Three Things That Make MSP Security a Headache and How To Fix Them

Three Things That Make MSP Security a Headache and How To Fix Them

June 20

There are an unbelievable number of people who don’t quite understand how to protect themselves online, and some of them might be your clients. Some clients likely expect you, the managed service provider, to make sure that no viruses or malicious software end up on their computer, and that all of the information on their system is protected. But even with proper firewalls, spam filters and other security measures, that’s not feasible if clients don’t understand safe practices. There’s a certain level of understanding your clients need when it comes to keeping themselves safe online because your reach only extends so far.

Here’s a quick guide to keep your clients out of trouble on the web.


Regardless of your most ardent efforts to keep out spam and malicious emails, they can still get through from time to time. Your clients need to first understand that although you’ve done everything you can, there are cyber-criminals with very advanced capabilities. Start with the basics, like making sure clients know that emails with subject lines like, “you’ve won a free vacation,” “collect your prize now,” or of course, “try some free Viagra” usually have something nefarious in them. These emails should be deleted immediately and never opened, despite how curious (or impotent) the client is.

Remember, though, that cyber-criminals are tricky. What happens when a client gets an email that, at glance, looks like it came from you or someone they trust, but inside it asks them to download and install a patch that happens to be a virus? The client would have little reason to believe that it didn’t come from you, unless they knew what to expect.

To remedy these types of issues, you might want to establish a protocol for communications. If you’re not installing patches or doing upgrades remotely, or if you actually do need a client to install some sort of patch, it’s best to call them and let them know you’re sending them an email with a link to a patch or upgrade or whatever. Let them know you won’t ask them to do these types of things via email, and if they receive any odd, unannounced emails asking them to download things, they might want to let you know.

Anti-virus and security

This is another thing that many clients will see as your job to handle, and it’s likely that you do so as part of your service offering, but there’s one thing that anti-virus software still can’t protect people from: ignorance.

While a disreputable website or supposedly “free download” might seem like pretty clear threats to an IT admin or other technology professional, some clients might not quite understand that they shouldn’t just download everything that catches their eye. You should consider instructing them on what to avoid and how to avoid them. They shouldn’t be downloading songs or videos from torrent websites, or visiting torrent sites at all, for that matter. And while it’s probably overkill to expect them to give you a call every time they need to install a new program, they ought to be able to recognize what a reputable free download does and doesn’t look like. Is it from a credible source like Google, Microsoft, or Apple? Then it’s probably fine. Is it from something they’ve never heard of and on a website riddled with ads and mock “download now” buttons? If yes, they should know that it’s risky to download it. If there’s something they need but can’t seem to find a download of it from a reputable source, they should be able to reach someone at your organization for advice, otherwise you might end up wasting time troubleshooting virus issues.


This will be the toughest thing because not only is it often a point of contention for security experts, it’s also extremely difficult for anyone to create and manage secure passwords, let alone those who understand their importance. When it comes to securing a desktop unit, you can always set parameters for the passwords a client uses to log on, and even force them to change it every three months or so. It’s also wise to password-protect the hard drive itself so that the unit won’t even boot up without a password (this is especially important for employees who occasionally work from home or travel with laptops).

The biggest issue isn’t the passwords a client would use to login into his PC, the real issue happens when various security credentials are needed for access to various online services. This can be a real issue when somebody uses an insecure password for a file and folder service like Google Drive or Dropbox. If any sensitive information is placed in that drive, it’s only secured by a weak password. That’s an invitation for the wrong people to access that account. More importantly, what about credentials for things like the company Facebook, Twitter, or various cloud service platforms? Who has access to these, and how secure are these passwords?

The crucial thing is to make sure your clients understand the importance of a secure password, and how to create a very secure password because regardless of your opinion on the effectiveness of passwords, stronger is much better. You can also offer them tips to manage these, like helping them come up with a formula that creates secure, memorable passwords for any website they go to or by suggesting a password management and creation tool like Last Pass.*

*Last Pass is a free tool that allows you to create a “vault” that holds all of your passwords and credentials in one place online with one super-secure password protecting them. The issue for some security experts might be that you’ve placed all of your passwords in one place. If a hacker somehow got in, they’d have every single password you’ve put there. Although the service is quite secure, you should keep the risk in mind before suggesting this or similar services to a client.

Photo Credit: Zarko Drincic via Compfight cc