As a trusted technology provider and business advisor, your MSP has some serious horsepower. It’s why Matt and I are constantly talking about the importance of locking down your own house. You, the IT provider, could wreck livelihoods if something went drastically wrong.
However, for all these technical security measures we’re always discussing, something seems to often get missed: human security. As an MSP, your brand carries serious weight with your customers. If someone calls your customer, or shows up rocking ‘company swag,’ would your clients know who belongs?
The Phone Based Attack
This attack is simple. I can peruse your site for case studies (critical marketing material) and call up those customers. “Hey, I’m Dom from such and so IT and I need to look at your PC.” I think, more often than not, I’d be in! Why? Because your brand conveys trust and carries weight. Have you thought of this attack vector? If not, now’s the time! Here are a couple of things I’d consider:
- Set expectations for how you get in touch.

Obviously, calling clients is normal. Maybe, in your operation, you wouldn’t be calling for access if you don’t have an active ticket. The customer could ask for their ticket number. Alternatively, you can use a non-generic remote access tool with dedicated URLs (like CW Control) and tell clients that they should only ever be asked to go to remote.yourdomain.com. I used the latter approach, as I was moving away from persistent remote access on workstations. Also make it clear that you will never ever ask your users for their password, ever (at least I hope you won’t).

- Empower your clients.

It is insanely easy to spoof a number. Two seconds and ten cents, and I can call from any DID I want. I always told clients that they can absolutely hang up and call us back, to make sure they’re actually talking to us.

Point being, your clients should never trust anyone calling them and saying they’re from your MSP. The attack is just too easy.
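The “only ever go to remote.yourdomain.com” rule above is only as good as the check behind it, because a look-alike link can put the real name in front of an `@`, use it as a subdomain of someone else’s domain, or switch to plain HTTP. This is an added example, not code from the original post; it assumes the placeholder host remote.yourdomain.com from the post and a hypothetical `classify` helper that tells a client what to do with a link they were given.

```python
"""Added example (not from the original post): decide whether a URL a client
was told to open really points at the MSP's dedicated remote-access host."""
from urllib.parse import urlsplit

# The single host clients are told to trust (placeholder from the post).
EXPECTED_HOST = "remote.yourdomain.com"


def is_expected_remote_url(url: str, expected_host: str = EXPECTED_HOST) -> bool:
    """Return True only when url points at exactly expected_host over HTTPS.

    Covers the usual look-alike tricks: a bare host with no scheme, 'user@'
    credentials placed before the real host, the expected name used as a
    subdomain of another domain, mixed case, and a trailing dot.
    """
    if "://" not in url:
        url = "https://" + url  # a bare 'remote.yourdomain.com' is acceptable
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False  # plain HTTP or another scheme is never the real portal
    host = parts.hostname  # drops any 'user:pass@', port number and brackets
    if not host:
        return False
    return host.rstrip(".").lower() == expected_host.lower()


def classify(url: str) -> str:
    """Hypothetical helper: a one-line instruction for the person holding the link."""
    if is_expected_remote_url(url):
        return "trusted"
    return "hang up and call the MSP back on the number you already have"


if __name__ == "__main__":
    # Constructed sample links a client might be asked to open.
    for link in ["remote.yourdomain.com/session/1234",
                 "https://remote.yourdomain.com@evil.example/",
                 "https://remote.yourdomain.com.evil.example/",
                 "http://remote.yourdomain.com/"]:
        print(f"{link}: {classify(link)}")
```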
The Physical Attack
This one is a little more brazen, but it still happens all the time. It’s the classic ‘appear to belong’ tactic. Throw on an orange vest, hard hat, and carry a clipboard. You’ll find yourself getting into a lot of places. Same goes for your brand. I can grab a copy of your logo online, and have a polo made up for $30 or less. Suddenly, I look very much like the “new guy.” I can walk in and drop WiFi pineapples, packet sniffers, install malware on machines, or whatever I want. Here are a few things to consider to prevent that:
- Set expectations.

If you plan on going on site, schedule it! That way they know who is coming and when.

- Issue credentials.

A classic option is to have good-looking employee IDs made up that your team can wear. It can of course be faked, but it’s harder to accomplish than printing up a shirt.

- List your team online.

You should be proud to show off the rockstars you have working for you. Put them on your website and tell clients where to go to make sure someone is actually on the crew.

- Use paperwork.

From time to time, I utilized one-off contractors to get something done. Perhaps it was looking at a network drop or something to that effect. In those scenarios, the contractor had paperwork that showed they’re supposed to be there, the client knew who to expect, and had matching paperwork to verify.
Your brand is the core identity of your business, and it carries trust. Threat actors can abuse that trust to gain access to your clients’ infrastructure, and in doing so completely erode it. As you harden down on your technical house, be sure to harden down on your people house too.