For the better part of a year now, managed service providers (MSPs) have been the focal point of a series of attacks that are starting to erode customer confidence. A survey of 476 attendees at the recent Black Hat USA conference conducted by Gurucul, a provider of cybersecurity analytics tools, finds that when it comes to third parties accessing their IT environments, the entities eliciting the most concern are managed service providers (MSPs).
Published today, the survey ranks MSPs as the top concern among third parties accessing IT environments at 34 percent, followed by developers (30 percent), systems integrators (20 percent), and then external auditors and call centers, tied at 8 percent each.
Attackers use MSPs to get to SMB customers
MSPs have come under increased attack because cybercriminals have discovered that if they can compromise one MSP, they can then move laterally to attack the customers that employ that MSP. The Federal Bureau of Investigation (FBI) first began warning about these attacks last October. At the end of that year, the U.S. Department of Justice announced that Chinese nationals had conducted global campaigns against at least nine MSPs.
Soon after, it was revealed Wipro had been the victim of an ongoing series of phishing attacks targeting its employees. Most recently, ransomware attacks have targeted the software many MSPs rely on to manage their operations. Subsequently, those ransomware attacks were extended to include customers of those MSPs.
Cybersecurity attacks on one MSP are bad for every MSP
Many internal IT teams have a natural bias against MSPs that they perceive to be usurping many of the functions that once belonged to them. A handful of successful breaches against MSPs confirms that bias, even though most MSPs have much more cybersecurity expertise than the average IT organization. In terms of sheer volume of attacks, most MSPs thwart thousands of attacks aimed at both them and their customers each day.
Despite those efforts, it’s also clear MSPs will need not only to invest more in securing their operations, but also to spend more time and money on attaining certifications that prove they’re able to ensure a base level of security. More customers than ever are going to demand that some external organization has evaluated the cybersecurity defenses an MSP has put in place. On top of that, it’s now only a matter of time before insurance providers start asking similar questions.
MSPs have two choices
Either they can build a cybersecurity practice to recoup the investments they need to make anyway, or they can partner with a managed security service provider (MSSP) that has already made those investments. The first approach naturally requires a significant investment. The latter approach requires a deep level of trust between IT service providers that is often hard to attain and maintain.
Of course, it’s tempting for MSPs that have not suffered a breach to want to stand pat. After all, why fix something that isn’t broken?
The trouble is, perception is reality. As more customers become convinced something is amiss among MSPs and the level of cybersecurity they provide, the more costly and challenging it becomes to convince them otherwise.