Supply chain attacks are the new battleground of cyber security, writes Paul Rosenthal, CEO at search and digital marketing product company Appstractor Corporation.
Managed Service Providers (MSPs) are a vital part of the cyber security solution for SMBs and are likely to become even more important in the next year, with research from Business Wire suggesting that 41pc of companies plan to invest more in MSP support for IT security. Managing cyber security and IT requirements for dozens or even hundreds of clients at a time can be a significant challenge for any MSP, but it is becoming more important that they also ensure they have robust security themselves to avoid becoming a bridge over which criminals can get to their clients.
Because they have access to IT systems containing commercially and personally sensitive information on their clients, MSPs are a particularly attractive target for cyber criminals. After all, why spend time attacking SMBs individually when you can compromise an MSP and instantly access hundreds of targets?
Finding vulnerabilities through trusted links is a major focus of cyber criminals and so MSPs have a greater responsibility today to “practice what they preach” and invest just as much time and resources into their own cyber security than they do for their clients.
Cyber crime is expected to cost the global economy $2 trillion by the end of 2019 – according to Forbes – almost four times the estimated cost back in 2015.
Historically, responsibility for stopping these costly cyber attacks fell firmly within the confines of the IT department or third party IT suppliers, but they now belong front and centre as a board level business issue – and this includes within MSPs. In reality, MSPs have more responsibility to protect themselves from cyber criminals.
A single unencrypted message intercepted by a cyber criminal could not only expose the MSP’s data and information but also leave the door open to criminals accessing client information. Once a cyber criminal gets access to this information the damage they could do could be devastating and potentially irreversible if they can hijack all the data sent between an MSP and their clients.
With so much at stake, plugging cyber security gaps after an attack is no longer good enough and MSPs must be proactive when it comes to detecting and blocking security threats ensuring that their clients’ data remains secure. One of the biggest ongoing cyber campaigns reported in 2017 was aimed specifically at MSPs with the goal of gaining access to their customer networks, according to a report by PwC.
With MSPs now firmly in the firing line of cyber criminals, and with arguably more to lose than an individual business, these support firms must take robust action to protect themselves and keep their online communications safe. Whether this is upgrading their security policies to ensure staff know the risks of online communication thefts when working remotely, or using public WiFi, to deploying a full range of virus protection and encryption solutions within their business. Failing to take these steps means MSPs are putting their clients in the crosshairs of cyber criminals and putting them at unacceptable risk.
Much of the work of MSPs is now done within the cloud; and this opens up opportunities for criminals but there is a big misconception amongst many that because information is stored and shared via the cloud that it is secure – it isn’t. Individual organisations and their service providers are responsible for securing access to the information, communications and applications they choose to store there.
Without adequate security, any back up files sent to the cloud could be intercepted in transit by cyber criminals and, as many businesses choose to store sensitive information like client data, usernames and passwords in the cloud, if this information is intercepted the results can be devastating for all parties.
Deloitte, for instance, fell victim when attackers used an administrator account that gave them broad access to the business and only required a single password. Two-step authentication could have helped stop the attacks so MSPs should consider strengthening access controls for their customers.
A single security breach can have a long-lasting impact on an MSP as even an attack that took place many years before can keep coming back to haunt them and continue damaging their reputation with customers whose information stolen years ago is used later.
There is, of course, not just a reputational benefit to MSPs in ensuring they have robust cyber security and online encryption in place within their own business; there is a huge commercial benefit to being known as a supplier with a robust security policy and network. And recent research has shown that this is becoming an important factor in the procurement process of businesses when looking for a partner, with half of businesses (50pc) looking to hire an MSP now enquiring about their cyber security policies before committing to an agreement.
Even of those respondents in the report “Under Attack: Assessing the struggle of UK SMBs against cyber criminals” who said they don’t currently ask about cyber security during the procurement process, 24pc believed it should be part of it.
While this desire to have a security conscious partner puts pressure on MSPs to get their own security measures correct, it does also create opportunities for those who do to demonstrate not only an understanding of their clients’ security issues, but an understanding of how to effectively tackle the problems.
Much like marketing is being driven by the user experience in the use of technology like chat bots and AI, MSPs are being driven to meet new expectations from clients that they will not only provide high quality IT services, but that they can also provide these services securely with minimal, risk to loss of data in transit or in place.
Businesses of all sizes and across all sectors are in it together when it comes to the fight against cyber criminals and each business has a responsibility to ensure that they are not only looking after their own house but their neighbours to or, in the case of MSPs, companies who are paying them to keep their data secure.
