normal login. It’s a security nightmare. But I could list at least 20-30 different similar items. In the end, it’s the client’s network, but I let them know the risks. And there are some clients (e.g. schools) for which I have a minimum risk chart. I won’t be their MSP if they don’t adopt a minimum level of best practices, because it’s a risk for ME to be THAT provider that had such bad practices that they got hacked. We can’t stop all attacks, but we can make sure that our clients don’t have an open door. Do you have similar minimums?

Thoughts?


Within this forum I’m sure many are interested in getting to a secure level and remaining there, including myself. Security, networking etc. is a niche area for a very few.

However, on the home front the majority of users don’t care; they simply want the easiest solution to get online, and whether they are tracked, cracked or hacked is not something that keeps them up at night. They should simply spend the money on Apple products and they will have a good degree of security but no money in their account.

For sure businesses don’t care about security; they see it as a cost. I’ve seen MDs barely keep their eyes open when elliptic curves are discussed, and if the CISO doesn’t understand the technology then it’s obvious the business won’t. To also be fair, security is never their core business, so why would they be interested? Expand a division to increase sales or invest in hardware security modules, which would they pick?

Having worked across Europe in various disguises, professionalism is really the difference between being 100% right and 100% terminated or “Yes Boss” :slight_smile:
Personally if I encounter competency then I know a conversation can be had.

Might be an interesting topic to cover.

I would agree that there is a lack of desire to be secure, but with many of my clients, it’s an educational issue. The level of effort I put in depends on the client, but at least in my experiences so far, once I spend the time to educate them on what security risks are out there, they really adopt a security mindset. One of the things I do is really customize my talk to their business, showing real examples of how security events have impacted their types of businesses, as well as the costs or impacts from those events.

For some, having adequate backups is good enough for them. We leverage FreeNAS shadow copies for one level, and multiple off-site, offline backups for secondary efforts. Those clients are really not worried about any real-time impact. For others (schools, certain point-of-sale businesses), downtime is critical, as well as public perception. Those mitigations are much more significant, and it’s interesting and even fun for some of them to do the assessments.

We even had one client a couple of years ago who wanted to do a risk-walkthrough. After about 10 minutes, they stopped us and invited some of their key folks to come and do the rest of the walkthrough. Their response was so significant that we’ve adopted that practice and offered it as an option going forward. When the client learns to identify issues and think in security mindset, they can be your best allies. We’ve been very fortunate, and I hope that continues.

But I’d be foolish to think we know it all. This stuff changes so much, I’m constantly worried about what I don’t know. I hope Tom and the team take this up. I think many of us would get a lot of benefit.

Maybe they could do a follow up video on best practices to get customers onboard with these security practices.

I like this idea. But I must say that especially in a small business setting, it’s often the “soft” security factors that clients get bitten on.

Yes, firewall rules, segmentation, etc. are very important. But let’s look at a typical SMB. In my professional experience, you can drastically reduce their risks with:

  • User security awareness training
  • Email measures such as filtering, warning for certain attachments, phishing prevention, etc.
  • Strong passwords
  • Installing updates and patches promptly
  • Strong BYOD and remote work policy

Not as much fun as doing some hardcore networking, and of course “hard” security is needed too. But this is the stuff that is lacking in the SMB community, in my experience.

Shameless plug, I’ve just written this report on some softer security factors. It’s aimed at a non-technical audience, but it might be of interest.
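As a concrete illustration of the least-privilege point raised earlier in the thread (and the "soft" controls listed above, which only hold if someone actually checks them), here is an added example that is not from the original posts: a small audit that parses the output of `net localgroup Administrators` on a Windows workstation and flags every member that is not on an approved list. The approved-admin names and the sample command output are constructed for the example, not taken from any real environment.

```python
"""Least-privilege audit: who is in the local Administrators group?

Added example, not code from the thread.  The approved list and the
sample `net localgroup Administrators` output below are constructed
assumptions; on a real Windows host you would feed in the live output
(see main()).
"""
import os
import subprocess

# Assumption: only the built-in Administrator account and one domain
# group are supposed to hold local admin rights on a standard workstation.
APPROVED_ADMINS = {"Administrator", "CORP\\it-admins"}

# Constructed sample output in the format `net localgroup` prints.
SAMPLE_OUTPUT = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\it-admins
CORP\\jdoe
jsmith
The command completed successfully.

"""


def parse_localgroup_members(text):
    """Return the member names listed after the dashed separator line."""
    members = []
    in_members = False
    for line in text.splitlines():
        entry = line.strip()
        if not in_members:
            # Everything before the '----' line is header text.
            if entry.startswith("---"):
                in_members = True
            continue
        # The member list ends at a blank line or the trailer message.
        if not entry or entry.startswith("The command completed"):
            break
        members.append(entry)
    return members


def unexpected_admins(members, approved=APPROVED_ADMINS):
    """Members not on the approved list (Windows names are case-insensitive)."""
    approved_lower = {name.lower() for name in approved}
    return [m for m in members if m.lower() not in approved_lower]


def collect_live_output():
    """Run the real command on Windows; fall back to the sample elsewhere."""
    if os.name != "nt":
        return SAMPLE_OUTPUT
    result = subprocess.run(
        ["net", "localgroup", "Administrators"],
        capture_output=True, text=True, check=False,
    )
    return result.stdout


def main():
    members = parse_localgroup_members(collect_live_output())
    offenders = unexpected_admins(members)
    if offenders:
        print("Unexpected local administrators:")
        for name in offenders:
            print("  ", name)
    else:
        print("Local Administrators group matches the approved list.")


if __name__ == "__main__":
    main()
```

Run it from a scheduled task or your RMM and alert on non-empty output; the "user wants to install games" case from later in the thread shows up here as a named account the client can be asked about, rather than as an abstract policy argument.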

Installing patches is a very important step; you’d be surprised how often this step is skipped and the system then gets attacked 6 months later. I have a specific case but shouldn’t go into detail.

For now, least privilege is so important… When I first started as an IT technician we had some users who had admin access and could install all the games they wanted or download movies, haha. I miss the old days.