I recently wrote a security column about sandboxing and, to my tech eye, the technology seems to solve many issues. Sandboxing teases out a potential malware threat before it even becomes a problem. Plus, it’s scalable. There is off-the-shelf sandbox software for the do-it-yourself, independent entrepreneur, and five-figure versions wielded by the most elite MSPs. So, the technology has a lot of versatility.
“Tools become a crutch”
Despite the positives, some unintended, negative consequences have emerged from sandboxing’s popularity. Ahmed Banafa, a leading cybersecurity expert at San Jose State University, warned me that:
“Cyber-criminals are finding more ways to evade this technology. For example, new strains of malware can recognize when they are inside a sandbox. They will wait until they are outside of the sandbox before executing the malicious code.”
So much for sandboxing as a silver bullet. This revelation raises the question: Is there a single best defense that an MSP can use? Firewall? Patching? Anti-phishing software? All of the above? Karen Eltis, who specializes in cybersecurity, AI, and online privacy while working as a law professor in Ottawa’s Centre for Law, Technology, and Society, cautions MSPs about depending solely on technology for their defenses.
“The concern with all innovative tools is that they can quickly become a crutch; we presume the infallibility of the security tool ‘du jour’ and over-rely.”
The human aspect
Eltis says there is a human aspect that permeates every part of cybersecurity. The best defenses in the world won’t work if the employees aren’t on board.
Education is a consistent theme that has emerged in SmarterMSP’s talks with experts. Whether the sessions are led by corporate or MSP staff, the two entities need to work hand-in-hand to educate every employee — from the CEO to the janitor — on good cyber hygiene habits.
A Tripwire study released in late 2018 raises alarms. Surveying 306 IT professionals, it finds that organizations are falling short in risk management. Two-thirds of professionals surveyed are not following primary CIS or Defense Information Systems Agency guidelines that provide a framework for the bare minimum network security. Other alarming stats from the Tripwire report include:
- Fifty-seven percent said it can take hours, weeks, or months to detect new devices connecting to their organization’s network.
- Forty percent of organizations are not scanning for vulnerabilities weekly or on a more frequent basis despite recommendations, and only half run the more comprehensive authenticated scans.
- Perhaps most alarming, it takes 27 percent of organizations anywhere from a month to more than one year to deploy a security patch.
These stats show that MSPs have a significant opportunity: convince a potential client that their in-house IT capabilities aren’t up to the task and that an MSP can offer better, cheaper, and faster security service. Moreover, MSPs can provide the training that could help mitigate some of the Tripwire report’s spotlighted weaknesses.
Including training is a must
“There is no substitute for training and educating employees to ensure that policies are understood and acknowledged,” according to Eltis. She adds that security can’t merely be left to IT; it must also be addressed by leadership and trickle down.
“Security must also adapt to changing needs and address broader threats,” Eltis states. There should always be a management liaison with the MSP so that the SMB and MSP are operating on a united front.
For better or worse, office politics and corporate culture are as much a part of the MSP job description as anything else.
Eltis says that a company needs to emphasize top-down changes “which should encompass all areas relating to fundamentals like BYOD,” plus related fundamentals like establishing the appropriate equilibrium between facilitating mobility, productivity, and bringing all stakeholders onboard about the importance of protecting data.
“More broadly, don’t succumb to what Tim Wu has referred to as the phenomenon of ‘the Tyranny of Convenience.’ The Internet gave us access to anything and anyone, but gave anything and anyone access to us,” reminds Eltis.
With MSPs increasingly dealing with sensitive data, the inevitable challenges of privacy come to the foreground, and healthcare data has emerged as a particularly acute concern.
“Safeguarding ‘big health data’ will require a panoply of tools. Above all, human reflection and oversight are the most important aspects. Robust corporate policies, education of users, a culture where reporting is encouraged, not shamed or dismissed, are key components,” Eltis details, adding that the old adage “if you see something say something” ought to be part of company culture. All security tools need to be paired with common sense and wisdom.
According to Eltis, whether the tool is sandboxing, patching, firewalls, or anti-phishing software, the weapons in an MSP’s arsenal need to be viewed as part of a “complete breakfast,” which includes education and a corporate culture where security concerns are taken seriously.
When it comes to security, there are no silver bullets. MSPs need to keep one eye on the big picture, while keeping another on specific threats. That’s a lot to watch, but it is necessary in today’s rapidly changing cyber landscape.
Photo: Jacob Lund / Shutterstock