Cybercriminals have discovered a simple trick for multiplying their effectiveness: target MSPs themselves. If breaching one business’ systems is like slipping past a security guard unnoticed, infiltrating an MSP is like stealing that guard’s whole key ring. A successful MSP breach lays bare the data of all its clients, making MSPs particularly ripe targets offering a rich bounty.
The potential vulnerability of providers themselves has quickly become an issue recognized by some MSPs and their clients. Incidents involving MSP clients that happen to be state and local governments have led public officials to take notice as well, and even to respond with legislation.
Louisiana’s cybersecurity struggles
Last year, Louisiana declared a statewide emergency following a cyberattack on an MSP that enabled the bad guys to lock up the systems of several school districts with ransomware. Shortly after, an attack on a single vulnerable MSP in Texas led to a string of incidents that crippled the systems of 23 local town governments. Louisiana has recently put in place a formal response to this issue – Act 117. The legislation requires registration of all MSPs working with public entities, and mandates those MSPs to disclose all cyberattacks and breaches to government authorities.
Louisiana Secretary of State Kyle Ardoin raised the concerns driving this legislation in a January speech to the National Association of Secretaries of State in Washington, remarking: “As attacks grow more sophisticated, many MSPs have not been upfront with their clients about the need to invest more in security. This leads to serious problems for their clients, and the MSPs themselves.” Ardoin summed up the issue by stating that “if MSPs aren’t protecting themselves, how can they protect their clients?”
To be clear, I’m certainly not calling out any MSP for becoming a target – I speak from experience when I say that most members of the MSP community are absolutely dedicated and serious about security, both their clients’ and their own.
Instead, I want to raise the point that MSP clients must elevate their own appreciation for effective and comprehensive security. The MSPs that I know should be assertive with new clients that try to nickel and dime themselves out of adequate security measures. MSPs commonly face this exasperating conversation (just look at any MSP member group on Facebook, LinkedIn, reddit, etc.), in which clients know that they’re speaking with true experts detailing the devastating risks of breaches, and the carefully considered tools and practices required to prevent them, and still only ask for something cheap instead.
Layered security is required
As MSPs are acutely aware, defending an organization from potential cyberattacks on all fronts requires layered security that is thoughtfully assembled. Access controls must be hardened in adherence to the principle of least privilege, and backed by technology such as two-factor authentication. Trusted endpoint security solutions need to be in place and active. Servers and systems need to be isolated to prevent and limit escalating attacks.
Employee training in security best practices is an essential factor in any cybersecurity regimen (in-person training sessions are more effective and recommended, once in-person meetings are safe again). And, of course, MSPs must grapple with more of their clients’ working remotely and the added security burden that imposes.
MSPs and even more security-specialized MSSPs apply their expertise in combining complementary security layers that check all the boxes and together offer complete protection. Certain clients will then come along and ask if they can swap poorer quality parts into this finely-tuned apparatus, or even if they can apply only certain cheaper protections piecemeal. The reality is that the absence of any one security layer leaves a gap and, well, one gap is all an attacker needs.
Don’t try to force low pricing
It’s fair to say there are MSPs in the industry that will attempt to cater to clients’ pricing requests no matter how unreasonable or what effect it has on the quality of the end service. I’d urge such MSPs to rethink that practice; ultimately, it poorly serves the client, the MSP, and the reputation of the industry itself.
MSPs should only be offering and utilizing security services that keep themselves and their clients out of the headlines, and they certainly have every incentive to do so. It pays to hold firm with clients who fail to appreciate that when you seek bargains in cybersecurity, the costs later on can be severe.
Photo: only_kim / Shutterstock
