When was the last time you signed into your remote monitoring and management software and took a quick look at the various accounts? How positive are you that everyone has 2FA? Is having them all even necessary?
Establish a recurring task to review, in person, who is actually using your tools.
Do your staff members have access to a login policy? Is it enforced? For systems like RMM you need a very long, random, complex password that is stored in a password manager.
Using SMS or voice calls for two-factor authentication? A phone number can be faked.
Check to see if 2FA is turned on for each of those accounts.
Consider the level of access granted to each account and apply the minimum privilege concept. Only those rights should be granted to people that are required for them to fulfill their obligations. Don't just assume it; verify it twice!
If the tool allows it, check when each user last logged in and remove any accounts that are no longer in use.
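The three checks above (2FA on every account, least privilege on every role, stale or never-used accounts removed) are easier to run on a schedule than by eye. Below is an added example, not code from the original post or from any RMM vendor: a small Python audit over a constructed account export. The record format (user, role, mfa, last_login) and the 90-day staleness threshold are assumptions; map them to whatever your RMM actually exports.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample export in a hypothetical format; a real RMM export
# will have different field names and should be mapped to these.
ACCOUNTS = [
    {"user": "alice", "role": "admin", "mfa": "totp", "last_login": "2024-05-01T09:12:00Z"},
    {"user": "bob", "role": "technician", "mfa": "sms", "last_login": "2024-04-28T14:03:00Z"},
    {"user": "carol", "role": "admin", "mfa": "none", "last_login": "2023-11-02T08:00:00Z"},
    {"user": "svc-backup", "role": "admin", "mfa": "none", "last_login": None},
    {"user": "dave", "role": "technician", "mfa": "totp", "last_login": "2024-01-15T10:00:00Z"},
]

# Constructed "now" so the example is reproducible offline.
AS_OF = datetime(2024, 5, 10, tzinfo=timezone.utc)

STRONG_MFA = {"totp", "fido2", "push"}   # app- or hardware-based factors
WEAK_MFA = {"sms", "voice"}              # phone-based factors, per the post's warning
PRIVILEGED_ROLES = {"admin"}
STALE_AFTER = timedelta(days=90)         # assumed review threshold


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp; None means the account never logged in."""
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_accounts(accounts, now=AS_OF):
    """Return (user, finding) pairs for every account that fails a check."""
    findings = []
    for acct in accounts:
        user = acct["user"]

        # Check 1: is 2FA on, and is it a factor that can't be answered by a faked phone?
        if acct["mfa"] == "none":
            findings.append((user, "NO_MFA"))
        elif acct["mfa"] in WEAK_MFA:
            findings.append((user, "WEAK_MFA"))

        # Check 3: last-login review; unused accounts are removal candidates.
        last = parse_ts(acct["last_login"])
        if last is None:
            findings.append((user, "NEVER_LOGGED_IN"))
        elif now - last > STALE_AFTER:
            findings.append((user, "STALE"))

        # Check 2 (partial): privileged accounts get the strictest MFA requirement.
        if acct["role"] in PRIVILEGED_ROLES and acct["mfa"] not in STRONG_MFA:
            findings.append((user, "PRIVILEGED_WITHOUT_STRONG_MFA"))
    return findings


def privileged_users(accounts):
    """List privileged accounts so each one can be justified (or demoted) by a human."""
    return sorted(a["user"] for a in accounts if a["role"] in PRIVILEGED_ROLES)


if __name__ == "__main__":
    for user, finding in audit_accounts(ACCOUNTS):
        print(f"{user:12} {finding}")
    print("Privileged accounts to justify:", ", ".join(privileged_users(ACCOUNTS)))
```

The least-privilege check cannot be fully automated: the script can only list who holds admin rights, and someone who knows each person's duties has to confirm that every entry on that list still needs them.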
Check your API and integration...