I’m preaching to the choir here. We are all at risk of breaches and attacks. Especially as we round out 2022.

Just looking at the news last week, it’s evident that organizations perceived to be “secure” are at risk.

I recall the hoops that it took to gain access to the InfraGard site.

InfraGard describes the steps to become a member on their website:

Step 1: Provide evidence you are employed or formerly employed within critical infrastructure for at least three years.

Step 2: Verify you are at least 18 years of age on the date of application completion.

Step 3: Verify your US citizenship.

Step 4: Complete the InfraGard membership application form in its entirety.

Step 5: Consent to a security risk assessment and to periodic re-confirmation of the security risk assessment.

These steps are more complicated than applying for employment. And still, they weren’t enough to keep someone from gaining access for malicious purposes.

Here’s what we know about this incident so far:

A hacker group going by USDoD engineered their way into the InfraGard site. It wasn’t some big, sophisticated breach. They didn’t find a security hole in technology. They tested the vetting process described above and got right in.

The group claimed to be a CEO of a financial services company in the US (a company likely to get approved by the FBI).

The hacking group applied for an account and was then granted that account. It was that simple. There was no real vetting. They received an email, verified the email address, ran a Python script to query an InfraGard API, and collected all of the site’s user data.

The individual setting up the account was never really checked. No one in the InfraGard organization vetted this person.

You probably can think of other scenarios where an attacker would completely gain access to one of your clients’ data. InfraGard is not special here. Your clients are equally at risk of data breaches.

But what can you do about it?

Communicate with your clients and prospects. This made the nationwide prime-time news. If you aren’t educating them about what happened, why it happened, and what they can do to keep their data secure, you will lose their trust.

Incidents like this are the norm today. Whether it is a government agency, local business, or somewhere in between, organizations are at high risk of falling victim.

You know it. I know it. But do they know it? And how do you help them understand what they have at risk?

It’s not easy cutting through the noise. Getting them to understand WHY they need to care about their data security. Or to even see any value in investing in solutions you know are in their interest to have on their networks.

The truth today is that unless you are educating your clients about why they should care, even if they invest in a solution, they probably won’t value it. They might see what you have to sell as a commodity.

That’s why we are here. We help MSPs explain and sell value.

To see what I mean, consider testing your stack to enable you to get your clients to understand their risks in 2023.