Five countries issued a warning on May 11 about MSPs and customers that includes 12 action steps to avoid cyber intrusions. The alert, “Protecting Against Cyber Threats to Managed Service Providers and their Customers, states: “The cybersecurity authorities… are aware of recent reports that observe an increase in malicious cyber activity targeting managed service providers (MSPs) and expect this trend to continue.”
The warning came from the United Kingdom National Cyber Security Centre (NCSC-UK), the Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NCSC-NZ), the United States Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI) with contributions from industry members of the Joint Cyber Defense Collaborative (JCDC). The sheer number of agencies shows how big an issue this is.
While the warning gives attorneys more ammunition when they go after you because your client suffered a data breach, ransomware attack, or email scam, it is also gives you more ammunition to use in your marketing, contracts, and proposals.
In my previous articles, “How to Protect Your Clients From…You” and “MSP Sued! Are You Ready?” I wrote about things you should do to protect your MSP business and your clients.
Each one of the 12 steps included in the new warning gives you a marketing opportunity. Each also gives you a chance to convince clients to implement stronger security processes, purchase more services, and knowingly accept the risks of making bad decisions or trying to save money. The recommendations align with the NIST Cybersecurity Framework (CSF), HIPAA, DFARS/CMMC, PCI-DSS, other regulations, and cyber insurance policy requirements.
The 12 Steps
Here is a condensed summary of the 12 security recommendations.
1. Prevent initial compromise
- Improve security of vulnerable devices.
- Protect internet-facing services.
- Defend against brute force and password spraying.
- Defend against phishing.
2. Enable/improve monitoring and logging processes. Whether through a comprehensive security information and event management (SIEM) solution or discrete logging tools, implement and maintain a segregated logging regime to detect threats to networks.
3. Enforce multifactor authentication (MFA). Organizations should secure remote access applications and enforce MFA where possible to harden the infrastructure that enables access to networks and systems.
4. Manage internal architecture risks and segregate internal networks. Organizations should understand their environment and segregate their networks. Identify, group, and isolate critical business systems and apply appropriate network security controls to them to reduce the impact of a compromise across the organization.
5. Apply the principle of least privilege. Organizations should apply the principle of least privilege throughout their network environment and immediately update privileges upon changes in administrative roles.
6. Deprecate obsolete accounts and infrastructure. Both MSPs and customers should periodically review their internet attack surface and take steps to limit it, such as disabling user accounts when personnel transition.
7. Apply updates. Organizations should update software, including operating systems, applications, and firmware. Prioritize applying security updates to software containing known exploited vulnerabilities. (This also means removing unsupported operating systems, software, and devices when they reach end-of-life and no longer receive security updates.)
8. Back up systems and data. Organizations should regularly update and test backups—including “gold images” of critical systems in the event these need to be rebuilt.
Organizations should base the frequency of backups on their recovery point objective (RPO). (Backup processes should also be tested to ensure they can meet the recovery time objective, or RTO).
Store backups separately and isolate them from network connections that could enable the spread of ransomware; many ransomware variants attempt to find and encrypt/delete accessible backups.
9. Develop and exercise incident response and recovery plans. Incident response and recovery plans should include roles and responsibilities for all organizational stakeholders, including executives, technical leads, and procurement officers.
Organizations should maintain up-to-date hard copies of plans to ensure responders can access them should the network be inaccessible (e.g., due to a ransomware attack).
10. Understand and proactively manage supply chain risk. All organizations should proactively manage supply chain risk across security, legal, and procurement groups, using risk assessments to identify and prioritize the allocation of resources.
11. Both MSPs and their customers will benefit from contractual arrangements that clearly define responsibilities. MSPs, when negotiating the terms of a contract with their customer, should provide clear explanations of the services the customer is purchasing, services the customer is not purchasing, and all contingencies for incident response and recovery.
Customers should ensure that they have a thorough understanding of the security services their MSP is providing via the contractual arrangement and address any security requirements that fall outside the scope of the contract.
12. Manage account authentication and authorization. All organizations should adhere to best practices for password and permission management.
Develop Trust with Prospects and Clients
Address the warning head-on. Before talking with clients, focus on your MSP business. Implement the recommendations and use the warning as a checklist to show prospects and clients that you are adhering to the international recommendations for MSP security.
Go another step and earn CompTIA’s Security Trustmark Plus, a business-level accreditation that validates your MSP business’s implementation of the NIST Cybersecurity Framework (CSF). I know it is achievable for MSPs because I have implemented it in three of my own companies and I have coached over 40 MSPs to earn it.
Being seen as a cybersecurity authority is a good way to counter warnings about MSPs. For example, Bryan Hornung, a New Jersey MSP, leveraged his Security Trustmark Plus into on-air interviews with CNN, Forbes, and Fox News, quickly establishing his authority as a go-to cybersecurity expert in his market.
Recommend Client Security Built on the 12 Steps
The warning recommends that MSP customer contracts transparently identify ownership of security roles and responsibilities. This is a good message from an independent credible source that a client cannot fully outsource all aspects of cybersecurity. Clients have responsibilities for things you can’t control, and it’s their responsibility to purchase cybersecurity services and tools that are reasonable for their situations—not just by their willingness to pay.
Use the warning in your marketing and proposals. Even though it talks about threats that MSPs pose to clients, it also includes specific things clients should do to protect their networks. Referencing outside sources like the cybersecurity agencies of five countries may get customers who are sitting on the fence to finally sign a proposal.
Managed services is a risk-based financial model. Clients who won’t pay for security services should not expect you to include incident response in their fees. For those who turn down your recommendations, you should reference the warning in a Decline of Services document you send them. Run your “attitude filter” to not make them look stupid, and include something like this: “The United States Cybersecurity and Infrastructure Security Agency (CISA) recommends ______, which you have declined to implement. We are therefore not responsible for any cybersecurity incidents and their direct or consequential damages. Incident response services are not included in your monthly fee, and will be charged at our prevailing hourly rate if needed.”
Make sure your terms and conditions limit your liability and exposure, and state that clients share in their cybersecurity responsibilities.
And thank the governments of five countries for a way to convince clients to do the right things.
Opening image: Roxana Balint © 123RF.com
