I think it would be a fun video for you and the guys from Huntress (and maybe some others) to do a very high-level top 10-20 tips for best network practices with regard to security. There are certain things that you mention from time to time that some of us have done for a while (no firewall access from regular machines, least-privilege user roles, etc.). But I’m sure there are others that even those of us who’ve been doing it a while will miss.
I’m not in the security business, after all. With that being said, I think we all should be in the business of security. It would do us and our clients a lot of good. I’m a pilot, and I was talking with a fellow pilot who made the statement “I’m not a professional pilot.” What he meant was he didn’t fly corporate gigs or for the airlines. But would you want to get into a plane with a pilot who claims he’s not professional? No. And likewise, would any of our clients really want to hire us if we weren’t security-minded? We may not be a Huntress, but we can all learn to think like them. We can take our jobs seriously, like any professional.
So, again, I’d love to see your tips and dialogue around some of them. I know the concept of least privilege has been a super large thorn for one of my clients. They don’t like the fact that they don’t have access to do everything on their computers with their normal login. It’s a security nightmare. But I could list at least 20-30 different similar items. In the end, it’s the client’s network, but I let them know the risks. And there are some clients (e.g., schools) for which I have a minimum risk chart. I won’t be their MSP if they don’t adopt a minimum level of best practices, because it’s a risk for ME to be THAT provider that had such bad practices that they got hacked. We can’t stop all attacks, but we can make sure that our clients don’t have an open door. Do you have similar minimums?