Oscar Six Blog

MSP Internal Security: Protecting Your Own Infrastructure First

The MSP Security Paradox

There's an uncomfortable truth in the managed services world: the companies responsible for securing dozens of client networks often neglect their own infrastructure. It's the classic "cobbler's children have no shoes" scenario, and threat actors know it.

MSPs represent high-value targets precisely because of their privileged access. Compromise one MSP, and you potentially gain entry to every client they manage. The 2021 Kaseya attack demonstrated this devastatingly well, affecting over 1,500 businesses through a single supply chain compromise.

So how paranoid should you be about your own infrastructure? Based on industry best practices and real-world breach data, here's what every MSP should consider non-negotiable.

Identity and Access: Your First Line of Defense

The most common attack vector into MSP environments isn't some sophisticated zero-day—it's compromised credentials. Building robust identity controls should be your foundation.

Hardware security keys like YubiKeys for all critical systems aren't overkill; they're essential. SMS-based MFA has known vulnerabilities, and even authenticator apps can be phished through real-time proxy attacks. Hardware tokens provide phishing-resistant authentication that dramatically reduces your risk surface.

Strict account separation is equally critical. Your marketing team's email account should never touch your RMM console. Create distinct accounts for:

- Administrative access to client environments
- Internal IT management
- Day-to-day business operations (email, file sharing)
- Financial systems

When accounts are separated, a compromised sales inbox doesn't become a pathway to every client's domain admin credentials.

Network Segmentation and Perimeter Security

Your network architecture should assume breach. That means designing systems so that compromising one segment doesn't give attackers free rein over everything else.

Ditch ISP-provided equipment for your perimeter. Enterprise-grade next-generation firewalls provide the visibility and control you need—deep packet inspection, application-level filtering, and proper logging. You can't defend what you can't see.

Segment your management networks from general corporate traffic. Your RMM servers, backup systems, and client VPN concentrators should live in isolated network segments with strict access controls. An infected workstation in your sales department shouldn't be able to reach your Datto console.

Consider implementing jump servers or privileged access workstations (PAWs) for accessing sensitive systems. Yes, it adds friction. That friction is the point.
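The segmentation rules above are easy to state and easy to let drift: a firewall rule added during a late-night troubleshooting session can quietly let a general-user VLAN reach the management segment again. One cheap way to catch that is to compare what the perimeter firewall actually allowed against the segmentation policy you intended. The script below is an added example and is not from the original post or any particular vendor's product; the segment names, CIDRs, allow-list and log line format are assumptions chosen for illustration, and the flow records are constructed.

```python
"""Segmentation policy check over constructed firewall flow records.

Added example (not from the original post). Segment names, CIDRs and the
allow-list below are assumptions chosen for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Assumed network segments for the MSP's own environment.
SEGMENTS = {
    "corp_users": ipaddress.ip_network("10.10.0.0/24"),   # sales, marketing, general staff
    "management": ipaddress.ip_network("10.20.0.0/24"),   # RMM, backup, client VPN concentrator
    "paw":        ipaddress.ip_network("10.30.0.0/28"),   # privileged access workstations
    "internet":   ipaddress.ip_network("0.0.0.0/0"),      # catch-all for everything else
}

# Default-deny allow-list: (src_segment, dst_segment, dst_port). None means any port.
ALLOW = {
    ("paw", "management", 443),       # technicians reach the RMM console only from a PAW
    ("paw", "management", 3389),      # RDP to the jump host, again only from a PAW
    ("corp_users", "internet", 443),
    ("corp_users", "internet", 80),
    ("management", "internet", 443),  # RMM platform updates / cloud control plane
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    action: str  # what the firewall actually did: "allow" or "deny"


def segment_of(ip: str) -> str:
    """Return the most specific segment containing ip ('internet' is the /0 fallback)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for name, net in SEGMENTS.items():
        if addr in net and (best is None or net.prefixlen > SEGMENTS[best].prefixlen):
            best = name
    return best


def is_permitted(flow: Flow) -> bool:
    """True if the intended policy allows this source segment to reach this destination/port."""
    src, dst = segment_of(flow.src), segment_of(flow.dst)
    return (src, dst, flow.dport) in ALLOW or (src, dst, None) in ALLOW


def find_violations(flows):
    """Flows the firewall ALLOWED that the policy says it should not have.

    Each one points at a rule gap or misconfiguration worth investigating;
    correctly denied traffic is not reported.
    """
    return [f for f in flows if f.action == "allow" and not is_permitted(f)]


def parse_line(line: str) -> Flow:
    # Constructed log format: "src=... dst=... dport=... action=..."
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(fields["src"], fields["dst"], int(fields["dport"]), fields["action"])


SAMPLE_LOG = [  # constructed sample lines, not from a real firewall
    "src=10.10.0.45 dst=142.250.72.46 dport=443 action=allow",  # sales user browsing: fine
    "src=10.30.0.5 dst=10.20.0.10 dport=443 action=allow",      # PAW -> RMM console: fine
    "src=10.10.0.45 dst=10.20.0.10 dport=443 action=allow",     # sales workstation -> RMM console: violation
    "src=10.10.0.45 dst=10.20.0.20 dport=22 action=deny",       # correctly blocked: not a violation
    "src=203.0.113.7 dst=10.20.0.10 dport=443 action=allow",    # internet -> RMM console: violation
]

if __name__ == "__main__":
    for v in find_violations(parse_line(l) for l in SAMPLE_LOG):
        print(f"policy violation: {segment_of(v.src)} ({v.src}) -> "
              f"{segment_of(v.dst)} ({v.dst}):{v.dport} was allowed")
```

Run against a day's exported flow records, an empty result means the firewall is still enforcing the segmentation you designed; anything printed is either a rule that needs removing or a gap in the written policy that needs a deliberate decision.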

Vulnerability Management: Practice What You Preach

Here's where many MSPs fall short: they run vulnerability scans for clients but skip their own infrastructure. Your internal systems deserve the same rigor you apply to client environments.

Regular vulnerability scanning of your own networks should be automated and consistent. This includes:

- External perimeter scans (what attackers see from the internet)
- Internal network assessments
- Web application testing for any client portals or ticketing systems
- Configuration audits of critical infrastructure

The goal isn't just finding vulnerabilities—it's maintaining continuous visibility into your security posture. Automated scanning tools can identify misconfigurations, missing patches, and exposed services before attackers do. When you're managing security for others, you can't afford blind spots in your own environment.

Patch management for your internal systems needs the same discipline as client environments. That domain controller running your internal AD? It needs updates just as urgently as any client server.

Monitoring and Detection

Prevention eventually fails. Your security architecture needs to assume that and plan accordingly.

Centralized logging from all critical systems—firewalls, domain controllers, RMM platforms, VPN concentrators—should feed into a SIEM or at minimum a log aggregation platform. Logs that sit unreviewed on individual systems might as well not exist.

Alerting on anomalies matters more than alerting on known-bad signatures. Unusual login times, access from unexpected geolocations, bulk data transfers, or privilege escalation attempts should all trigger investigation.
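The anomaly classes named above (off-hours logins, unexpected geolocations, bulk transfers, privilege changes) are all checks against a per-user baseline rather than a signature, and the same pass can enforce the account-separation rule from the identity section by flagging a business-role account that authenticates to an administrative system. The script below is an added example and is not from the original post or from any SIEM vendor; the JSON event shape, user profiles, system-to-role mapping and bulk-transfer threshold are assumptions for illustration, and the event lines are constructed.

```python
"""Anomaly flags over constructed authentication/activity events from an RMM console.

Added example, not from the original post. The JSON event shape, the user
profiles, the system-to-role mapping and the thresholds are assumptions.
"""
import json
from datetime import datetime

# Assumed per-user baseline: role, normal working hours (UTC, half-open), usual countries.
PROFILES = {
    "tech.alice": {"role": "admin",    "hours": (7, 19), "countries": {"US"}},
    "sales.bob":  {"role": "business", "hours": (8, 18), "countries": {"US"}},
}

# Which account roles are allowed to authenticate to which system (account separation).
SYSTEM_ROLES = {
    "rmm-console": {"admin"},
    "m365-mail":   {"admin", "business"},
}

BULK_BYTES = 500 * 1024 * 1024  # assumed threshold for a "bulk transfer"


def parse_event(line: str) -> dict:
    """Parse one JSON event line; timestamps are ISO-8601 with a trailing Z."""
    e = json.loads(line)
    e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return e


def flags_for(e: dict) -> list:
    """Return the anomaly flags raised by one event (empty list = nothing unusual)."""
    flags = []
    profile = PROFILES.get(e["user"])
    if profile is None:
        return ["unknown_user"]          # no baseline at all: always worth a look
    start, end = profile["hours"]
    if not (start <= e["ts"].hour < end):
        flags.append("off_hours_login")
    if e.get("country") not in profile["countries"]:
        flags.append("unexpected_geo")
    if profile["role"] not in SYSTEM_ROLES.get(e["system"], set()):
        flags.append("role_violation")   # e.g. a sales account touching the RMM console
    if e.get("event") == "privilege_change":
        flags.append("privilege_escalation")
    if e.get("bytes_out", 0) >= BULK_BYTES:
        flags.append("bulk_transfer")
    return flags


def triage(lines) -> dict:
    """Map event id -> flags, keeping only events that raised at least one flag."""
    out = {}
    for line in lines:
        e = parse_event(line)
        f = flags_for(e)
        if f:
            out[e["id"]] = f
    return out


SAMPLE_EVENTS = [  # constructed sample events, not from a real system
    '{"id": 1, "ts": "2024-03-04T14:02:11Z", "user": "tech.alice", "system": "rmm-console", "country": "US", "event": "login"}',
    '{"id": 2, "ts": "2024-03-04T03:15:40Z", "user": "tech.alice", "system": "rmm-console", "country": "RO", "event": "login"}',
    '{"id": 3, "ts": "2024-03-04T10:30:00Z", "user": "sales.bob", "system": "rmm-console", "country": "US", "event": "login"}',
    '{"id": 4, "ts": "2024-03-04T15:45:00Z", "user": "tech.alice", "system": "rmm-console", "country": "US", "event": "privilege_change"}',
    '{"id": 5, "ts": "2024-03-04T16:10:00Z", "user": "tech.alice", "system": "rmm-console", "country": "US", "event": "export", "bytes_out": 734003200}',
    '{"id": 6, "ts": "2024-03-04T09:00:00Z", "user": "svc.unknown", "system": "m365-mail", "country": "US", "event": "login"}',
]

if __name__ == "__main__":
    for event_id, flags in triage(SAMPLE_EVENTS).items():
        print(f"event {event_id}: {', '.join(flags)}")
```

Event 1 is a technician's ordinary daytime login and raises nothing; every other sample trips exactly one kind of check. In practice the baselines would be learned from history rather than typed in, but the structure is the same: the alert fires because the event is unusual for that account, not because it matched a known-bad indicator.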

Many MSPs are now implementing 24/7 SOC monitoring for their own infrastructure—either through internal staff rotation or by partnering with another security provider. Yes, it feels strange to outsource when security is your business. It's also pragmatic.

Documentation and Incident Response

When something goes wrong, chaos is your enemy. Having documented, tested procedures makes the difference between a contained incident and a catastrophe.

Maintain current network documentation including asset inventories, network diagrams, and data flow maps. During an incident, you need to know exactly what systems exist and how they connect.

Develop and test incident response plans specific to MSP scenarios. What's your procedure if a technician's credentials are compromised? How do you notify clients if your systems are breached? Who has authority to disconnect client environments if necessary?

Run tabletop exercises at least annually. The time to figure out your response isn't during an active breach.

Building a Security-First Culture

Technical controls matter, but culture determines whether they're actually followed. Security awareness training shouldn't just be something you sell to clients—your own team needs regular education on current threats, social engineering tactics, and secure practices.

Encourage a blame-free reporting environment. Technicians who accidentally click suspicious links should feel safe reporting immediately rather than hiding the mistake and hoping nothing happens.

The MSPs that survive the current threat landscape will be those that treat their own security with the same seriousness they bring to client engagements. Your infrastructure is the foundation everything else rests on—it deserves your best effort.