Managed Service Providers (MSPs) need to be on alert.
These businesses are relied upon by a myriad of organizations in a range of industries for managing services that encompass all things IT and telecommunications – from personal computers to cloud storage, from servers to scanners, and much more. But MSPs are now being targeted – specifically, according to a recent Reuters report, by the international hacking ring Cloudhopper, which is linked to the Chinese government. Why are they under attack? Because given their range of clients, and the amount of data each one of those clients possesses, they offer a trove of valuable personal data that multiplies with every client they serve.
This may come as some surprise to MSPs, but from a cybersecurity standpoint it makes complete sense that MSPs and other IT service providers are prime targets. After all, they have unfettered access to their clients’ valuable data, whether they store it themselves or serve as a direct conduit to the clients’ networks. And as Willie Sutton, the infamous bank robber, so succinctly put it when asked why he robbed banks, “that’s where the money is.”
Given this situation, it’s now more important than ever that MSPs step up their game – both for the sake of their clients, and themselves. Relying on anti-virus, anti-malware, and a firewall is not enough. MSPs and IT service providers need a cybersecurity ecosystem that provides 360-degree visibility and protection.
A comprehensive cybersecurity ecosystem blankets the attack surface with a layer of protection that leaves no hole exposed, and nothing left to chance. MSPs should coordinate with cybersecurity professionals to assemble a suite of purpose-built appliances and applications; after all, while IT people can be very good at what they do, unless they specialize in cybersecurity, they need to coordinate with experts. Otherwise, it’s like a general practitioner performing heart surgery, or a dentist straightening teeth (neither of which is a very appealing proposition). And even more importantly, many MSPs don’t invest in next-gen security to protect their own systems that access client data.
Key technology components of a cybersecurity ecosystem really must include SIEM 2.0, next-gen advanced endpoint protection, next-gen perimeter protection, network level monitoring, data loss prevention, DNS and web filtering, file and disk encryption, encrypted backup, and multi-factor authentication. Additional elements of protection to help round out the ecosystem should also include dark web monitoring and security awareness training.
Alongside these components, a comprehensive set of cybersecurity-related policies should be formulated and enforced. These policies must define behaviors and expectations, deputizing members of the organization to join in safeguarding valuable data in the process.
One incredibly effective policy for all organizations (including IT service providers and MSPs) to consider is participation in consistent ongoing education and training. Educational efforts can’t be thought of as one-and-done, but rather must be an ongoing, repetitive, and normative process for a company, allowing employees to practice what they learn every day.
That said, these efforts don’t have to be overwhelming – a quarterly review of policies, routine security announcements (that could be included in a staff meeting’s agenda, a message on a paystub, or a popup when employees log on in the morning), and perhaps a place for security in an employee’s annual review all add up to an environment where employees are always thinking about keeping their own data – and their organization’s data – safe.
Employees should also be educated on the proper use of technology and social media – what they should be looking out for, what cyberattacks actually look like, which websites are infected (and there are tons – even legitimate websites!), and how malware behaves.
Hackers who spoof other people will leverage social media as a means to infiltrate a company from the outside, so that they can then attack it from the inside. They will take on the personality of someone in the organization and send out infected links, for example, through Messenger or Facebook ads. An invitation to click on a link looks legitimate, but it takes the user to an infected site. Effective cybersecurity training can instill a sociological element that changes employees’ behavioral norms with regard to how they interact with one another and act on social media.
This type of education can then be reinforced through procedures that demonstrate to employees how to be good corporate citizens with a strong cybersecurity posture, and policies that demand they live up to these requirements.
Here are a few guidelines to follow:
- Do not post anything about travel habits of the executive team.
- Do not post, or allow to be posted, the names of any of the direct reports to any of the executive team members.
- Do not post, or allow to be posted, anything of consequence about the business on any employee’s personal Facebook or other social media pages. Talking about sponsoring the community Little League Team is fine, but nothing that talks about an individual’s responsibilities belongs anywhere out in the public domain.
- Have and enforce a policy that outlines what can and what cannot be included as public information.
- Have ongoing educational programs to help employees identify potential leaks – recognize them, and avoid the temptation to click on a link just because it’s there. If, for example, you are not expecting a shipment from UPS, does it make sense to click on a link that is “from” UPS when it may well not be?
And, because mistakes still happen despite these precautions and best intentions, it’s not a bad idea for organizations to round out their protection by adding a cyber liability insurance policy for when an employee accidentally opens an infected attachment or visits an infected website.
The good news is that as cyber threats have increased, so has the number of companies that have risen to the challenge. This has significantly reduced prices, making such coverage affordable to almost any business.
Businesses should realize that if their IT provider isn’t protected, neither are they. An IT company that is not fully protected can be responsible for its clients’ data being stolen. Now, more than ever, MSPs and IT service providers need to step up their game with a comprehensive cybersecurity ecosystem for their clients – and themselves.