We thought information technology was a fast-moving rocket until we encountered cybersecurity. It seems that as soon as one threat is handled, another, more malicious one pops up. It’s no wonder just about every Managed Service Provider (MSP) owner tells us their clients expect them to be a cybersecurity expert as well. Companies and organizations know they need help because they can’t possibly afford the kind of sophisticated security talent cyber requires.
This year, Cybersecurity Ventures anticipates that the costs of global ransomware attacks will reach approximately $20 billion. To make matters worse, the firm projects that the cost of these attacks will increase at a rate of 15% per year, topping out at $10.5 trillion by 2025.
Core Element of Every Solution
For MSPs of all sizes, being able to see and proactively manage big-picture security, especially cybersecurity, is key. Cybersecurity expertise has to be a core element of every solution set. However, in reality, we’ve found most MSPs only dabble in security. Lacking a skilled and certified cybersecurity team isn’t just a competitive disadvantage for MSPs; it’s a significant hurdle to be overcome if they are to survive.
Consider the most recent high-profile ransomware attack, which targeted the global technology consultancy Accenture. LockBit demanded a ransom of $50 million after claiming responsibility for taking more than six terabytes of data. If Accenture did not pay the ransom, LockBit threatened to publish the data. News reports stated that LockBit posted 2,000 of the stolen files on the dark web for a brief period. However, Accenture did not admit or deny making payment to LockBit.
This is also occurring, at an alarming rate, across the many small and medium-sized businesses (SMBs) that MSPs cater to. If a company’s data is breached, it will turn to its MSP for assistance and possible financial relief. In recent years, we’ve seen some of these breaches come in through software installed by the MSP itself, which means the company is certain to relieve the MSP of its duty, at best, and to name it in a lawsuit, at worst.
CISO: Every MSP Needs at Least One
The rise in cybersecurity attacks and increasing demands for ransom make having, at the very least, a Chief Information Security Officer (CISO) a market requirement for all MSPs. In addition, MSPs need to offer a full range of cybersecurity services such as virtual private networks (VPNs), encrypted email, endpoint protection, security audits, compliance audits, security awareness training for end users, and security action plans, policies and procedures that can be activated at a moment’s notice if a breach is suspected. MSPs can also expect their customers to ask them about their Strategic Operations Center (SOC) that monitors all client systems 24/7/365.
If you are an MSP that thinks there is plenty of time to assemble a cybersecurity team, you need to think again. You need deep cybersecurity expertise now – not years from now. The following two cases illustrate the kind of damage that can happen while you are off building your cyber team.
MSPs’ Vulnerability is Real
To better understand your vulnerability, look no further than two recent incidents involving SolarWinds and Kaseya.
N-able, the remote monitoring and management (RMM) subsidiary of SolarWinds, was being spun out from SolarWinds, but that didn’t seem to matter to the marketplace when a large-scale breach was announced by its parent company. N-able suffered declining new subscription sales and lower net new revenue, as well as reputational harm, even though none of its code was involved in the suspected Russian hack of SolarWinds, which pumped poisoned code into 18,000 clients’ systems across U.S. government agencies and private sector organizations.
Many MSPs use Kaseya’s software to remotely manage their customers’ systems. It was an update to that software that caused massive headaches for Kaseya, its customers and its customers’ customers. Another ransomware-as-a-service group, REvil, took advantage of a never-before-seen vulnerability in the company’s network management and remote control software update to inject ransomware into MSPs’ customers’ systems and downstream to the customers’ customers’ systems.
While initial reports stated that the ransomware was distributed to more than 1,000 businesses in 17 countries, Kaseya maintained that the actual number of affected customers totaled 60, while those affected downstream numbered 1,500 companies and organizations.
Now called one of the most significant attacks in recent history, the Kaseya incident occurred just as the company was addressing zero-day vulnerabilities that had been discovered in its web-based administrator tools by Dutch security researchers. Zero-day issues take their name from the fact that there are no days to resolve the damage they create.
Customers Need to Question Cyber Capability
MSP customers need to be able to tell if your MSP offers commercial-strength security services or just “does” security, and they are beginning to understand how: by looking for a dedicated cybersecurity team, security-certified staff or an affiliation between your MSP and a top-tier security provider. They are also reviewing the credentials of cybersecurity professionals and searching for titles that show a measurable amount of cybersecurity expertise, such as Certified Ethical Hacker, Certified Information Systems Security Professional, CompTIA Security+ and Certified Information Systems Auditor, among others.
Investing in your cybersecurity services and team, or joining forces with an organization that has already built this out, is something to be done much sooner rather than later. The risk and impact to your MSP of not addressing this are simply too great, and they are accelerating faster than you might realize.