Share This:

I talk to MSP owners weekly about cybersecurity trends in the industry and which trends are the most troubling. By far, what I hear about most in 2021 is ransomware. And the statistics bear out the fear of ransomware hitting “soft targets.”

Check Point’s mid-year cybersecurity report shows a 93 percent increase in cyberattacks in the USA over the same time last year. Many aspects are driving the trend, and one of them is those “soft targets.”

What is a soft target?

MSPs need to have soft targets on their radar. Usually, they match the following descriptions:

    • Less than 50 employees.
    • A business that isn’t regulated and doesn’t have typically highly prized information like PHI. Examples of these might be florists, cake-decorators, dry cleaners, janitorial services, or motels.
    • Does business with large businesses. For example, a small manufacturer of keychains and other gift items that produces “swag” for a major company.
    • Has revenue of less than 1 million. A small budget usually leaves little room for cybersecurity expenses.
    • Relies heavily on legacy technology which is usually outdated and unprotected.

The following is a recent incident relayed by an MSP owner in Kentucky that shows the dangers of unguarded soft targets.

The MSP owners received an urgent early morning phone call from a large multinational client saying that ransomware hackers had attacked their systems. Their data was unavailable, and business was ground to a halt. The company would have to conduct business by paper and calculator for the duration of the crisis. The small MSP would spend 90-hour weeks over the next two weeks restoring his client’s data and trying to get to the bottom of what happened.

It turns out that what happened began several states away. A small interior decorating firm’s system was breached. The interior decorator did not know at the time that their accounts had been compromised.

They did what many SMBs do: assume that international hackers seeking large sums of money couldn’t possibly be interested in them. It turns out they were wrong. Hackers were able to infiltrate their email and learn that the CEO of the multinational company was having his office redecorated.

So when the CEO received an email purported to be from the interior decorator with an invoice attached, he had no reason to believe it was anything but legitimate. It was from a spoofed address close to the one the CEO was accustomed to doing business with. It was not, however. There was instead a payload attached, and it unleashed a ransomware attack that would cost his company. The interior decorating firm did not have an MSP or outside IT firm handling their cybersecurity.

Soft targets present opportunity for MSPs

“Small 3-4 person firms don’t usually have the budget for anything other than basic off-the-shelf software,” notes Tony Morris, a cybersecurity consultant in London, England. “MSPs that can go to these SMBs with the right pitch and the right price could find some new business.”

The reputational damage alone that a small business experiences when a hack becomes public would be far more than retaining the services of an MSP. Morris advises MSPs to talk to their clients about whom they are doing business with.

“If you have a high-value client who has a bunch of small vendors they are doing business with, then you need to flag potential security risks,” suggests Morris. “An MSP can’t be policing every single point of contact that a client has, and hackers know this, but you can at least try to tilt the odds in your favor by weeding out ones that seem to be sloppy with their cybersecurity.”

Morris notes MSPs may need to nudge clients into working only with businesses that meet specific cybersecurity standards and ones who sign onto the best practices program. Also, awareness training has a place when it comes to vendor selection.

“Supporting small businesses and vendors is something noble and should be encouraged, but the administration needs to be aware that once you start engaging with a vendor that may not safeguard their systems, then that is a vulnerability,” warns Morris. “I find that simply having a conversation with all stakeholders about cybersecurity and mutual interests and concerns goes a long way towards closing gaps.”

Another weak spot: passwords

“Hackers can leverage their targets’ laziness into big bucks. Don’t use your mother’s maiden name, your social security number, or any other easy password. It amazes me that people continue to do it,” admits Morris. “It’s like putting an open sign on the door for robbers to see.”

Of course, the strongest password in the world doesn’t do much good if hackers manage to deploy keystroke logging malware.

“The bottom line is that MSPs need to monitor client engagement with soft targets and take appropriate precautions,” stresses Morris.

Photo: Pasuwan / Shutterstock

Share This:
Kevin Williams

Posted by Kevin Williams

Kevin Williams is a journalist based in Ohio. Williams has written for a variety of publications including the Washington Post, New York Times, USA Today, Wall Street Journal, National Geographic and others. He first wrote about the online world in its nascent stages for the now defunct “Online Access” Magazine in the mid-90s.


  1. Great article


  2. Nice article, Kevin. Thank you for sharing your insights!


  3. a very good reminder, to be on the lookout for clients, a bit of our time now will save some time down the road


Leave a reply

Your email address will not be published. Required fields are marked *