This article is purely advice and we take no responsibility for your actions. I would recommend speaking to an employment lawyer in your country/county/state to ensure that any actions you take are legal and compliant with the laws where you operate. The terminology in this article is UK-based, but check for the equivalent information in your country.
With the recent spike in cybersecurity threats, there has been news of MSP staff stealing and selling client data, including remote access to client systems, which is what prompted this post. Below I've detailed some of the checks and balances you can put in place in your business to help mitigate internal threats.
Joe_Cyber on Reddit previously released his Cyber Security book for free! It may not be free at the time of reading this, but it’s definitely worth a read.
When hiring a new employee, it’s important that you know as much about their background as possible. Here is a list of things to look for:
- Certification Proof – Any major IT certification is quite easy to validate. Microsoft certifications, for example, come with downloadable transcripts as proof, and you can associate your staff's certifications with your company.
- Criminal Records – DBS checks (Disclosure & Barring Service) offer basic checks for £20.
- DVLA Checks – Checking for records against your employee’s driving license. This could lead to finding drink-driving related incidents, speeding, etc.
- Credit Checks – Possibly overkill, however by running a report on your employee you can check for any financial difficulties. Financial pressure is a common motive for selling client information.
- UKSV – In the UK, you must be SC (Security Check) cleared in order to work on any government contracts. UK Security Vetting provides very deep background checks on individuals to ensure they can work with Government data at the classification 'SECRET'.
Here are a few good practices that could fit into your employee checks:
- Password Management – I'd suggest using a password management tool such as PassPortal: when you need to lock an employee out of your passwords, restricting one account removes their access to every client's credentials at once.
- Enable Auditing – Products like Manage and Automate have auditing functions; Automate lets you set audit levels from none to verbose. I'd recommend reviewing your audit levels so you can see what actions are being performed and by whom.
- POLP/ZT – The Principle of Least Privilege and Zero Trust are security policies that grant users only the minimum permissions required to reasonably do their job, and treat every access request as one that must be verified rather than assumed.
- Monitoring – Nobody wants to be watched by Big Brother, however sometimes (in the early stages of employment) it can be a great tool for both parties. Software like ActivTrak can be silently installed onto a computer and report back on productivity and similar metrics by taking periodic screenshots, logging browser history and much more. Up to 3 users are free.
- DLP – Many tools, from your anti-virus to Office 365, have Data Loss Prevention modules that can be a great asset for preventing data from being leaked from your organization.
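To show what the auditing and least-privilege points above look like in practice, here is an added example (not code from the original post or from any of the products named) that runs a simple insider-threat check over constructed password-vault audit lines. The log format, user names, thresholds and business hours are all assumptions; adapt them to whatever your vault or RMM actually exports.

```python
"""Flag review-worthy activity in password-vault audit logs (constructed sample data)."""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample audit lines: "<ISO timestamp> <user> <action> <client>".
# The format is an assumption, not the output of any real product.
SAMPLE_LOG = """\
2024-03-04T09:12:01 alice view_password clientA
2024-03-04T09:40:22 alice view_password clientA
2024-03-04T13:05:10 bob view_password clientB
2024-03-04T22:14:03 bob view_password clientC
2024-03-04T22:14:40 bob view_password clientD
2024-03-04T22:15:12 bob export_vault clientE
2024-03-04T22:16:55 bob view_password clientF
2024-03-05T08:01:00 carol view_password clientA
"""


def parse_log(text):
    """Turn raw audit lines into (timestamp, user, action, client) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, action, client = line.split()
        events.append((datetime.fromisoformat(ts), user, action, client))
    return events


def flag_users(events, max_clients=3, start=time(8), end=time(18), leavers=()):
    """Return {user: [reasons]} for users whose vault activity warrants a look.

    Signals: bulk vault exports, out-of-hours credential access, a single
    technician touching more distinct clients than their role should need
    (least-privilege breach), and any activity by an offboarded account.
    """
    clients_per_user = defaultdict(set)
    reasons = defaultdict(list)
    for ts, user, action, client in events:
        clients_per_user[user].add(client)
        if action == "export_vault":
            reasons[user].append(f"vault export for {client}")
        if not (start <= ts.time() <= end):
            reasons[user].append(f"out-of-hours {action} on {client} at {ts.isoformat()}")
        if user in leavers:
            reasons[user].append(f"activity after offboarding: {action} on {client}")
    for user, clients in clients_per_user.items():
        if len(clients) > max_clients:
            reasons[user].append(f"touched {len(clients)} clients (limit {max_clients})")
    return dict(reasons)


if __name__ == "__main__":
    for user, why in flag_users(parse_log(SAMPLE_LOG)).items():
        print(user, "->", "; ".join(why))
```

The `leavers` argument is the offboarding check: once an account is in that set, any event at all is a finding, which is the kind of step an offboarding template should verify.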
With modern-day threats becoming the norm, it can be quite easy to forget that your threats could be within your organization. Always take every step possible to secure your accounts such as 2FA, SSO, MDM, etc. I’d consider creating onboarding/offboarding project templates within ConnectWise Manage to ensure that every step is carefully taken and accounted for.