If you’re a Managed Service Provider (MSP), hackers are looking for ways to get into your systems right now. In fact, it’s not unlikely that a bad actor — or two — has already made their way into your network. They’re in there – waiting for the right time to launch their attack. Inside, collecting information.
But don’t take it personally. Hackers aren’t necessarily targeting your organization because of you. Hackers want to get into your systems to get to your clients.
As part of the supply chain, MSPs have a hub-and-spoke relationship with all of their clients. In that relationship, the MSPs are the hub. If the hacker can penetrate the hub, they can often more easily penetrate all of the spokes. Cybercriminals have figured this out, and they are using MSP security shortcomings to take full advantage.
There has been a lot of talk about supply chain in cybersecurity lately. As supply chain attacks increase, risk managers and analysts are starting to appreciate how important vendor security really is. Remember, the Target hack was the result of a breach through the retail giant’s HVAC vendor. And while gaining access to over 100 million client financial records is a big catch for a cyber-attacker, payment data isn’t the most critical information today’s malicious actors are after.
You might think that your small or medium-sized MSP isn’t on the list of targets for cybercriminals. After all, you don’t maintain financial records. You don’t store sensitive client information. What could they want with you and your business?
Well, a lot.
MSPs, even yours, are the gateway of choice into the networks of high-value targets. Maybe you don’t think you have anything to offer. But think about your client list… Do they? And take it a step further – what about your client’s customers? If hackers use your system to get into your client’s systems, what’s stopping them from spreading even further?
You don’t want to be the focal point of a federal investigation for a cyber-attack that exposed the financial information of 100 million Americans. Or worse, you don’t want your name attached to a breach that compromised national security secrets and put lives in danger.
But what is the real risk? So much of cybersecurity awareness is rooted in fear and knee-jerk reactions. How likely is it, really, that the average MSP will encounter a cyber-attack?
While general supply chain attacks aren’t new, targeting MSPs specifically is a more recent (and quickly growing) phenomenon. It’s growing so much that in fall 2018, the Department of Homeland Security issued an alert warning MSPs of the increased cyber threat to their systems and operations.
According to that alert, MSPs that provide remote management for client IT and end-user systems are particularly at risk because of their large attack surface.
And this isn’t just theory. In the last year, there have been several known MSP attacks.
Just last month, Synoptek fell victim to a ransomware attack that disrupted operations for many of its 1100 clients. To contain the damage, Synoptek resorted to quickly paying the undisclosed ransom demand. And this happened to an organization once recognized as one of Orange County, CA’s fastest growing companies – a company that also lists risk management as one of its service offerings.
And while there are conflicting theories on the merits of paying a ransom, not paying doesn’t mean that the recovery will be low cost.
In August of last year, 23 local government entities in Texas were hit by a coordinated ransomware attack. And how did the attacker manage to infiltrate so many systems at once?
Through their MSP, TSM Consulting.
TSM Consulting boasts contracts with over 300 agencies throughout Texas, offers firewall security, and maintains that they provide a quality service and take care of their customers. Still, they served as the entry point for an attacker to gain footing in what is known as the largest coordinated ransomware attack on a government.
And though they didn’t pay the ransom, the recovery from the attacks is reported to cost the small Texas governments over $12M.
And in the case of Wipro — a publicly-traded, multinational, MSP behemoth – hackers used phishing schemes to infiltrate the MSP’s systems and make their way to at least a dozen clients. Considering that Wipro has tens of thousands of clients, including Fortune 500 companies, it’s a sigh of relief that their hackers were only looking to commit gift card fraud and not something more sinister.
Nonetheless, the Wipro hackers were building their campaign for years and may have camped out in Wipro systems for months before launching their attack.
What if these attackers wanted to do irreparable damage to Wipro’s clients or their clients’ customers? The nature and length of the attack campaign would have likely allowed them to do so.
And as with the other examples mentioned, Wipro advertises cybersecurity services as part of its offering.
So where is the disconnect? How are so many MSPs falling victim to cyber-attacks even when some strive to offer security services?
MSPs and MSSPs
Many MSPs started as product resellers and transitioned into managed services to meet client needs. They never intended on getting into security and haven’t established sound security practices within their own operations. But the tide has turned. Now, many businesses expect their MSPs to support business IT functions and keep networks safe. They see it as a package deal. Some MSPs are trying to meet customer needs by including limited security services, but partial security only creates the illusion of safety and serves to set all parties up for an attack.
Because MSPs are trusted by so many business and government entities, and because many MSPs have created a security illusion (or neglected security entirely), they are a prime target for hackers looking to steal from several organizations through one breach effort.
And this trend will continue to grow in number and intensity.
Just as MSPs evolved from product resellers to managed services in response to market demands, today’s MSPs need to transition from just managed services with some security to real managed security services. And while many MSPs already know this, not many of them know the best way to effectively secure themselves and provide security services to their clients.
Short of hiring qualified security professionals and building in-house security frameworks and operations from the ground-up, MSPs have a faster and more effective option – cybersecurity partnerships.
Partnering with a company that already specializes in cybersecurity means that you can immediately secure your own business and offer advanced protection and mitigation services to your clients. Furthermore, adding true security services to your offering allows you to market to new clients and effectively grow your business.
But as with any aspect of your business, finding the right security partner requires thorough evaluation and analysis. There are a lot of security firms that simply resell and deploy substandard cybersecurity “solutions” at a mark-up. And there are other cybersecurity providers that engineer their own solutions, but those solutions only focus on endpoints. When you consider that most attacks come through software vulnerabilities, DDoS attacks, and SQL injection, you quickly realize that endpoint solutions aren’t enough. Endpoint solutions won’t stop these prevalent attack types and will leave your organization vulnerable.
If you are concerned with providing the most robust security for yourself and your clients, you must partner with a cybersecurity innovator that creates customized solutions that consider the risk, vulnerabilities, size, network components, and operational requirements of you and your clients.
Assured Enterprises goes beyond endpoint security and becomes a real extension of your MSP team. We conduct periodic risk assessments that provide measurable benchmarks and clear roadmaps to increased security. We deploy AssuredScanDKV® to automatically detect known vulnerabilities in the software resident on a network and we can immediately correct deficiencies. We provide on-call service to assist your in-house team whenever a security issue or question arises.
And, through our insurance affiliate, AssuredOne™, affordable data breach insurance may be available to your clients.
At Assured Enterprises, we are serious about protecting the hub-and-spoke relationships that have become so vulnerable as the nature and attack surface of cyber-attacks morph and intensify. It’s why we are dedicated to providing 360˚ cybersecurity that starts at identifying risk and vulnerabilities and protects you and your clients through the recovery if there is ever an incident.
Contact us to learn more about how we can tailor a suite of products and services to empower our partnership to meet your unique needs and those of your client base.