The MSP Security Gap

Turn security gaps into sales opportunities with weekly attack scenarios

Turn security gaps into sales opportunities with weekly attack scenarios

The account that should have been gone

The scenario:

Someone left your client months ago. Good terms, clean handover. Their email was closed. 

One thing was missed. A shared admin login they used, and a VPN account nobody switched off. 

How it unfolds:

The credentials still work. Late one evening, someone signs in with them from a new location. 

There was no password to guess and no lock to pick, because the door was never locked. It is a known account doing known things, so nothing flags. They copy client data and leave. 

Whether it was the former employee or someone who bought the details, the cause is the same. Access that outlived the person. Offboarding closed the obvious account and left the quiet ones open. 

The warning signs:

  • Shared logins that more than one person knows. 


  • Accounts for people who have left, still active weeks later. 


  • VPN or admin access with no owner and no review. 


  • A sign-in from a known account at an odd hour or a new place. 

Stop it:

  • Kill every access on the day someone leaves, not only their email. VPN, admin, shared tools, SaaS. 


  • Remove shared logins. Give each person a named account, so offboarding switches off one login cleanly. 


  • Review who has access each quarter and close anything with no owner. 

-

PS: A tool will not tell you an account should have been closed. It tells you when a dead one wakes up and starts pulling data. Same lesson as the weeks before: you catch the move they have to make, not the one you wish they had not. 

More attack scenarios

The weekend break-in