This prospect had Kenny Log-ins. Please don’t have Kenny Log-ins. Learn about his Ride Into the Danger Zone…

“I’m alright,” he says. Let’s say he has Kenny Log-ins. He’s a business owner whom I know socially, but not well. He’s in a long-term contract with a large and well-known DC/Baltimore area MSP. When I asked him about the job his MSP was doing, the answer was, “I’m alright.”
Having Kenny Log-ins is a term for business execs who have no password-strength enforcement, have had the same MSP for years with the same security and tech stack over that entire time, and who neither take the time to inspect, nor prioritize any kind of due diligence on, the security that vendor has in place.
It’s not expensive nor time-consuming to avoid having Kenny Log-ins.
But still, it’s a tough objection to overcome when the prospect’s senior exec is friends with the MSP’s point of contact, and the prospect and the MSP’s owner are friends as well.
It’s safe to say he didn’t take a meeting the first time I asked.
So we pivoted to their data and security as a way of demonstrating the level of their MSP’s performance. Three weeks later, after a meeting with the client and our conducting some baseline security reviews, we had found:
- The prospect has recent credential sets (username and password) for three dozen of his employees available for sale on a dark web ID-theft forum.
- The prospect does not enforce regular password changes on any staff.
- The prospect didn’t have three of the four DNS mail handling and authentication security protocols enabled. DM for the nerd translation, or read my blog on the topic at https://transitionparadigm.com/uncategorized/boost-your-small-businesss-information-security/
- The prospect did not have multifactor authentication on their remote access VPN.
- The CEO’s compromised credentials carry Global Admin privileges for Office 365/Azure. His password was only seven characters long, all numeric. This was his only account, so his everyday mailbox login and his tenant-wide admin rights were one and the same, and his username was his email address.
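The third finding above is the kind of thing you can verify yourself in a few minutes. The post does not name the four protocols, so the following assumes the usual DNS mail-authentication trio, SPF, DKIM and DMARC, and shows what “enabled but weak” looks like next to a hardened configuration. This is an added example, not code from the original post or from the MSP in question; the records are constructed strings standing in for the TXT answers a real lookup would return (the domain, selector name and reporting address are placeholders), and the only real identifier is Microsoft 365’s SPF include host, spf.protection.outlook.com.

```python
"""Offline check of a domain's DNS mail-authentication records.

Added example, not part of the original post. The records below are
constructed strings standing in for what a TXT lookup would return:
    <domain>                       TXT -> SPF record
    _dmarc.<domain>                TXT -> DMARC record
    <selector>._domainkey.<domain> TXT -> DKIM public key
"""
import re
from typing import Any, Dict, List, Optional

# SPF terms that cost a DNS query when a receiver evaluates the record.
SPF_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_tags(record: str) -> Dict[str, str]:
    """Split the 'k=v; k2=v2' tag lists used by DKIM and DMARC records."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(spf: Optional[str]) -> List[str]:
    """Flag SPF settings that let spoofed mail through or break evaluation."""
    if spf is None:
        return ["SPF: no record; receivers cannot tell which hosts may send as this domain"]
    terms = spf.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    findings: List[str] = []
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("SPF: '+all' authorizes every host on the Internet to send as this domain")
    elif last == "?all":
        findings.append("SPF: '?all' is neutral; spoofed mail is neither passed nor failed")
    elif last == "~all":
        findings.append("SPF: '~all' softfail only; back it with DMARC p=reject so receivers act on it")
    elif last != "-all":
        findings.append("SPF: no terminal 'all' mechanism; unlisted senders get an implicit neutral")
    # RFC 7208 section 4.6.4: more than 10 DNS-querying terms is a permerror,
    # which most receivers treat as if the domain had no SPF at all.
    lookups = sum(
        1 for t in terms
        if re.split(r"[:/=]", t.lower().lstrip("+-~?"), 1)[0] in SPF_LOOKUP_MECHANISMS
    )
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-lookup terms exceed the RFC 7208 limit of 10 (permerror)")
    return findings


def assess_dkim(selectors: Dict[str, str]) -> List[str]:
    """DKIM needs at least one published selector with a non-empty public key."""
    if not selectors:
        return ["DKIM: no selector records found; outbound mail cannot be signature-verified"]
    findings: List[str] = []
    for name, record in selectors.items():
        if parse_tags(record).get("p", "") == "":
            findings.append(f"DKIM: selector '{name}' publishes an empty p= (revoked key)")
    return findings


def assess_dmarc(dmarc: Optional[str]) -> List[str]:
    """DMARC is what turns SPF/DKIM results into a receiver-side action."""
    if dmarc is None:
        return ["DMARC: no _dmarc record; SPF and DKIM failures are never enforced"]
    tags = parse_tags(dmarc)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: record does not start with v=DMARC1"]
    findings: List[str] = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none is monitor-only; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine; move to p=reject once aggregate reports look clean")
    elif policy != "reject":
        findings.append("DMARC: missing or invalid p= tag")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of the mail stream")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so nobody receives aggregate reports")
    return findings


def assess_domain(records: Dict[str, Any]) -> List[str]:
    """records: {'spf': str|None, 'dkim': {selector: record}, 'dmarc': str|None}."""
    return (assess_spf(records.get("spf"))
            + assess_dkim(records.get("dkim") or {})
            + assess_dmarc(records.get("dmarc")))


# Constructed sample data: a Microsoft 365 tenant left in monitor-only mode
# with no DKIM selector published, and the same tenant after hardening.
WEAK_DOMAIN = {
    "spf": "v=spf1 include:spf.protection.outlook.com ~all",
    "dkim": {},
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
}
HARDENED_DOMAIN = {
    "spf": "v=spf1 include:spf.protection.outlook.com -all",
    "dkim": {"selector1": "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAconstructed"},
    "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com",
}

if __name__ == "__main__":
    for label, recs in (("weak", WEAK_DOMAIN), ("hardened", HARDENED_DOMAIN)):
        found = assess_domain(recs)
        print(f"{label}: {len(found)} finding(s)")
        for line in found:
            print("  -", line)
```

To run it against a real domain, replace the constructed dictionaries with the TXT answers from `dig +short TXT <domain>`, `dig +short TXT _dmarc.<domain>` and `dig +short TXT <selector>._domainkey.<domain>`; the one thing a lookup cannot tell you is which DKIM selectors exist, so take those from the mail provider’s setup page. The point the post is making holds either way: a domain can “have” all three records and still protect nothing if SPF ends in ~all and DMARC sits at p=none.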
Quoting The Offspring: You gotta keep’em separated.
The ‘Kenny Lessons’ for business owners, C-level and ops execs evaluating a Managed Services Provider or staff are the following:
- If the MSP isn’t advocating basic security Group Policy / Intune policy for Entra ID, such as password strength mandates (12 characters minimum) and a password change policy (note that current NIST SP 800-63B guidance favors length, MFA and screening against breached-password lists over forced periodic rotation), it’s a
- If the MSP isn’t asking questions about, nor proposing solutions for, password vaults, offline / air-gapped data backups, conditional access (policies that gate each sign-in on the user’s device, location and risk level; please ask what this is) and Internet Security Awareness Training (ISAT), then you have a vendor that is not prioritizing security on your technology roadmap.
- If the MSP doesn’t have an onboarding procedure that includes inspecting, and when needed fixing, prior failures in your DNS mail handling and authentication security protocols, it demonstrates a lack of proactive management of important security elements.
- If a long-term MSP has left their client’s remote access VPN in place without configuring it for multi-factor authentication, your vendor is taking you on a Ride Into the Danger Zone.
#CheckYourMSP
#Security&DarkWeb
#DontHaveKennyLoggins
#12CharacterAlphaNumeric+!