Password hygiene is a huge priority for Managed Service Providers
Every organization is at risk for a cyber attack, but MSPs have emerged as a top target. This is because threat actors can use a vulnerable MSP as an initial access vector to multiple victim networks, with globally cascading effects.
In May of 2022, CISA, the FBI, and a group of other international cybersecurity firms released an advisory on protecting MSPs. In addition to the immediate difficulties associated with data breaches (for example, financial repercussions and loss of sensitive data), MSPs face the added pressure of fallout from the client and vendor community.
The major aspect of password security that IT teams cannot control is human behavior. Unfortunately, a majority of cyber incidents that lead to breaches and ransomware are due to human error, specifically poor password hygiene. Researchers studying these incidents have identified password sharing, weak password creation, and password reuse as the major security concerns that increase IT risk.
These common habits, specifically password reuse, are rampant across organizations. Even when users admit to “knowing the risks”, they still use the same password (or tiny variations on a password) across their accounts and on both work and personal devices.
For example, 91% of respondents in a LogMeIn survey claim to understand the risks of reusing passwords across multiple accounts, but 59% admitted to doing it anyway.
This behavior poses a significant security compliance challenge for MSPs managing multiple clients’ security environments.
In the past, organizations addressed the risk of compromised passwords by requiring periodic password resets whether or not the password was detected as compromised.
However, NIST guidelines on password security have changed. The latest recommendations for increased credential protection include the elimination of periodic resets due to the risks they create.
Why Have Password Reset Policies Changed?
Given the risks associated with both forced resets and reused passwords, MSPs and IT security teams must rethink their approach to credential protection and focus on securing employee accounts from the start.
The most efficient way for MSPs to protect enterprise accounts while acknowledging the inability to address user behavior is to scan for compromised credentials at the point of creation and on an ongoing basis.
By checking proposed passwords against a database of known, exposed credentials, MSPs obtain far more comprehensive protection for the environments they manage, while also eliminating the resource strain and financial burden of periodic password resets and arbitrary complexity requirements.
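The point-of-creation check described above, as an added example that is not code from the article or any vendor it mentions. It assumes the common k-anonymity range-query design (the client sends only the first five hex characters of the candidate's SHA-1 digest and finishes the comparison locally), and the breach corpus is constructed inline so it runs offline.

```python
import hashlib
from collections import defaultdict

# Constructed sample standing in for a corpus of known-exposed passwords.
_EXPOSED_SAMPLE = ["password", "123456", "qwerty", "letmein", "Summer2022!"]


def build_range_index(exposed_passwords):
    """Index exposed passwords as 5-hex-char SHA-1 prefix -> {suffix: count}."""
    index = defaultdict(dict)
    for pw in exposed_passwords:
        digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        prefix, suffix = digest[:5], digest[5:]
        index[prefix][suffix] = index[prefix].get(suffix, 0) + 1
    return index


BREACH_INDEX = build_range_index(_EXPOSED_SAMPLE)


def range_lookup(prefix, index=BREACH_INDEX):
    """Server side of the exchange: return every exposed suffix in the range.

    The server learns only a 5-character prefix, never the candidate password
    or its full digest, so the lookup does not itself leak the secret.
    """
    return dict(index.get(prefix, {}))


def exposure_count(candidate, lookup=range_lookup):
    """Client side: hash locally, query by prefix, match the suffix locally."""
    digest = hashlib.sha1(candidate.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return lookup(prefix).get(suffix, 0)


def screen_password(candidate, min_length=8):
    """Creation-time policy: block known-exposed passwords, keep a length floor.

    Returns (accepted, reason). No composition rules or expiry are applied,
    matching the article's point that exposure checks replace both.
    """
    if len(candidate) < min_length:
        return False, "too short"
    n = exposure_count(candidate)
    if n:
        return False, f"found in {n} known exposure(s)"
    return True, "not found in known exposures"
```

Running the same check on each successful login gives the ongoing monitoring the article calls for, without storing anything beyond the existing password hash.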
Automated IT Risk Mitigation: Credential Scanning & Monitoring
“Prevent initial compromise by implementing mitigation resources to protect initial compromise attack methods from vulnerable devices, internet-facing services, brute force and password spraying, and phishing.”
The advisory also recommends:
By adopting these best practices, MSPs can reduce attack surfaces, improve managed security, and mitigate IT risks for both internal users and client organizations.
Scanning for compromised credentials is more accessible and user-friendly than some organizations might imagine—and it’s a truly crucial step for IT risk mitigation.
For MSPs managing enterprise security, implementing automated credential screening ensures:
By eliminating password reuse risks and ensuring continuous credential protection, MSPs can fortify security compliance efforts and help businesses defend against modern cyber threats.