Early last month the Department of Homeland Security issued a warning for MSPs: you’re a growing target of cyberattacks.

By now, most of us are aware of, and have been thinking about, the growing number of attacks hitting MSPs. Last year was a record year for the number of MSPs hit, and the number of breaches or full-blown ransomware attacks has continued to climb in 2020.

We’ve all heard the statistics on this at this point, and I don’t want to focus on what’s happened to MSPs year to date. What I’m concerned about is creating awareness of the WHYs (why MSPs are being targeted, why MSPs are falling victim) and the HOWs: how in the heck are we, as stewards of information and its security, going to make sure our clients and our own businesses are protected going forward?

So, why are MSPs being targeted?

Managed services providers (MSPs), cloud service providers (CSPs) and managed security service providers (MSSPs) have all been warned by DHS about increased cyber activity and attacks related to their particular industries. Both hacking rings and nation-state sponsors have identified service providers as holding the keys to valuable networks (their own and their clients’).

I’m sure it’s not too difficult to connect the dots on why MSPs, CSPs and MSSPs are all attractive targets. As IT service providers with administrator access to their clients’ networks—or at the very least with elevated privileges on those networks—attackers see a clear way into treasure troves of data and ransoms. Once in a service provider’s network, they’d have access to servers, security appliances and client databases.

Without a doubt, the MSP industry (in addition to offshoots of that industry) remains at the forefront of targeted attacks in 2020.

Why are MSPs falling victim to attack?

There are a variety of reasons why MSPs (in addition to other service providers) continue to fall victim to attack. I do NOT believe that all MSPs are in the same boat. But MSPs that do not reinforce within their organizations the importance of inspecting what they expect, and the benefit of identifying and correcting vulnerabilities caused by mistakes from people on their teams or bugs in tools, are at risk of joining the 2020 MSP attack stats.

The main reasons I see why MSPs, MSSPs and CSPs continue to fall for attacks are related to the following:

Averse to change—my team used to be like this too! They wanted everything to stay the same because change means more work, more learning and an overall harder experience. The problem with this mentality is that in many situations change makes life easier (and safer).

Don’t Inspect What They Promise—no MSP is promising anything less than making sure their clients are secure. I know you genuinely care about those you’re serving and would never want anything to happen to them. The problem is it’s hard to inspect a promise of security. Yes, you can say a firewall blocked X, Y and Z or you blocked so many phishing attempts, but deep down it’s hard to say that your clients’ data is actually secure and getting more secure. At any moment, a new vulnerability or even a simple configuration mistake could leave you with a serious mess on your hands. Most MSPs are not keeping tally of this stuff because no one is making it a priority.

Unwilling To Confront Or Admit To Problems—there are MSPs out there (I’m sure you’ve audited clients of some) that simply don’t fess up to their problems. The MSPs that are not taking security seriously are actually making you and other MSPs less safe by association (hackers are learning to manipulate the tools that make managed services easier for the sole purpose of getting access to more networks to ransom or exploit).

Are Mainly Interested In Quick Fixes—several MSPs that I’ve spoken to recently want a quick prescription for securing their network. They don’t want a routine or a cultural shift in their approach to security. They simply want to flip a switch and call their network secure. They want to buy into a subscription that will give them a glowing certification and let the world know they’re secure—without lifting a finger. I hate to say it, but quick fixes don’t exist. If they did, why would we need to invest in a cybersecurity stack?

MSPs can’t do their own security?

Recently I read a post about MSPs needing to have security partners in order to protect their clients and that cyber insurance policies will deny claims if MSPs are not engaging with security firms.

I do think that misguidedly buying security tools—oftentimes overpaying for tools that overlap in functionality, while leaving gaps in cybersecurity stacks—can contribute to serious security holes.

If you, as an MSP owner, are well-informed and are continuously learning, identifying and improving your security stance, you are much less likely to be a target than those sticking their heads in the sand thinking their current path of bad behaviors is acceptable.

So that leaves us with the HOW question.

How do we make sure our data and that of our clients is safe?

My short answer is really easy. Common sense.

There are a ton of expensive tools and services out there that use hi-tech to address the cybersecurity gaps present in virtually all IT environments. Some of these tools can be quite handy, but the problem with most of them is that they come with a steep learning curve to implement, or, most of the time, you as an MSP are putting complete trust in these black box solutions without really knowing what’s going on.

Yeah, their marketing might explain things in a nutshell, but when the rubber hits the road, how are you certain you’re getting a return on your committed investment?

But when it comes to figuring out how to protect your business and your clients from ransomware attacks it boils down to the basics:

Inspect What You Do—be aware of when your teams mess up. Communicate those mess ups and focus on the fixes. Reward your team for finding problems and working together to avoid them in the future—no one’s perfect. If you don’t shine a flashlight on where the problems are, they’ll never be fixed (and might get worse!).

Identify Areas That Aren’t Working—figure out what is not working within your security. Determine whether the problem is related to people, process, or tools. If everyone is having the same problem, it likely isn’t a problem with your people. Realize that many of the vulnerabilities we find in MSP networks that are exploited by hackers are not solely a product of one individual opening the door.

Strategically Reduce Your Risks—determine which problems within your organization are either easy to fix or worth the investments (because they eliminate big risks). This is something Galactic Scan does a great job of doing.

Fill In The Gaps Where Necessary—if it turns out you have great people and your process makes sense (in that you aren’t introducing new holes), figure out if there are ways you could better invest in technology to be more effective at what you’re doing. In nearly 60% of MSPs I’ve assessed in 2020, I’ve found wasted spending on overlapping products. My challenge to you: understand what your security stack is doing and what pieces make sense (again, this is something we are good at helping you with!).

Bottom line: many MSPs are spending good money on their cybersecurity solutions. Many are overspending because the products in the marketplace today are confusing. From marketing sheets or even conversations with vendors, you are being led to believe that many of the newest, flashiest products are unique when many of them overlap significantly. I’ve seen overlapping, underused AND misconfigured security products implemented all across the MSP space.

Understand what your tools are doing, where your team is leaving holes (even the best teams open doors) and where your processes need tweaking. Until then you’re going to remain an opportune target for attackers.