MSPs have had a target on their backs for a while now, as cyber attackers know that breaching a single vulnerable provider can grant them entry to all of their clients’ data, effectively achieving many successful breaches for the work of one. Therefore, MSPs not only need to shore up their own security, but they must firmly resist when clients ask for flawed, bargain basement “security.”
The prevalence of MSP attacks, and the dangers that represents, are gaining increasing attention among channel pros, their clients, and even public officials. At the start of this year, Louisiana Secretary of State Kyle Ardoin put the industry on notice in a speech to his fellow secretaries of state, saying: “As attacks grow more sophisticated, many MSPs have not been up front with their clients about the need to invest more in security. This leads to serious problems for their clients, and the MSPs themselves.” The state of Louisiana has since followed through with Act 117, a law requiring MSPs working with public bodies to register with state authorities, and to report all cyberattacks to those authorities. In Louisiana, the burden of breach disclosure is now squarely on MSPs.
Ardoin and other public officials had a right to be upset and to pursue this legislation, given the precipitating incidents in which governmental bodies bore the impact of attacks upon vulnerable MSPs. Louisiana was forced to declare a statewide emergency after an attack on an MSP allowed cyberthieves to infiltrate the systems of several school districts. Not long after, 23 local governments in Texas had their systems struck by attacks, all stemming from the same vulnerable MSP. Ardoin put the issue at the heart of these stories succinctly when he asked, “If MSPs aren’t protecting themselves, how can they protect their clients?”
I bring up this point not to throw any MSP under the bus. In fact, I believe it is actually MSP clients that need to improve their understanding of the importance and value of holistic cybersecurity. The MSPs I’m used to working with have the standards, self-respect, and just plain prudence to tell potential clients “No” when they’re eager to make penny-wise, pound-foolish security decisions, and are looking for a partner to help them do so. There’s nothing more frustrating in this industry than MSP clients that ignore the expertise of their providers and bargain for corner-cutting approaches to security at every turn.
The best MSPs and MSSPs understand the need for layered security that deters and thwarts attacks on many fronts. Defending clients from attacks requires hardened access controls with capabilities like two-factor authentication. It calls for isolating servers and systems so that attacks cannot escalate. It takes investments in effective endpoint security solutions. Crucially, it means investing in in-person (well, when possible again) employee training, and enforcing firm rules and procedures governing employee practices. This expertly orchestrated layering of secure techniques adds up to achieving a stout defense carefully designed to stave off attackers’ best efforts. In contrast, security based on the pay-what-you-want, à la carte approach that some MSP customers would prefer is like the Maginot Line: Attackers will simply infiltrate systems where they’re weakest, and find success far too easily.
At the same time, there are some MSPs willing to accommodate whatever requests their potential customers might have when it comes to pricing or tool selection. MSPs are doing a disservice to clients by allowing them to deploy flawed, bargain basement “security.” If these recent high-profile MSP attacks are any indication, it’s also a disservice to the industry as a whole. Paying at least the minimum threshold to put effective security protections in place is a whole lot cheaper than paying the consequences when data is exposed to attackers.
That said, MSPs must also take control of the narrative—and stay out of the headlines—by ensuring that their own security is up to the same robust standards they should be implementing in their clients’ systems. I’d never call any provider a fly-by-night operation, but a business can certainly be gone just that quickly if an attacker decides to walk through flimsy protections and steal clients’ data. This is a fact that I believe most MSPs and MSSPs understand and must remember in holding their clients to high standards. Unfortunately, a few providers have had to learn that the hard way.
CAM ROBERSON is vice president of channel sales for San Jose, Calif.-based Beachhead Solutions, which provides a PC and mobile device encryption service platform for MSPs and businesses across industries.