Axcient’s Security-First Approach Part 1: People
How are you ensuring business continuity as a separate element from cybersecurity? Managed Service Providers (MSPs) put significant emphasis on keeping the bad guys out – but struggle to keep businesses running when they get in. Cybersecurity threats, risks, and attack strategies are constantly evolving and growing in sophistication. With the number of successful attacks rising year-over-year, Axcient has shifted the responsibility of security from a dedicated internal security team, to the responsibility of every single employee. In this three part series, we’re walking MSPs through the three pillars of our security-first approach: people, process, and infrastructure.
Table of Contents
Security From the Top Down
Many of Axcient’s leaders come from a background in security. Gaining top-level buy-in is critical to any business culture, and having those values built-in makes it that much stronger for the rest of the team. Axcient’s CEO, David Bennett, spent 10 years in security before coming to Axcient, which he jokes, “has made me paranoid about everything.” Joined by Axcient’s Senior VP of Product, Ben Nowacky, who also brings a wealth of security experience, David and Ben have crafted Axcient’s security-first approach over the last two years.
David explains the transformation from team to individual. “It’s great having some specialists that really understand the security tech stack, but how do we change the approach in our business, and how do we think about securing out tech stack – which ultimately secures our MSP partners and their clients. So we came up with this distributed security capability in that we made every single employee figure out how they can solve a part of the security problem across all facets of our business.”
Data protection is security because without access to your data, business stops. Ben says, “Yes we do backup, yes we do disaster recovery, but really we are the fundamental piece of security in the MSP security puzzle. So we have to have a security-first approach to everything we do. We made security a core part of the company culture for every person in the company through KPIs and OKRs, all the way through evaluation and stopping production if anyone finds something suspicious.”
While people are the fundamental link in a multi-layered security approach, they are also always going to be the weakest link. Because the number one cause of data loss is human error, everyone at the company, regardless of department or role, has to have a security-first mindset. Axcient instills these values and awareness through required and regular security training. Information security and social engineering training, phishing and hack tests, and mandated compliance standards help Axcient bring security into every aspect of employment.
It only takes one employee to accidentally click the phishing link, open the attachment, save critical data on their desktop, or fail to use corporate password policies, and bam, your client is down. It may not happen immediately since todays hackers like to gain access and sit quietly while planning complex and damaging attacks – but it will happen and business will stop. With that said, no amount of training will eliminate the risk of humans being human. Accidents will happen and that’s why business continuity and disaster recovery (BCDR) is central to security. MSPs need to be able to virtualize client environments fast to keep their business running while the breach is dissected and remediated by either the cyber liability insurance company or internal teams.
Before new features are developed, Axcient engineers have to complete a security questionnaire for approval to move forward. Features have to be secure by design in order to be integrated with Axcient products. Some of those questions include:
- What are the security concerns of the new feature?
- How are those concerns being address?
- What are the scans?
- What is being done to mitigate potential risk?
- How is security being monitored on a regular basis?
Security is a core responsibility for every person on the engineering team and the foundation of the development lifecycle. If something is not secure, elevates risk, or compromises the security of other features, it’s not ready for our partners. Axcient will never sacrifice security for shiny new features. Our developers are strong and if a feature can help MSPs and their clients, we’ll find a way to build it the right way.
Security From the Outside In
While Axcient leans on both internal employees and dedicated security teams to further our security-first approach, we’re know enough to know we don’t know it all. Axcient leverages security specialists and subject matter experts to identify potential issues, changes in the threat landscape, and to help tap into the community at large to constantly be upping security awareness internally. Teams attend security-focused events and look to industry thought-leaders to constantly remain aware and engaged with cybersecurity in the channel.
We also work with a number of incident response vendors to regularly update, practice, and refine our cybersecurity playbook for disaster readiness and efficient restore. As new threats and strategies are introduced, we need a plan for fast remediation. Contact information needs to be updated and available offline in case phone lines and email are unavailable. Breach notification requirements have to be followed to remain in compliance with state regulations and industry standards. Cyber liability processes have to be respected for claims to be paid. As Ben says, “Decisions made in battle time are the worst ones to be made,” so get help to make sure your cybersecurity playbook is always ready for what if.
We also rotate through threat and security management companies to get fresh eyes on our code and avoid falling into an echo chamber with ourselves. When we launched AirGap for ransomware rollback we utilized two different third-party security vendors for penetration testing with full access to our VPN and data centers. Worst case scenarios are the focus, so we open our full source code, accounts and systems, and say, “do your worst.” We want to know what happens if a developer is compromised. What if there’s malware on a developers’ computer? How can that breach be used to enter the network and gain persistence? Vendors should always be able to back their security claims with external testing to prove effectiveness in the real world.
Once we identify potential people loopholes, we attack back by understanding the vulnerability, fixing it, and ensuring subsequent breaches don’t occur. Ben explains, “Vulnerabilities are tracked internally through a number of ticketing systems. External partners do penetration tests, we have a vulnerability disclosure program where partners can submit any issues they find, and those are all tracked internally with SLAs tied to everything. Anything that is a remote code execution vulnerability, a zero-day, or critical vulnerability has an SLA of one week – no more – to have that resolved in production.”
Axcient has not had any of these critical incidents in the last year, but our rapid response team is available 24/7/365 with comprehensive staffing in operations, engineering, and support. We’re always available to isolate systems, mitigate against the attack, investigate, remediate, and resolve issues. Our team is constantly evaluated and graded on response times, number of touches before resolve, and partner satisfaction to deliver a positive and productive experience.
Learn more in Axcient’s Security-First Approach Part 2: Process and Axcient’s Security-First Approach Part 3: Infrastructure to see how we’re reinforcing personal responsibility for security in our everyday operations and development process.
About the Author:
Liz Mellem // Technical Copywriter, Axcient
Liz Mellem has been a freelance copywriter for over four years in the technology, education, and alternative medicine industries. She produces content, sales collateral, and email marketing campaigns that contribute to digital marketing strategies for sales growth and brand awareness. In her free time, Liz enjoys reading, exploring Austin, and Netflix with her cat, Harlem.