“You don’t achieve security,” says Kyle Hanslovan, “you have to constantly earn it.” Continually reassessing and verifying your security posture is critical, stresses the CEO of Huntress Labs, a provider of managed threat detection and response services. However, he says, “We're not seeing MSPs do that. And we're definitely not seeing that happen in the clients' networks.”
With cybercrooks increasingly targeting MSPs for attack, it’s more critical than ever to adopt best practices to defend yourself, and by extension, your clients.
Jayson Ferron, chief technologist at Interactive Security Training, agrees that a lot of MSPs are not following good security hygiene. “I hate saying this, but it's the truth,” he sighs. “We know that from the forensics, but the MSP is not telling the customer, ‘Hey, it's my fault.’ But it really is your fault because you didn't follow good behavior internally.”
Even more troubling, some MSPs are not being transparent when there is a breach, either in their own networks or their clients’, says Jason Coffer, principal of the Coffer Group, a San Francisco-based IT and cybersecurity solutions provider. “They know about something, but they hope no one will notice. In this industry, people always eventually notice.”
The October 2019 research report Under Attack: The State of MSP Cybersecurity in 2019, commissioned by Continuum (acquired by ConnectWise that same month) and conducted by Vanson Bourne, found that 74% of MSPs had suffered a cyberattack in the previous 12 months, with 83% reporting that their SMB customers had suffered one as well. In addition, two-thirds of MSPs surveyed said they were worried that they wouldn’t be able to defend their customers during a cyberattack.
In a reader survey ChannelPro conducted in June 2020, 46% of respondents said they had experienced a cyberattack on either themselves or their customers.
Why MSPs are now the targets of cybercriminals should be obvious, says Ferron, noting that a decent MSP has anywhere between 20 and 100-plus customers. “If I can get into the software that the MSP is using, I can affect 20 to 100 different companies from one attack.”
SMB customers have become more attuned to the issue too, says Hanslovan, who adds that this was not typically the case just a year ago. Now, he says, people are telling him “I'm leaving because my MSP was compromised,” or “I have heard the MSPs can get you compromised,” or “I'm considering not using an MSP and doing it in-house.”
Coffer, whose firm and its customers have not experienced a security incident, has clients in the financial services sector that are subject to industry regulations, and they read the headlines. “Because our companies are regulated by the SEC, they need to do a certain amount of cybersecurity themselves, and they look to us to help them with that. But at the same time … we need to fill out due diligence questionnaires to make sure our cybersecurity standards are up to the standards they need to be, because we're their vendor and they worry about that.”