Microsoft is celebrating 20 years of Trustworthy Computing. It started as an initiative by Bill Gates to put security first. When you throw a few tens of thousands of employees at a single problem you can get some stuff done, and they did. The improvement in security was immediately noticeable. Fast forward 20 years, though, and almost no one actually feels safer.

Author: Amy Babinchak, MSP, IT Influencer, & President of the National Society of IT Service Providers

Security was such a new concept at the time that there were no consistent product lifecycles and no Patch Tuesday. There's no doubt that security has come a long way.

The problem is that at the same time the software and hardware industry was growing up and maturing, so too was digital organized crime. Malicious hacking went from a lone operator in his basement to fully mature corporations with technical support for victims having trouble figuring out how to pay a ransom.


On the Facebook Group, Ransomware, Security, Compliance and Privacy, a quote from Microsoft’s article was posted as a poll:

“But by constantly refining and improving security as threats evolve, the world is far more secure today than it was 20 years ago”

The spread of the results pretty much says it all.

MSPs grew up around security and we saw ourselves as the ones who were going to save the client from "the bad guys". On premises, we implemented folder hierarchies and applied security groups to them; we backed up the data, and we installed edge firewalls and agents on the computers to protect against viruses and aid in monitoring for problems.


But just like Microsoft, whose customers don't feel safer, our clients don't feel safer either, despite our efforts. Cyber security is in the news every day, and it scares people because it isn't a FUD sales technique; it's real. 20 years on, and we've made people feel less secure.

How do MSPs turn that around?

Security used to be implemented by the IT pro at the most basic level: we protected the edge with a firewall and the PC with an anti-virus suite, and we leaned on NTFS permissions and password change requirements. The more advanced MSPs used Group Policy and eventually PowerShell scripts. I'm sad to write that most have still not moved beyond these old tools, even though on-premises infrastructure has declined and is by now non-existent for many businesses.


I still walk into businesses with no on-premises infrastructure and find that they've been sold an edge firewall. Why do the laptops need protecting with an edge firewall when they are in an office but not when they are at Panera Bread or at the employee's home? What is it about the office suite number that says, "We need an edge firewall"?

We need a new paradigm for security. A new set of best practices that might not include installing anti-virus on the computer and a firewall in the office suite. We need a paradigm where a secure computing environment just follows you wherever you are on whatever device you happen to be using.

This view of security has three major components to consider: Data, Identity, and Devices. It doesn’t care about perimeters, but it does have a dependency on educated end-users.

End-user as security partner

I felt you bristle when you read that we’ve got a dependency on “an educated end-user”. That same poll I cited earlier has a bunch of comments on it and among them is the fatalist statement below.

IT professionals seem overwhelmed and resigned at the same time. No matter what we do, the users will let the criminals in. I think that this fear comes from fatigue. Fatigue from the fight and fatigue from trying to keep up with the rate of change.

If we acknowledge that IT professionals are overwhelmed and fatigued, can we imagine for a moment how the end-user must feel? If they are concerned about security, they probably feel helpless and that makes them entrenched and afraid of change. Better the familiar evil you’ve convinced yourself won’t notice you, than the unknown evil that has the power to bankrupt the company you work for.


When I think of security I don't think about it from the outside in. I think about it from the inside outward, and in the cloud the inside is the data. Every security move is about data. Keeping our eye on the prize, the things of value, our data, is what will focus our efforts, but we can't be the only ones making those efforts. We need end-users as our security partners.

And how will that happen?

Will they just absorb the knowledge of how to do that from the ether? No, they have to be trained. This makes job number one training the end-user on how to interact with data securely. That’s a conversation that IT professionals rarely have with the people behind the keyboards but it’s one that a modern MSP must engage in.

4 realities for the modern admin

1.   Never trust, continuously verify

Taking a look at our end-user security partners, we have to decide if we trust them. Of course, we don’t. This isn’t a trust but verify world anymore. It’s a don’t trust and continuously verify world. We need an educated end-user, just like we need to be educated ourselves, but no one should trust either of us, because we might not be ourselves.

We are going to stop treating our users as if they are stupid, but we need to start treating them like the criminals they might be. To do that, we have to continuously monitor their behavior in our environment so that we can be certain at every moment that they are still who they say they are. That behavioral monitoring can't be just what files they open; it also needs to include a holistic picture of activity from authentication, location, device, and sharing. A sign-in from a familiar device in the usual country at the usual time is not the same event as the same credentials arriving from an unregistered phone on another continent, and the system has to treat them differently. Building a profile of user activity is the only way to make sure that they are who they say they are.

2.   Wherever the data goes, we must go

Most admins have been taken aback at seeing the number of devices in their Azure AD. Unlike on-premises AD, Azure AD lists every device that has registered with the tenant, including the personally owned ones that users register when they add a work account. My own small MSP of 7 people had 51 devices listed last time I checked. We might be an MSP full of techs, but there's nothing special about the number of devices that are accessing our data in some way. It's perfectly normal for users to have multiple devices.

End-users know how to add an email profile to their smartphones. If they don't personally know how, they'll get a family member to do it for them. If they are a Microsoft 365 user, that also gives them OneDrive on that same phone. So now we have personally owned devices with access to corporate email and data.

If you aren’t yet assuming that there are devices you don’t control that are accessing corporate data, you should. One of my consulting clients recently told me, “We don’t touch personal devices” and I responded that he should give that a rethink. As MSPs, we have to keep our eye on the prize and the prize is the data. Wherever the data goes, we must go. It doesn’t make sense to throw up your hands just because the data left the corporate-owned space, that the data did leave that space should be shrugging up alert flags, not your shoulders.

3.   Expire all sharing

Thankfully, data controls aren't what they used to be, because they used to be non-existent once the user was authenticated. We couldn't honestly say that we were protecting data, because in reality we never did.

In the simplest terms, once we train users to share links to files rather than the files themselves, we can set an expiration on that share and run reports on external sharing so we know where the data went. The difference matters: an emailed attachment is a copy that is outside our control the moment it is sent, while a link is a grant of access that can expire, be revoked, and be audited. It can get a lot fancier, but first there's a larger problem.
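What "set an expiration and run reports" looks like at the tenant level, as an added example rather than anything from the article: the script below uses the SharePoint Online Management Shell to make expiring, view-only, internal-by-default links the tenant standard, lists the sites that still permit anonymous links, enumerates the external users who already have access, and then pulls the last 30 days of sharing events from the unified audit log through Exchange Online PowerShell. The tenant name contoso, the 30- and 60-day windows, and the output file name are placeholders chosen here.

```powershell
# Added example (not the article's code): enforce link expiry tenant-wide and
# report where data has gone. Assumes the Microsoft.Online.SharePoint.PowerShell
# and ExchangeOnlineManagement modules are installed and the caller is a
# SharePoint admin with audit log search rights. 'contoso' is a placeholder.
Connect-SPOService -Url https://contoso-admin.sharepoint.com

# 1. Tenant defaults: links default to "people in your organization" and view-only,
#    "Anyone" links expire after 30 days, and guests who have not re-authenticated
#    in 60 days lose access. Individual sites can only be stricter than this.
Set-SPOTenant -DefaultSharingLinkType Internal `
              -DefaultLinkPermission View `
              -RequireAnonymousLinksExpireInDays 30 `
              -FileAnonymousLinkType View `
              -FolderAnonymousLinkType View `
              -ExternalUserExpirationRequired $true `
              -ExternalUserExpireInDays 60

# 2. Sites (including OneDrives) that still allow anonymous links: review these first.
Get-SPOSite -Limit All -IncludePersonalSite $true |
    Where-Object SharingCapability -eq 'ExternalUserAndGuestSharing' |
    Select-Object Url, SharingCapability, Owner

# 3. Who outside the tenant already has access, site by site.
Get-SPOSite -Limit All | ForEach-Object {
    $site = $_.Url
    Get-SPOExternalUser -SiteUrl $site -PageSize 50 |
        Select-Object @{n='Site';e={$site}}, Email, AcceptedAs, WhenCreated
}

# 4. Sharing events for the last 30 days: every link created or permission granted,
#    with the file and the recipient, from the unified audit log.
Connect-ExchangeOnline -ShowBanner:$false
$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
            -RecordType SharePointSharingOperation `
            -Operations SharingSet,AnonymousLinkCreated,SecureLinkCreated,SharingInvitationCreated,AddedToSecureLink `
            -ResultSize 5000

$events | ForEach-Object {
    $a = $_.AuditData | ConvertFrom-Json          # AuditData is a JSON string per record
    [pscustomobject]@{
        When      = $_.CreationDate
        Operation = $_.Operations
        By        = $a.UserId
        File      = $a.ObjectId
        Recipient = $a.TargetUserOrGroupName
        Type      = $a.TargetUserOrGroupType      # Guest, Member, SecurityGroup, ...
    }
} | Where-Object { $_.Operation -eq 'AnonymousLinkCreated' -or $_.Type -eq 'Guest' } |
    Sort-Object When -Descending |
    Export-Csv .\external-sharing-30d.csv -NoTypeInformation
```

Step 1 changes defaults for new links only; links that already exist keep whatever permission and lifetime they were created with, which is why steps 3 and 4 exist. Search-UnifiedAuditLog returns at most 5000 records per call, so a busy tenant needs the `-SessionId`/`-SessionCommand ReturnLargeSet` paging that cmdlet provides, or a narrower date range.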

If your memory stretches back far enough, to 2007, that's when data protection started to change. 2007 is when .docx and the rest of the Office Open XML formats were introduced. It wasn't just a random change. The new container is what today's file security feature set is built on. A .docx cannot carry macros at all; a macro-bearing document has to be saved as .docm, which makes it easy to spot and easy to block. Sensitivity labels, and the DLP and compliance policies that act on them, only apply to files in the Office Open XML format; the old binary .doc cannot be labeled. With those labels, data stays under the control of the person who created it even after it is shared. That protects the business from mistakes in data sharing, from compliance liability, and from privacy violations. That's huge. And yet there are businesses out there still using .doc! Sorry, but that's a lazy admin problem. In 2017, I wrote an article that pointed out that it had been 10 years and you need to convert those files. In 2022, I could write the same article, only now I have to point out that it's been 15 years and most admins still haven't done the work.

Our security partners can't do the right thing if we haven't first made it possible for them.
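Doing the work looks like this. The script below is an added example, not the article's or the author's code: it inventories the legacy binary Office files on a share and converts the .doc files with Word's own save-as, with Word automation set so that no macro can run during the conversion, and with any document that actually contains a VBA project saved as .docm instead of .docx so the macros are preserved for review rather than silently dropped. It assumes Word is installed on the machine running it, that the account running it can read the share, and that the share path and output file name are placeholders to be replaced.

```powershell
# Added example (not the article's code): inventory legacy binary Office files and
# convert .doc to .docx (or .docm when a VBA project is present) via Word COM.
# Assumes Word is installed locally; $Root is a placeholder share path.
param([string]$Root = '\\fileserver\shared')

$legacy = Get-ChildItem -Path $Root -Recurse -File -Include *.doc,*.xls,*.ppt -ErrorAction SilentlyContinue
"Legacy binary Office files found: {0}" -f $legacy.Count
$legacy | Group-Object Extension | Select-Object Name, Count

$word = New-Object -ComObject Word.Application
$word.Visible = $false
$word.DisplayAlerts = 0            # wdAlertsNone: never stall on a dialog
$word.AutomationSecurity = 3       # msoAutomationSecurityForceDisable: macros never run while we convert

$wdFormatXMLDocument             = 12   # .docx, macro-free
$wdFormatXMLDocumentMacroEnabled = 13   # .docm, keeps the VBA project

$results = foreach ($f in $legacy | Where-Object Extension -eq '.doc') {
    try {
        # Open read-only so a locked or corrupt file fails here instead of halfway through.
        $doc = $word.Documents.Open($f.FullName, $false, $true)
        $hasMacros = [bool]$doc.HasVBProject
        $ext = if ($hasMacros) { '.docm' } else { '.docx' }
        $fmt = if ($hasMacros) { $wdFormatXMLDocumentMacroEnabled } else { $wdFormatXMLDocument }
        $target = [IO.Path]::ChangeExtension($f.FullName, $ext)
        $doc.SaveAs([ref]$target, [ref]$fmt)
        $doc.Close($false)
        [pscustomobject]@{ Source = $f.FullName; Target = $target; Macros = $hasMacros; Status = 'converted' }
    } catch {
        [pscustomobject]@{ Source = $f.FullName; Target = $null; Macros = $null; Status = "failed: $($_.Exception.Message)" }
    }
}

$word.Quit()
[void][Runtime.InteropServices.Marshal]::ReleaseComObject($word)

$results | Export-Csv .\doc-conversion.csv -NoTypeInformation
# Every .docm produced here is a document that was quietly carrying code; each one needs a human decision.
$results | Where-Object { $_.Macros } | Format-Table Source, Target -AutoSize
```

The originals are deliberately left in place so that the converted copies can be spot-checked before the .doc files are deleted, and the .docm list is the security deliverable: those are the files that were executable content the whole time. The same pattern, with Excel.Application and xlOpenXMLWorkbook (51), handles the .xls files the inventory turned up.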

4.   Everyone needs to get on the train

My MSP is an outlier, in the best sense of the word. We're good, we're profitable, and we're award-winning. We get there by constant training. Internal tech training happens every other week. Except for next week, when we're training every day toward a certification. We've been doing that for a couple of decades. And yet when I interview new potential staff, I've yet to have one tell me that they got any training from their previous employer. This lack of training shows up in things like the continued existence of .doc files, the exploitation of MSPs who don't use MFA, and the resistance to change in general. If we're resisting training ourselves, how will we ever get clients to adopt a regular training schedule?

Everyone needs to be on the training train or get run over by the change that's coming. This week, Google called an end to the free legacy edition of G Suite, a service it closed to new signups back in 2012! The outcry in the MSP forums was loud. Seriously? MSPs left clients on a discontinued service for the last 10 years. Seems like an ethical problem to me, but I'm sure that they have their reasons. The change train is coming and it's picking up speed, and these types of changes are going to rain down hammers on those who aren't on board. More MSP hacks, more ransomware, more security problems, and let's not forget state-sponsored attacks that could impact businesses under our care as the world inches closer to a potential war. I wrote about Satya Nadella's speed-of-change prediction last time and it's quite an eye-opener. It's scary out there and no one is saying that we're getting back on the sunny side any time soon. It's clear that those who don't embrace change aren't going to be successful in sustaining their businesses.

Once we’ve trained ourselves, we have to also train our clients. It’s no longer enough that we install a program for them. We have to show them how to use it, what’s new in that new version and how to bring it all together into a more productive, more modern way of working. This is what will bring value to them. This is how we develop the intelligence of our most valuable security partners, the end-user.


This article could be viewed as a rant, but I hope that it is read as a wake-up call to modernize MSP practices to align with the security and educational demands of the businesses that we serve. Quality MSP services are getting more complex to deliver. We've long said that we'll take care of everything. Now our insurers want us to backpedal on that messaging and limit our liability. Why? Because they are having to pay out. Big payouts result in bad press for software vendors and MSPs. We're getting a bad rap. It stings, but sometimes we deserve it. Didn't have updates installed? Leaving discontinued software in production? Not using MFA? It's nearly a daily headline, and I'm sure many of us are just shaking our heads at it. It ends up hurting us all, though. One bad apple lowers the reputation of all of us.

Education is the way to turn this around. Turn MSP staff into highly skilled experts. Turn end-users into your security partners. An educated populace is good for insurers, vendors, employers, and clients. There's no downside to security literacy.


About the Author

Amy Babinchak is a highly respected technology business and M&A expert, influencer, thought leader, and President of the National Society of IT Service Providers. Her companies have won many awards, and we are honored that she’s a member of the Modern MSP Community.