Just in time for Halloween, we sat down with two of our expert MSPs on our “MSP Fast Track” hangout “The Scary Truth About Cybersecurity” to discuss some bone-chilling facts and insights on how and why managed service providers are increasingly the target of cyber attacks and what they can do to educate and protect themselves and their clients.
We started off with a pretty frightening statistic from our latest report with Vanson Bourne, “Under Attack: The State of MSP Cybersecurity in 2019,” that said 80% of MSPs have experienced difficulties with selling cyber security, and 39% of their clients don't understand the importance of cyber security. That’s the scary truth that MSPs are struggling with today. They know they need to be selling these services but are finding it difficult to have the conversation with clients, particularly as it relates to the additional hardware, software and internal resources that must be dedicated to detection and prevention.
Meet the Panelists
Logic Technology Consulting Group - Yohan Ruparantne, President
ADNET Technologies - Tim Weber, Director, Security Services
How MSPs Secure Their Own House: A Layered Approach
According to our first panelist, Tim Weber, Director of Security Services at ADNET, it all starts with educating clients on the benefits of a layered security approach starting with multi-factor authentication.
“We've seen a huge uptick in the last six to twelve months in successful attacks, unfortunately against MSPs. If we're the victims ourselves we're not going to be much help to our clients, so you must have multi-factor authentication. Now we're asking the same thing with every new vendor we work with, it's one of the first questions out of the gate, what are the authentication mechanisms? How can we protect and integrate it into our existing security solutions?”
Another one of our panelists, Yohan Ruparatne, President of Logic Technology Consulting Group, added “there's not one golden key, there are several layers for the threats to come through. There are different forms.”
Further reiterating the need for this layered approach, Continuum’s VP of Security Product Management, Brian Downey, mentioned “MFA is outstanding. Every MSP should be looking at it, but we're already starting to see chinks in that armor. We're starting to see the attack patterns changing where they are spoofing cell phones to be able to get past MFA. So, how do we stay ahead of that curve and focus on the areas that are going to be the problems for tomorrow as well as the problems for today?”
End-user training and internal staff education were another area of focus in our MSPs’ layered approach to cybersecurity.
Yohan shared his approach to educating clients and end users stating, “We're doing a lot around security awareness training. We're doing quarterly subnet and phishing exercises. If they fail those exercises, then they're required to take more security awareness training. We also send out very topical emails to our clients about issues that are prevalent to educate them about the threat landscape. For me, it's really all about education. The clients need to be aware of what to look out for and how to navigate those threats. And then for the staff, it’s the same kind of thing.”
How Valuable Is Your Client's Data?
According to the ACLU board for purity research, 43% of small businesses suffered data breaches last year and only 13% of MSP SMBs feel confident that their organization is able to defend against an attack. That's scarier than any story or movie we might see this Halloween.
Another frightening stat from the Vanson Bourne report said that 69% of MSPs agreed that their clients are focused on responding to a cyberattack rather than preventing one. The consensus from all our panelists was that it is much easier to have a cybersecurity conversation with a client BEFORE an incident occurs, not AFTER. Still, some clients and their MSPs feel that their data isn’t valuable enough, or that their company size doesn’t warrant the attention of a cyber-criminal and isn’t worth their time. This could not be further from the truth.
According to Yohan, “I used to get a lot of pushback…the question was always why would they want my data? My response was they don’t care about your data. They know it's valuable to you and they don’t want you to have it. So, it shifts the focus from the value that others see in their data and how much they value their data. It's really educating them about the fact that it's not the value that they see in your data. It's the value that YOU see in your data, making sure that it's protected properly.”
Brian added, “an MSP might have some data that's a very small piece of business to them, but something very meaningful for their end clients. Attackers have figured that out. We've seen ransoms change in ransomware when they've realized who the end clients were. That's something you must be aware of as well. You have to think, well this isn't meaningful to me, but it might be meaningful to my clients.”
Taking Steps to Reduce Risk
Trying to solve for every security scenario or address all your gaps and vulnerabilities at once is like trying to boil the ocean. It’s a continuous journey because the threat landscape is always changing. There is just too much happening in the world of cybersecurity, and feeling overwhelmed can become a reason for inaction. Instead, our panelists recommended a step-by-step approach, focusing on an area or two you can improve on immediately, like awareness training or more education for your internal resources. You can then have an honest conversation with your clients, see what works and what doesn’t, and learn and progress as you grow.
Tim suggested, “Consider partnering with somebody that is an expert in cybersecurity to address any skills gaps. You may not have the capabilities to do a risk assessment or an incident response so you should consider partnering with somebody that can help kind of round out your skills in those areas.” Everyone agreed that MSPs should work together and leverage their respective strengths to continue to provide the maximum value to their clients.
It’s also important to implement a culture of security within your own team. According to Yohan, “We start every team meeting educating each other on the kinds of risks scams that are out there, a tip or something related to security. We’ve also employed this framework and have developed a security stack that we offer to our clients. We also make sure that we educate our clients on the level of risk that they will accept. We do joint risk assessments with our clients and we help them complete them, but it's entirely their exercise.”
Tim also noted “we use cyber security insurance as a part of our NIST framework or our security stack because sometimes our clients think they have E and O insurance or general like liability, but a lot of those policies don't cover cyber. So, we make sure that they've got a cyber security plan that allows them to leverage that in the event of a breach.”
All three of our panelists had valuable takeaways on our hangout, “The Scary Truth About Cybersecurity”:
- Instill a culture of security in your organization – Make sure your system environments are safe and secure, because if you can’t keep your system secure and safe, how can you keep your client's system secure and safe?
- Have frank conversations with your clients about their risk - Make sure your clients understand the level of risk they are willing to take on versus the level of security services that they currently have in place with you.
- Partnerships - If you don't feel comfortable doing something, work with somebody that can help you get where you need to be. It's not a bad thing to partner. It just means providing solutions in different ways and it can mean augmenting what can often be hard-to-find security resources.
- Don't get overwhelmed. Take action - There's a lot out there to learn. Just get started. Start with a couple of aspects at a time like authentication methods, awareness training, a risk assessment or incident response plan. You're going to feel a lot better about where you are a month from now. Threats are always evolving and it’s better to start to act than let being overwhelmed cause inaction. If you make a mistake, you can pivot but at least you have learned something and are moving forward.
When we think about the scary truth behind cybersecurity, we tend to look at the negative: we look at the risk. We look at the impacts of a cyber-attack on the business, like reputation damage, downtime loss and ransom payments. Maybe we should look at it a different way. There are very few times in professional careers that you have an opportunity like the one MSPs have in front of them.
Security can be scary, but it will be worse if an MSP does not engage in this area. MSPs should act now to make security their differentiator. Seize the opportunity and watch your business grow. To hear more from our panelists, check out the complete “The Scary Truth About Cybersecurity” hangout.