Some two and a half years after the Department of Homeland Security first issued a warning about the phenomenon, MSPs remain high-profile targets for cybercriminals hungry for the rich, conveniently centralized end user data stored in RMM solutions and other MSP business systems.
Indeed, 73% of MSPs surveyed by ConnectWise unit Perch Security in its 2021 MSP Threat Report say they’ve suffered at least one security incident in the last 12 months. They won’t be the last such victims either, according to Tom Greco, who became chief information security officer at ConnectWise in January.
“It’s not going away,” he says of threat activity against MSPs. “It’s getting worse in the sense that actors are definitely emboldened by the successes they’ve had.”
They’re likely to have more successes, predicts Greco, who spoke with ChannelPro at ConnectWise’s IT Nation Secure event in Orlando this week. Software makers and users are both responsible for preventing MSP breaches, he notes, but appreciation of that fact and awareness of the grave dangers they face are far from universal among MSPs at present.
“There’s three camps,” Greco says. “There’s people who are aware. There’s people who maybe think they’re aware, but they’re not doing enough. And then there’s those who really aren’t very aware at all.”
If becoming aware is step one, adopting cybersecurity best practices is an essential follow-up. ConnectWise has long been urging MSPs to use security frameworks like the one it published last year to protect customers. Greco urges MSPs to do the same internally.
“If you look at something like the NIST cybersecurity framework, identify and protect are the first two tenets,” he says. “That really means being aware of what your threats are and how susceptible you are to them, and then understanding what controls do you have to have in place.”
While all of that is easier said than done, Greco acknowledges, it’s often simpler things that trip MSPs up. “A lot of times it comes down to basics,” he says, citing user permissions as an example. “Are you thinking about minimizing the access you provide and making sure that the access you do provide has the least amount of privilege needed?”
Proper use of the role-based permissions functionality in most IT management tools is another opportunity that is often missed, according to Greco. “If you create roles that are very broad, then you’re using the control technically but you’re not using it as effectively as you could,” he says.
Requiring use of multifactor authentication when logging into RMM and PSA applications is one of the most basic basics of all, Greco notes, yet while most MSPs do it at present, some still don’t. ConnectWise, for its part, has made MFA mandatory for its Automate and Command RMM solutions as well as its Control remote access system, and is evaluating an extension of that policy to the rest of its products by the end of the year.
Steps like that are among many ConnectWise has taken in response to mounting threat activity against MSPs and media reports in 2019 about vulnerabilities in its software. Other measures include implementing a “shift left” strategy aimed at building security controls deeper into the company’s product development process through enhanced threat modeling and vulnerability testing, training in secure development practices, and automated tools that call attention to potentially insecure code as it’s written.