It seems like about once a month now some government agency somewhere discovers there might be a potential issue with the cybersecurity of a managed service provider (MSP). The latest warning comes from the U.S. Secret Service, which sent out an alert to both government agencies and private sector companies cautioning them that cybercriminals are targeting the IT infrastructure of MSPs. The alert advises that those attacks are being launched in the hopes that MSPs will provide cybercriminals with the ability to compromise IT environments of the downstream customers that depend on those MSPs.
In the last year or so there have been roughly a half dozen of these warnings issued in one form or another. There’s no doubt MSPs are being targeted by cybercriminals and there have been some notable breaches.
However, none of these alerts ever seem to mention the massive number of attacks that MSPs fend off on behalf of their customers. The alert issued seems to imply that organizations would be more secure if they relied on the cybersecurity expertise of their own internal IT staffs. Yet, given the comparative cybersecurity expertise of the average MSP and internal IT department, it should be apparent to all that MSPs enjoy a much higher rate of overall success.
MSPs remain ahead of the curve
That’s not to say there aren’t some well-publicized issues with many of the platforms that MSPs rely on. However, most MSPs are well aware of those issues and have moved with considerable speed to mitigate those risks. In contrast, it might be several months before the average internal IT team gets around to patching applications that have known vulnerabilities.
The truth is most MSP platforms are no more or less susceptible to vulnerabilities than any other application. Those platforms, however, make for a high-profile target that tends to generate a lot more headlines than when one small company finds itself victimized, for example, by malware.
The trouble for MSPs is that all those headlines about cybersecurity alerts are bad for business, especially when they generally lack context. There’s no doubt MSP platforms that are largely constructed on a monolithic client/server architecture need to be modernized to make them more secure. But that’s not going to happen overnight. Most internal IT teams, of course, are struggling with similar issues. Chances are better that MSPs will address their cybersecurity issues long before most internal IT teams address theirs.
In the meantime, MSPs would be well-advised to have a meaningful cybersecurity conversation with their end customers. Many of them are currently petrified, which makes it tempting to look for a scapegoat. However, once they confront those fears, many will quickly realize they are better off with an MSP than without.
After all, as Ben Franklin once noted during a crisis, if we don’t all hang together we will surely hang separately. The challenge and the opportunity is to get customers to appreciate that this simple observation from the 18th century applies now more than ever to cybersecurity.