Channel Insider content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

An MSP data breach response plan is a detailed blueprint that specifies how to protect against an intrusion with guidelines on what to do in the event of a suspected or confirmed intrusion. Besides disrupting a managed service provider’s operations, a successful breach would put all of its customers at risk, especially if the intruders gained access to the service’s professional services automation (PSA) and remote monitoring and management (RMM) platforms.

MSPs that provide cybersecurity protection services should be creating data breach response plans for their customers. Every MSP should also have a thorough and routinely updated plan for their own operations since they are the primary targets of threat actors.

Featured Partners: Managed Service Provider (MSP) Software

Free data breach response plan for MSPs

We’ve drafted a data breach response plan checklist that MSPs can use to finalize their own plans. Click the image below to view and download the entire checklist, then make a copy to modify it per your unique business needs.

how to respond to an msp security breach
Click to view and download

What is an incident response plan?

An incident response plan is a documented course of action outlining specific steps and procedures to take when a major attack occurs. Every MSP should have an incident response plan for its organization and create one for its customers. It should be part of a business continuity and disaster recovery (BCDR) strategy.

The Cybersecurity and Infrastructure Security Agency (CISA) advisory to MSPs emphasized that an incident response and recovery plan should identify stakeholders’ roles and responsibilities, including key executives, IT leads, and procurement officers. MSPs should regularly test their incident response and recovery plans and they should encourage their customers to undergo the same exercises.

Also, CISA recommended that MSPs should take a proactive stance in understanding and managing their supply chain risks across security, legal, and procurement teams and implement risk assessments. MSPs should also be aware of the supply chain risks that they face and the downstream risks they place on their customers.

Every incident response plan should include:

  • Documentation of steps to take upon discovery of a breach outlined in phases
  • Identification of roles, responsibilities, and contingencies
  • List of people to initially contact within the organization
  • Plan for communicating the breach to clients, particularly those most vulnerable
  • Review by the organization’s council and insurers
  • Copies that are easily accessible, including printouts

How MSPs can avoid data breaches

An incident response plan is critical, but avoiding incidents will reduce the likelihood of having to use that plan. According to CISA’s advisory, MSPs can avoid data breaches by using appropriate settings on VPNs, having a vulnerability management program, identifying and tracking all internet-facing assets, implementing strategies to prevent authentication-based attacks, and protecting against credential stuffing attacks.

Let’s examine those approaches more closely:

  • VPN configurations: Use the longest supported encryption keys and other best practices, run only necessary features to reduce exploitation of vulnerabilities, and monitor access to and from the VPN.
  • Vulnerability management programs: Include system discovery tools to identify and classify assets, find and validate vulnerabilities in assets, prioritize vulnerabilities based on technical and business objectives, have a plan for fixing identified issues, and create a vulnerability disclosure playbook.
  • Internet assets: Identify and track web or API services, and ensure that protocols and ports in use are gathered from known and baselined configuration settings (such as firewall rules).
  • Authentication-based attack prevention: Prevent types such as brute force, dictionary, password spraying attacks, phishing campaigns, social engineering, and system vulnerabilities.
  • Credential stuffing attack avoidance: Avoid attacks targeted at user accounts, system accounts, APIs, and federated accounts.

How MSPs should respond to security breaches

Unfortunately, no one is immune to falling victim to intruders, who engage in sophisticated and well-orchestrated campaigns often backed with significant funding. Taking the actions above will reduce the risk of a breach, but if intruders can exploit giants like SolarWinds, Kaseya, and even Microsoft, no MSP is impervious, which is why it’s so critical to have an incident response plan.

Having and adhering to a plan of action from the moment a breach is suspected promises to reduce the impact of an intrusion. Take these six steps once a breach has been detected or confirmed:

  1. Immediately block all affected nodes and ports
  2. Mobilize key incident response team stakeholders, including business and IT stakeholders, legal counsel, insurance carriers, and law enforcement
  3. Assess and document the data breached
  4. Determine the root cause of the breach and steps to mitigate future occurrences
  5. Calculate the cost of the breach
  6. Review your incident response plan to ensure you’ve completed all actions

In the process of responding to a breach, MSPs with threat assessment capabilities should also tap CompTIA’s Information Sharing and Analysis Organization (ISAO), an online community of experts collaborating to identify and share threat information. ISAO collects data from different sources on threat actors and their methodologies, including governments, businesses of all sizes, and cybersecurity organizations worldwide.

CompTIA’s MJ Shoer emphasized that the ISAO helped crunch data to share relevant and useful information, such as findings and discussions about the ConnectWise vulnerability.

How susceptible are MSPs to cyberattacks?

MSPs have become prime targets of sophisticated attackers and ransomware gangs because they provide a natural path to their customers. An MSP has privileged administrator access to core systems, applications, and databases, which means a successful breach of one vulnerable service provider can pave the way for them to gain access to a huge number of organizations.

Once an intruder gains privileged access to an MSP’s customers, the attacker can often go undetected for some time because the customer has entrusted the MSP to maintain their systems. Attackers typically exploit vulnerabilities in RMM and PSA tools that MSPs use to manage each of their clients.

The predisposition of MSPs famously came to view in late 2020 when Russian attackers exploited a vulnerability in SolarWinds Orion, which affected over 18,000 organizations. The attackers injected a trojan into an Orion update that carried a backdoor. According to research by Kaspersky, the trojan impacted 28% of all MSPs.

Months after the SolarWinds incident, the well-known ransomware attack targeting Kaseya’s Virtual System Administrator (VSA) is believed to have hit at least 1,500 organizations and 40 MSPs. Many MSPs use Kaseya’s RMM tool, giving the intruders backdoor access to many of the organizations breached at the time.

Vulnerable MSPs on the dark web

MSPs have become so susceptible that security researchers observed hackers selling access on the dark web. For example, Huntress senior threat intelligence analyst Harlan Carvey reported that his team discovered one group offering access to the MSP panel of over 50 companies and another peddling RDP admin access to companies.

The Cybersecurity Infrastructure and Security Agency (CISA) took notice of this and joined its global counterparts by issuing a warning about the threat to MSPs. CISA’s alert emphasized that MSPs’ services typically require both trusted network connectivity and privileged access to customer systems.

“Whether the customer’s network environment is on premises or externally hosted, threat actors can use a vulnerable MSP as an initial access vector to multiple victim networks, with globally cascading effects,” the alert stated.

Risk to MSPs of authentication bypass breaches

MSPs are especially susceptible to hackers who exploit vulnerable systems with authentication bypass flaws, found in the SolarWinds and Kaseya vulnerabilities. The International Council of E-Commerce Consultants describes an authentication bypass vulnerability as a security flaw in software that lets an attacker evade the authentication process.

Authentication bypass flaws are especially dangerous to MSPs because they allow hackers to elevate privileges and cut off access to authorized administrators. “Essentially, a bad actor can mimic the role of the system admin, delete all other users, and take over the instance,” said CompTIA chief community officer MJ Shoer during a podcast with RMM provider ConnectWise CISO Patrick Beggs.

The two conducted the discussion in February 2024, after a critical vulnerability enabling authentication bypass breaches was discovered in ScreenConnect, a tool provided by ConnectWise that’s widely used by MSPs.

Shoer joined Beggs on the podcast to discuss an authentication bypass flaw ConnectWise discovered in its ScreenConnect tool in February 2024. While ConnectWise immediately released a patch, the vulnerability (CVE-2024-1709) has the highest severity score possible, 10.0, more critical than the SolarWinds and Kaseya vulnerabilities.

“Essentially, a bad actor can mimic the role of the system admin, delete all other users, and take over the instance,” Shoer said.

Even more concerning about the ScreenConnect flaw is that ConnectWise has the largest market share of MSPs that use its PSA and RMM platforms. It accounts for 27% of MSPs as of the third quarter of 2023, according to market research firm Canalys. 

Why are MSPs easy targets?

The unfortunate reality is that many MSPs get so caught up in putting out fires for their customers that they fail to protect their own infrastructure. Yet neglecting their own house can put an MSP and its clients at risk, which happens all too often.

CompTIA’s Shoer emphasized that MSPs must prioritize keeping their house in order. “Patching is part of their basic service offering, yet so many times, it’s the cobbler’s kid,” Shoer said. “The MSPs are forcing patching on their customers but resisting their technology partners, their vendor partners, who are critical for their stack, from doing the same to them.”

Kevin McDonald, COO and CISO of Alvaka Networks, an MSP and MSSP in Irvine, California, emphasized that at the March 2024 Channel Partners Conference & Expo.

“We’ve rescued several of you over the last few years because you yourselves got hit by ransomware,” he told MSPs at the event. “Please defend yourself; learn by defending yourself. I learn every day by having to defend myself from threat actors. Do the same and then take what you’ve learned and translate that into profit.”

Can MSPs be held liable for data breaches?

MSPs are liable for data breaches on a broad spectrum of fronts, open ports, spread of malware, phishing, data loss, downtime, failed backups, and failure to comply with regulations such as HIPAA, GDPR, and FINRA, among others. An MSP can be held liable even if any of those failures are inadvertent or the fault of a client or someone in the client’s supply chain.

To limit liability, MSPs should detail disclaimers in their client contracts and set realistic service level agreements. However, even a contract filled with disclaimers and signed off by the client doesn’t mean clients won’t sue an MSP if something goes wrong.

For example, in February 2024, the law firm Mastagni Holstedt filed a lawsuit in Sacramento Superior Court against MSP Lantech LLC and its backup software vendor Acronis following a ransomware attack. While the complaint doesn’t say how much ransom the law firm had to pay to regain access to its data, it seeks $1 million in damages.

When the firm attempted to recover its data from Acronis after the ransom was demanded, the lawsuit claimed the backup had been deleted. The complaint pointed to the attackers as Black Basta, the ransomware group identified by Trend Micro as having exploited the ConnectWise ScreenConnect vulnerability. The Russian ransomware group has reportedly extorted over $100 million from its victims.

How MSPs can display a strong security posture with clients

As threat vectors continue to change, with more actors able to wage attacks with fewer skills, MSPs and MSSPs must have a broad set of tools and capabilities to provide comprehensive protection. If you need help providing the tools and capabilities, partner with someone who can.

Ensure your clients know you have access to the best security tools available. Capabilities to emphasize should include tools to secure infrastructure, networks, cloud software, and data. Also critical are identity and access management (IAM), including providing multi factor authentication (MFA), infrastructure and application monitoring, and risk and vulnerability management.

Bottom line: Establish a data breach protection plan

Everyone is a target of a cyberattack, but MSPs are prime targets because you are the gateway to all of your clients’ systems. If you’re evangelizing to your customers that they should patch their systems and have incident response plans, don’t be the cobbler who wears broken shoes. MSPs that take steps to maintain strong security postures will reduce their liability if they experience a data breach.

Although no MSP is immune from experiencing a data breach, there are ways to reduce risk, like adhering to the Cybersecurity Maturity Model Certification (CMMC 2.0). Next, learn how to become CMMC compliant through key steps and a free checklist.