Credential Security for Your MSP: Six Best Practices


As an MSP providing IT and cybersecurity services to other businesses, your clients expect you to follow cybersecurity best practices. Your mission is to safeguard the networks, data, and resources of other companies. To be successful, your team must plan, stay organized, and implement a layered approach to cybersecurity so that you can provide safe, reliable services to your clients. Doing so will minimize threats to your own MSP business and ultimately will better protect your clients.

Amber Steel, Marketing Specialist at LogMeIn, parent of LastPass
Author: Amber Steel, marketing specialist at LogMeIn, parent of LastPass

A robust cybersecurity strategy starts with credential security and straightforward best practices. When followed, they will minimize the risk of a potential data breach and reduce the impact of any successful cyberattacks. In addition, your MSP gains oversight of user access, provides users with secure and easy entry to all relevant access points, and simplifies IT management.

Wondering where to get started? Here are six credential security best practices every MSP should be following:

1. Manage User Access With Adjustable Permissions

MSPs often service many clients simultaneously - sometimes hundreds or even thousands. IT personnel need access to networks, databases, apps, cloud services, servers, remote desktops, and more - for every single client. The total number of access points managed by an MSP quickly adds up.

Every one of those access points needs to be controlled, meaning that the MSP needs a way to know who is using them and then take reasonable steps to secure each access point. Managing user access means ensuring the right people have the right level of access to the right things at the right time. Access permissions should be based on role or assigned projects and should be adjustable at a moment's notice. IT should change user access anytime someone joins or leaves the team, changes role, or changes projects.

Software that manages user access helps MSPs see every user in the system (both IT personnel and clients) and all access points in use. They can automate day-to-day management of user access, adjust permissions and policies globally or per user, and assign or revoke access instantly.

2. Add Behind-The-Scenes Complexity to Authentication

A layered approach to user access works best. Don't just rely on simple usernames and passwords. Every access point used - both within your MSP to conduct business and by your clients themselves - is a potential entryway for hackers to exploit.

Multifactor authentication (MFA) uses multiple data points to prove that users are the person they claim to be. In addition to standard credentials or even a single sign-on token, MFA may require users to supply biometrics (like a fingerprint), a code sent to a smartphone, login from a trusted device, or even contextual information gathered behind-the-scenes like a trusted IP address. MFA drastically reduces the risk of a threat actor gaining access to your MSP or a client by requiring additional information that they don't have.

3. Invest In Cybersecurity Training

Regularly review cybersecurity best practices with employees and test their knowledge. Familiarize them with common cybersecurity terminology and fundamentals like not reusing or sharing passwords. Simulate phishing, malware attacks, social engineering, and other threats whenever possible.

By teaching employees to recognize these threats, they're far less likely to fall victim to an attack, and they'll more readily report suspicious activity. Everyone - not just IT personnel - needs to be trained in cybersecurity best practices, from HR to executives to the summer intern. Hackers will usually look for the easiest target, so every employee needs to be vigilant.

4. Create a Patch Management Strategy

Software and hardware vendors regularly release updates to their apps and operating systems. These updates usually include security and bug fixes or "patches." Those updates prevent hackers from exploiting vulnerabilities to steal data or gain a foothold in a company.

Staying on top of these updates is crucial. If you or your clients are running outdated apps or operating systems with known vulnerabilities, you've become a much easier target. That said, you'll likely need to have a testing environment to ensure any updates won't cause issues for internal IT personnel or clients.

Create a process to check for and run updates on a regular schedule. You'll need to start by inventorying all devices in use - both for you and for clients. Some tools may require manual updates, but often patch management can be centralized and automated with patch management software.

5. Update and Enforce Your Password Policy

Does your organization have a password policy? A password policy typically states how employees should create and handle passwords and requires semi-regular password rotation. When was the last time you reviewed your MSP's password policy? And do you enforce the policy, or is it an empty demand?

Your password policy should reflect your MSP's commitment to credential security. Require that every password in use is unique and strong (16+ mixed characters). Users should only share passwords in an encrypted, secure format - not over email, SMS, chat, or any other insecure channel. Rotate passwords once a year or when a security incident requires it; using MFA reduces the need to burden users with frequent password rotation.

Once IT agrees on the updated password policies, document them in employee handbooks and resources. Communicate policy updates clearly and train users occasionally on best practices. To enforce compliance with password policies, consider a password manager. IT can set policies and requirements via the password manager, which then builds in the correct password behaviors as users create, store, and use their login credentials.

6. Manage Passwords With Secure, Encrypted Storage

Given the volume and importance of the passwords managed by MSPs, a password manager is highly recommended. A password manager is not only a secure repository for users to store and encrypt credentials. It's also a platform for centralizing oversight of all credentials in use by all users and enforcing good password hygiene for all accounts. The password manager saves, recalls, and fills passwords for the user, removing much of the tedium and mistakes inherent in password use. In short, a password manager is a crucial tool for MSPs.

With a password manager, especially one tailored to the unique needs of an MSP, you can ensure the correct client passwords are accessible to the right IT personnel. Down to the user level, you can see who has access to which passwords and whether those passwords meet company password policies. A password manager also creates a foundation to build and expand upon the above-mentioned best practices.

Following credential security best practices will better protect your MSP's infrastructure from cyber threats. You'll also better safeguard clients from cyber attacks and minimize common password pitfalls.

LastPass provides MSPs a tailored solution to create and execute a credential security strategy that works for IT personnel and clients alike. Learn more about the benefits of using LastPass as an MSP.

Amber Steel is marketing specialist at LogMeIn, parent of LastPass. Read more LastPass guest blogs here.