<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=118316065439938&amp;ev=PageView&amp;noscript=1">
David Mills
By David Mills on July 29, 2020

When an MSP website becomes an insider threat

Managed service providers, or MSPs, are trusted partners for millions of organizations. They hold the keys to almost everything of value within a business from access to banking and client records, to eCommerce and personal information. Since nailing down security issues is an important role for most MSPs, the potential that an MSP could become an insider threat is a potential reputation wrecker for these businesses.

Do a quick news search, and you'll see how hackers view MSPs as a "target rich environment."

Screen Shot 2020-07-29 at 3.15.36 PM

It's Your Customers They are After

While there are numerous avenues to reach MSP customers that can include administrative systems, point of sale, storage or ecommerce, one area that is a blatant vulnerability is the MSP website. Infosec describes two primary avenues: 1) hackers are using your site to lure in others, or 2) administrators receive phishing emails. It is particularly effective if phishing can lead people back to a page on the MSP website, where as a trusted source they can collect vital access information from your clients.

Not only is this happening on customer websites, it's happening on MSP websites as well. The phishing process on an MSP website works like this:

  1. Hacker compromises the MSP website
  2. Hacker sets up a page designed to collect important information (say, "reset your network passwords?")
  3. Hacker invites MSP customers to visit the page, and bam. They are in.

It's hard to imagine a more compromising situation than your customer giving up their critical passwords on a hacked page on the MSP website.

Two Big Targets: Hosting and Open Source Software

As we review MSP websites and talk with MSP leaders, we discover that they have not always applied the appropriate kind of security practices to their own websites. Some are hosting their websites on some of the most popular and highly hacked web hosts that exist. Some even sell that hosting to their clients on the same hack prone hosting provider. 

At Story, when we used to employ and sell a highly popular hosting service (a name you'd recognize), almost every one of our client's websites were hacked. It was almost like clockwork, and it was never easy to fix. We graduated to a more secure hosting environment, but we noticed something else - the open source software that we loved and promoted was full of vulnerabilities. We even had websites hacked that really offered nothing to the hacker, except the thrill of owning someone else's site, or perhaps just a little practice.

Open Source Software Like WordPress is a Hacker's Dream

The very nature of WordPress invites hackers. Since in order to operate WordPress, you need a large number of plugins which are developed by the random assortment of volunteer developers around the world. The average nationally is greater than 20 plugins per website. Every time that WordPress updates, half of those plugins become vulnerable before they are updated. And keeping them all up-to-date is a regular chore - a chore that almost no one keeps up on.

A MSP Website Experiment

We ran a Google search for the top 20 MSPs in the region around the Story HQ.  Of the top 20 that we found, 60% were running WordPress for their websites. We completed an initial vulnerability scan for each of the WordPress websites and identified code vulnerabilities in 85%. Only 15% came back without a vulnerability. 

MSPs we reviewed had an 85% vulnerability rate if they were using WordPress - that clearly makes them an insider threat.

MSPs should be functioning as Cyber Hygiene Guides

Instead of modeling and practicing effective security, many MSPs are using inexpensive open source software that is essentially insecure. If I was a current MSP client, I would have to look twice at every configuration or service email coming from an MSP. They are a hacker's target and have left themselves open. The argument is that they have separated the website from their network infrastructure by hosting offsite. That's great, but if the website is the primary communication vehicle for clients, then it poses a primary risk if it can be used to spoof the identity of the MSP in client communication.

->Learn how to quickly make the move from vulnerable to secure with a website that delivers more clients, too.


A best practice approach for MSPs is the use of enterprise level software for their own website. 

Story Collaborative began making its move to SaaS website software beginning in 2017. Talk with us if you are an MSP that wants to quickly move to a secure web profile, you want a pain-free process, and want the other enterprise benefits for sales and marketing that come along in the package. Just like you offer a great deal more for clients with the enterprise software that you employ, your website, sales and marketing will benefit if you move to that same level of enterprise level website software. And you'll also remove the reputation and liability risk that comes with allowing the potential for client's critical access passwords to be compromised. Plus, you'll have something new to teach your clients about security.

New call-to-action


Published by David Mills July 29, 2020
David Mills