Wes Spencer at Perch Security explores how managed service providers (MSPs) can step up to an intensifying threat landscape
Last year was a rollercoaster of a ride for MSPs, thanks to the impact of COVID-19. Overnight, clients pressed the ‘fast forward’ button with regard to the adoption of digital services and technologies as they strived to initiate work-from-home models and put customer, supplier, and partner interactions onto a digital footing.
Unsurprisingly, this rapid shift from traditional working arrangements to highly distributed digital operations emboldened cybercriminals to take advantage of the wealth of new opportunities before them.
For MSPs the race was suddenly on to secure their environments and mitigate risk on behalf of SMB clients, who represent a particularly enticing target for cybercriminals.
Indeed, nearly 73% of MSPs we surveyed for our 2021 MSP Threat Report confirmed at least one customer had a security incident last year and that nearly 60% of these incidents were related to ransomware. Meanwhile, only 25% of MSPs who suffered a security incident reported it was related to ransomware.
An intensifying threat landscape
Last year’s crisis highlighted how the collective value of MSPs means they are increasingly in the line of fire as far as cybercriminals are concerned. MSPs hold the keys to dozens if not hundreds of organisations that they manage, so why hack one business when you can go after many in one fell swoop? Indeed, Buffalo Jump attacks (when an MSP is breached and more than one managed organisation is compromised with malware as a result), are now part of cyber-criminals’ monetisation strategy.
Not only do attackers understand MSP tools; they also know how to exploit the vulnerabilities and legitimate uses of the tools that MSPs depend upon. Plus, they know that enterprise-grade security solutions are rarely built for use by MSPs, who typically have fewer resources to deal with this problem.
Finally, MSPs represent a large number of companies, each of which has its own appetite for risk. Some may have pre-existing in-house security controls that MSPs have to support or manage, even if these products weren’t built for use by MSPs. Meanwhile, others may have adopted a more limited or fragmented strategy due to resource constraints, a lack of understanding, or a devil-may-care attitude to risk.
With dozens of clients, MSPs are familiar with the drudgery that is involved in trying to keep everyone safe. But 2020 marked a watershed moment when all things digital took off at rapid speed. Introducing a slew of potential new vulnerabilities and risks that customers need to be educated about and shielded from.
Problem is, as more and more customers shift to the cloud and put their remote operations on a more permanent footing, MSPs know that their investment in cybersecurity tools and practices will need to increase to counter the rising tide of security threats. Little wonder that 82% of MSPs told us that the budget reserved for cybersecurity increased in 2020.
The unfortunate reality is that those MSPs that lag behind or fail to prioritise a security-first approach that is in line with a fast evolving threat landscape will be easy prey for cybercriminals who are waiting in the wings.
Steps every MSP should take
MSPs need to take threats seriously, even if their customers don’t. Because the moment something goes wrong, customers will be quick to point the finger and blame an MSP for not forcing their hand at the moment they decided to save costs and take the least robust security approach.
Let’s take a look at the top best practice approaches that MSPs need to be on top of:
- Recognise you’re a valuable target – this is the first and most important step. If you lack the right staff and training, then get on board with trusted partners and peers that can help you grow your security know-how and capabilities.
- Educate customers – not an easy task but becoming more assertive with customers and bundling security into all packages will put you in a stronger position.
- Budget – educating leadership on the gaps and risks is the only way to get an increased security budget. Perform a self-assessment to show where the gaps are.
- Staff – tools alone aren’t enough; you need human capacity to operate and interact with security solutions. If you don’t have the resources to hire and train dedicated security personnel then opt instead for managed security services.
- Reduce tool sprawl – find security controls that work well together and with your current ticketing systems. Stay on the lookout for things that will complement your stack.
- Maximise your spread – when thinking about what to bundle into basic packages, keep in mind the realities of today’s increasingly converged customer environments. For example, network-level defence now involves far more than just a firewall. Increasingly, SOC/SIEM is becoming a must have and introducing additional XDR/MDR/EDR layered tools will add a good amount of extra protection for not a lot of overhead or cost.
- Tackle simple things like passwords and training – time and again passwords are a key weak link where security failures are concerned. While training for users around things like password reuse is important, MSPs also need to architect more secure systems. Implementing things like multi-factor authentication and security keys for single-sign-on will eliminate a lot of potential vulnerabilities.
And finally – address remote workforce security gaps.
It’s becoming clear that fully remote and hybrid working models are set to stay for the long term but in the initial scramble to pivot to work-from-home models, security often got pushed onto the back-burner.
As the temporary changes made to support the move to home working are no longer temporary, MSPs must urgently ensure these are secure. That means reviewing the effectiveness of existing security controls in terms of where your employees – and your customer’s users – now work and determining whether an alternative deployment architecture or controls are needed to cover the risk.
Getting on top of cybersecurity is rapidly becoming a commercial priority, because insurance firms are hardening their attitudes where cyber policies are concerned. With new compliance regulations on the horizon, MSPs will need to get their house in order fast in preparation for the new status quo.
Main image courtesy of iStockPhoto.com