Understanding the Essential Eight: Multi-Factor Authentication and Daily Backups

As we near the end of our series on understanding the Essential Eight, we’re leaving the easiest strategies for last—but they’re no less important in the grand scheme of security best practices. In this post, we’ll cover how to limit access to sensitive information with multi-factor authentication, as well as how to ensure easy recoverability with daily data backups.


Why Clients Need Multi-Factor Authentication

Firstly, it’s extremely important to have good, safe password policies in place, but this should not be a substitute for multi-factor authentication (MFA). Most IT professionals have instilled good policies already—however, if you need more guidance on industry best practices and compliance, you should review the latest NIST Standards for more information. 

While you may already have good password policies in place today, the reason why MFA is so important comes down to human nature. I’m sorry to lump our whole species together, but humans are lazy by nature. This has not necessarily been a bad thing, though; our desire to do things quicker, easier, and more efficiently has spurred several millennia of innovation to improve our lives.

There are tactics you can use—such as minimum password length, mandatory character complexity, password expiration dates, etc.—to strengthen passwords, but this doesn’t necessarily make them more effective. People usually repeat passwords across all applications and make minor changes to them when they expire, e.g. Password#1, Password#2, Password#3, and so on. Sound familiar? This practice is more common than not, and I must admit, I have been guilty of doing this in the past before I became “woke.”
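To make the point concrete, the sketch below is an added example (not code from the original post) showing that each password in the Password#1, Password#2 sequence passes a typical complexity policy while a change-time similarity check flags it as a trivial rotation. The function names, the 8-character minimum, and the 0.8 similarity threshold are assumptions chosen for illustration.

```python
import re
from difflib import SequenceMatcher

MIN_LENGTH = 8  # assumed policy value, not taken from the post


def meets_complexity(pw: str) -> bool:
    """Classic composition policy: length plus upper, lower, digit, symbol."""
    return (len(pw) >= MIN_LENGTH
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def strip_counter(pw: str) -> str:
    """Drop trailing digits/symbols and lowercase the rest, so that
    Password#1 and Password#2 reduce to the same stem."""
    return re.sub(r"[\d\W_]+$", "", pw).lower()


def is_trivial_rotation(old: str, new: str, threshold: float = 0.8) -> bool:
    """True when the new password is the old one with a bumped suffix,
    or is otherwise nearly identical to it."""
    stem = strip_counter(old)
    if stem and stem == strip_counter(new):
        return True
    return SequenceMatcher(None, old.lower(), new.lower()).ratio() >= threshold


def review_change(old: str, new: str) -> dict:
    """Evaluate a password change. The old password is the one the user
    types to authorise the change, so no plaintext needs to be stored."""
    return {
        "complexity_ok": meets_complexity(new),
        "trivial_rotation": is_trivial_rotation(old, new),
    }


if __name__ == "__main__":
    # Constructed sample values for demonstration only.
    for old, new in [("Password#1", "Password#2"),
                     ("Summer2023!", "Summer2024!"),
                     ("Password#3", "correct-Horse-7-battery")]:
        print(old, "->", new, review_change(old, new))
```

A policy built only on `meets_complexity` accepts every rotation in the sample; the similarity check is what exposes the reuse, and MFA is what limits the damage when one of those passwords leaks anyway.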

How Does Multi-Factor Authentication Fit into My Offering, and Why Should I Include It?

Taking into account the ‘human’ element, an MFA solution essentially mitigates this by providing an additional step to confirm access to secure, critical applications to avoid unauthorised access and potential data breaches. Sounds simple, right? It should be, but getting clients to change the way they work and access various tools can be the tricky part.

Clients may complain that those few extra seconds it takes for them to get in feel like the end of the world. Rather than giving in straight away, we—as the trusted advisors—should be driving awareness for our clients. This can be done through marketing campaigns, highlighting threats and the costs of a breach, and ongoing security awareness training through various methods. For example, running dummy phishing campaigns is important to help clients understand who is most at risk within their organisation. Through our partnership with Webroot, Continuum offers security awareness training, which is now widely considered to be a requirement for foundational security practices.

Should Backup Be Considered a Security Standard? 

We can probably all agree that having proper backups, especially for critical services, is essential. However, there is an argument that backup is not considered security; that it’s more of an insurance policy. 

As Continuum CEO Michael George explained in his keynote at Navigate 2018, “calling BDR ‘data protection’ is like calling a sprinkler system ‘fire protection’—giving customers a false sense of security. But BDR is a necessity when security fails.”

Backup does not protect against data theft, and it doesn’t protect against hackers delivering a malicious payload and locking up your machines with ransomware. Backup is there when all else fails, and in the event of a catastrophic failure, it provides you with some peace of mind that you can recover. But the downtime can be costly. Loss of productivity, revenue, and data can be detrimental to the health of a business. Not to mention the stress that typically comes with it.

To provide a real-world scenario that we can all relate to, let’s use your car. Most people have some sort of insurance for their car. But just because you have insurance on your car does not mean you should leave it unlocked or drive it off a cliff. In many cases, not having a car for any period of time can make your life harder. And even worse, you may have to suffer the pain of having to navigate the public transport system!

The intention here is not to undermine the importance of backup as a standard business practice—it is an extremely critical component for any managed services offering—but to redefine the use of backup as a security function. Backup should be considered as a fail-safe, a last resort against absolute failure to ensure recoverability and business continuity.

So, What Should I Be Looking for in a Backup Solution?

Easy... Continuum BDR! Need I say more?

Only kidding. There are many great tools on the market today that cater to the MSP channel, from basic backups to full business continuity with disaster recovery capabilities. Some of the key areas you should be looking for are:

  • Flexible retention points
  • Local and offsite storage options (consider storage locations for regional compliance)
  • Security
  • Accessibility
  • Disaster recovery options (including DR tests)
  • Simplicity
  • Support capabilities

These are just some items to look at when making your decision. At the end of the day, cost and client needs may also be a factor. Some businesses (like trades and brick and mortar stores that don’t rely on a POS system) may be able to cope with an outage for a short period of time. But larger organisations may have critical systems that are necessary just to function as a business. These should be considered when providing your clients with an appropriate solution for their needs. Overselling can be an issue here, as it may lead to your customers questioning you as their trusted advisor. 

With Continuum BDR, we provide all the above. However, where we differ from other tools is the service we provide as part of our overall offering. Similar to our other solutions, we provide fully-managed NOC support, staffed 24x7 to support you and your clients. In turn, this allows you to save time and cost by reducing technician workloads on daily backup checks.
 

If you’d like to learn more about the power of Continuum BDR, view an on-demand demo.

 
