Headlines covering the recent ransomware attack on local governments in Texas likely triggered sleepless nights for any MSP not fully committed to (and confident in) the security of their own managed offerings. In the attack, 22 targeted systems across multiple local governments became infested with file-encrypting malware. The attack rendered it impossible for the affected local governments to fulfill important public-facing functions, such as accepting utility payments or completing birth and death certificate requests. Attackers included a ransom demand of $2.5 million for the key to unlock the encrypted files.
At this point, of course, ransomware attacks are hardly new. But this story should raise the reddest of red flags to any less-than-secure managed service provider: all of the local governments in this attack share the same MSP. The ransomware was deployed through MSP-provided software meant to deliver technical support (and, well, not malware).
If you’re an MSP that doesn’t consider security and compliance concerns to be squarely within your purview, the bad guys are just fine with that—and will force the issue whether you take steps to protect yourself or not. Moreover, MSPs that wish to stay in business for the long haul must recognize that they now face security challenges across multiple fronts: not only must MSPs protect clients from any security gaps in their own systems and practices, but MSPs themselves are now targets.
In conversations with MSP colleagues after the Texas fiasco, I heard the following advice when it came to expecting the unexpected and preventing security and compliance issues that could otherwise deal crippling blows to managed providers:
1) Your own reputation is only as safe as your clients’ data
When an MSP takes on a client, it also ties its fate to that client’s systems and data security. “It just makes sense for MSPs to bring security and compliance-as-a-service to the table as part of what they’re offering, since an MSP needs those capabilities anyway for their own well-being,” says Doug Truitt, CEO at Dallas-based Kalleo Technologies.
Even for MSPs that don’t consider themselves particularly security-centric, adopting that focus is a wise and forward-thinking move that MSPs ought to feel no shortage of motivation to make. “Threats to data security can come at a business from all angles,” adds Truitt. “Make no mistake about it: employees will lose unencrypted devices, they will fail to keep login credentials secure, they will leave credentialed sessions unattended, and they will click on phishing emails. And don’t forget terminated employees, who might wreak whatever havoc they can with the access they have left (we’ve seen it). In our own case, implementing security and compliance offerings proved to be a win-win proposition for both ourselves and our clients. At this point, I can only shake my head when MSPs make the news as vulnerable hacking targets, because the truth is they’ve only done themselves in.”
For MSPs, failure to protect a client from a data breach or similar attack affects the provider’s standing not just with that client, but with all potential clients going forward. A bad reputation is seriously damaging to an MSP business, if not fatal.