As the one-year anniversary of the SolarWinds Orion breach and the six-month anniversary of the Kaseya VSA breach both approach, and a year filled with seemingly endless high-profile ransomware attacks and print spooler vulnerabilities draws to a close, faith in the integrity of the tools MSPs rely on to serve and secure customers is arguably at an all-time low.
“We’re in a situation where MSPs don’t know which vendors to trust, because they don’t know whose stuff is secure,” says Ryan Weeks, Datto’s chief information security officer.
Indeed, data published last week by Acronis in partnership with ChannelPro showed that 53% of MSPs don’t fully trust the vendors they work with to secure end users. Worse yet, 49% don’t completely trust their own ability to keep customers safe.
According to Weeks, overcoming that “crisis in confidence” (an echo of words he used during a keynote presentation at the 2021 DattoCon partner event last month) is a shared responsibility.
“If you look at all of these attacks, how they’re being facilitated, the attackers are not leveraging incredibly advanced tactics,” he says. “It’s simple stuff. And so the more that we do simple things well consistently, the stronger we’re going to become as a community.”
For MSPs, that means embracing the basics of cybersecurity hygiene: keeping software patched, enforcing multifactor authentication, and closing unneeded firewall ports. More specifically, Weeks urges channel pros to implement all 56 safeguards in Implementation Group 1 (IG1) of the Center for Internet Security’s Critical Security Controls.
“That’s one thing every—and I mean every single—MSP should be doing,” he says. “If every MSP did that and did it well, the rate of adverse security outcomes in the channel would dramatically decrease.”
As for RMM vendors like Datto, he continues, their responsibility is to get much more rigorous about locking down their software. “We need to demonstrate a very high level of competency in how we secure the RMM.”
“Demonstrate” is the key word in that statement. Saying that you’ve implemented the NIST Cybersecurity Framework or its equivalent is one thing, but proving through independent verification that you’re following best practices for software security, Weeks believes, is essential to regaining the channel’s confidence.
With that goal in mind, Datto opted in 2019 to begin implementing the Building Security In Maturity Model, or BSIMM, a set of practices based on input from dozens of financial institutions, healthcare providers, software developers, and other businesses that is meant to capture how real organizations run application security programs. Participating companies work to achieve level one (baseline), level two (mature), or level three (advanced) competence in up to 121 specific risk-reduction activities, such as penetration testing and developer training, grouped into 12 practice areas.
“It’s our opinion that companies that take software security seriously have achieved at least a level two in all 12 of the focus areas of the BSIMM framework,” Weeks says, adding that Datto reached that milestone earlier this year after 18 months of effort.
The framework itself, moreover, evolves as BSIMM participants learn more about risks and countermeasures. “The framework changes every year,” Weeks says. “We’re not measuring ourselves against a static thing.”