WIXLIB

MSPs Need Clear Roadmap toCombat Growing Security ThreatsRegardless of their size, managed service providers today face increasedcybersecurity risks and urgently need help to plug their knowledge gap sothey can better fight and mitigate potential attacks.W H I T E PA P E RManaged service providers (MSPs) large or small today face increasingsecurity threats but lack the knowledge to protect themselves againstpotential cyberattacks. This gap can be plugged with clear roadmaps andframeworks that provide the guidance MSPs need to manage their risksand ensure their customers stay secured.There is urgent need for every MSP or technology service provider to realise no company is toosmall or is of no interest to hackers to be targeted. Cybercriminals are drawn to data, not the sizeof an organisation.This means that any company—small or large—with access to sensitive and valuable informationmakes an attractive target. Organisations that continue to believe they are safe and neglect theneed to adopt the necessary security measures will be severely crippled or at risk of shutting downif business-critical information is no longer available for them to continue operations.In short, it is all about the data. If you have data, a cybercriminal out there wants it—whether toexploit the data and demand a ransom for it or to sell it to other criminals.And MSPs increasingly are under the spotlight, as shown by several high-profile third-party attacks,including those involving SolarWinds and Kaseya. These incidents reveal that security breaches canhave widespread impact on MSPs and their customers.

2MSPs Need Clear Roadmap to Combat Growing Security ThreatsAccording to the FBI, hackers in the Kaseya breachexploited a vulnerability in the U.S. vendor’s VSA remotemanagement tool to launch a supply chain ransomwareattack against multiple MSPs and their customers.1Kaseya estimated that about 50 MSPs and as many as1,500 of their clients were compromised in the breach.2There are further indications that hackers have turnedup the heat on MSPs and other organisations acrossall regions, including Asia-Pacific. According to marketresearch, Asia-Pacific saw a 168% spike in cyberattacksbetween May 2020 and May 2021, with an increase of53% from April to May 2021 alone.3 Australia reporteda 15% climb in the number of cyberattacks in Maycompared with previous months in 2021, whileNew Zealand saw a 13% increase.Across Asia-Pacific, the top three sectors that saw thelargest percentage increase in cyberattacks in Maycompared with previous months this year were utilitiesat 39%, MSPs and ISPs at 12%, and software vendorsat 6%.Lack of Knowledge Puts MSPs in Security PerilThe reality is that most MSPs are technologists by trade,not cybersecurity practitioners. Many lack propereducation, training and experience to fully appreciate orrealise that cybersecurity is important not just to theirclients but also to their own business.This gap in experience has resulted in many MSPs shyingaway from having hard conversations around cyberrisks and how they should be managed. This oftenleads to poor security hygiene practices that permeatethroughout the organisation and, subsequently, impacttheir clients’ environments.A lack of experienced staff, for instance, has resultedin a common oversight among MSPs where theimplementation of security point products is oftenreactive and carried out without proper understandingof why such tools are needed. In addition, systemchanges often are made on the fly and without anyrealisation of their potential impact on the company’soverall security and risk posture. There are no controlsin place to check changes and ensure they are carriedout correctly.1 “CISA-FBI Guidance for MSPs and Their Customers Affected by the Kaseya VSA Supply-Chain Ransomware Attack,” Cybersecurity & Infrastructure Security Agency, July 04, 20212 “Kaseya: 1,500 Organizations Affected by REvil Attacks,” TechTarget, July 6, 20213 “Check Point Research: Asia Pacific Experiencing a 168% Year on Year Increase in Cyberattacks in May 2021,” Check Point Software, 2021

MSPs Need Clear Roadmap to Combat Growing Security ThreatsFurthermore, MSPs place too much trust and reliance ontheir vendors, when instead they should do their duediligence and establish risk management programs fortheir suppliers. This would enable MSPs to assess therisks vendors may bring into their environment and,ultimately, expose their own customers.And there are reasons to be concerned, especially forMSPs with limited financial resources: Some 32% ofsmall and midsized businesses (SMBs) have experienceda cybersecurity attack in the past 12 months, up from25% in 2020, according to a Vanson Bourne studycommissioned by ConnectWise.4 Amongst those thatdid, the financial repercussions of the attack averagedUS 104,296, almost twice as much as the average cost(US 53,987) reported in 2019.Apart from those financial losses, 40% of SMBs thatsuffered a cybersecurity attack reported that they lostbusiness data, while 36% lost money due to the timethey had to spend dealing with the incident. Another33% said their brand reputation suffered damage as aresult of the attack.In Australia, more than 67,500 cybercrime reports werefiled during the 2020-2021 fiscal year, up almost 13%from the previous year, according to the AustralianCyber Security Centre (ACSC).5 Organisations estimatedthat they lost more than AU 33 billion (approximatelyUS 24 billion) because of these cybercrime incidents.And while more small businesses submitted cybercrimereports this year than in the previous year, mediumbusinesses reported the highest average financialloss per cybercrime report at AU 33,442 (US 24,341),according to the ACSC.Blame over a security breach also extends beyond thecompany that suffered the attack.The ConnectWise study revealed that 82% of SMBsthat used an IT service provider said they wouldhold that partner at least partly responsible for asecurity incident. Furthermore, 68% would take legalaction against their IT service provider in the eventof a cybersecurity attack, up from 61% in 2020. These4 “Vanson Bourne Shares Stats on the State of SMB Cybersecurity in 2021 and How to Prepare for Attacks,”ConnectWise, 20215 “ACSC Annual Cyber Threat Report: 1 July 2020 to 30 June 2021,” Australian Cyber Security Centre, 20216 “The Economic Costs of Cyber Risk,” Foundation for Defense of Democracies, June 28, 20213findings underscore the need for IT services providers,including MSPs, to ensure they have taken the necessarymeasures to safeguard their infrastructure as well astheir customers’.In a June 2021 memo, the U.S. Foundation for Defense ofDemocracies (FDD) stressed that MSPs were not alwaysable to properly protect their own technology as wellas their customers’.6 In fact, it noted that several largeMSPs were tagged with a one- or two-star rating in theCyberhedge Cyber Governance Indices, highlightingthat such companies had a greater probability and wereat higher risk of falling victim to a ransomware attack.

4MSPs Need Clear Roadmap to Combat Growing Security ThreatsIncreasing Dependence Places Onus on MSPsto be SecureWith the growing reliance on MSPs, this can proveparticularly challenging, as seen in what Perch Securitycalls “buffalo jump” attacks, whereby cybercriminalstarget MSPs because they only need to compromiseone organisation to hit all of the customers managedby that provider.The FDD report found that as organisations, particularlySMBs, pushed on with their digital transformations,they often outsourced IT functions to MSPs. It furthernoted that increasing network interconnections made ittough to distinguish corporate networks from those ofsuppliers, partners and customers. Attack surfaces alsoexpanded with remote work—and along with it, remoteaccess to corporate networks—as the model becamethe norm amidst the global pandemic.The ACSC, in particular, warns that attacks targetingsupply chains present a significant threat becausenetworks increasingly contain more third-party software.The agency notes that cybercriminals are focusingon supply chains as a way to extend their reach andcompromise as many victims as they can. This putsMSPs at greater risk, since hackers know these serviceproviders have links to a wide ecosystem of partnersand customers.With MSPs being given privileged access to theircustomers’ back-end IT infrastructure, even SMBs withstrong cybersecurity postures are vulnerable when thirdparty suppliers and vendors suffer a breach.There is a clear impetus for MSPs to identify andunderstand potential risks, including gaps within theirown environment, by aligning to a best-practicesframework. They must continuously evaluate andimprove their security posture, providing training todrive awareness across the entire organisation.Efforts should include validating third-party softwarebefore deployment, ensuring the applications have notbeen altered or manipulated. Hardware vendors, too,are just as susceptible to vulnerabilities in their firmware.Misconfigurations account for most open attack vectors,which have enabled cybercriminals to breach networks.It is essential that MSPs adopt good cybersecuritypractices and monitor their environments,including software and hardware systems, forpotential vulnerabilities.With MSPs being given privileged access totheir customers’ back-end IT infrastructure,even SMBs with strong cybersecurity posturesare vulnerable when third-party suppliers andvendors suffer a breach.Frameworks Help Establish a CommonLanguage for Risk AssessmentTo help MSPs manage their risks and remain secure,ConnectWise has developed a series of cybersecurityframeworks and playbooks that offer guidelines onbest practices these organisations should adopt. Theyare designed specifically to help MSPs and their clientsshare a common language for identifying risk andsecurity gaps within their environment. Understandingtheir risk profile provides a more fiscally responsiblespend on cybersecurity tools that are best aligned tothe company’s business objectives.Available for free, ConnectWise’s MSP CybersecurityFramework (MSP CSF) details best practices toestablish security controls or improve those MSPs havealready implemented. The framework is built to serve asa verification and validation process to ensure suitablecybersecurity procedures are in place to safeguardnot only the MSP’s systems, services and data but alsoits customers’.MSP CSF offers the outline for an MSP certificationprogram, providing guidance along the MSP’s growthjourney—from baseline security elements to repeatableand adaptive programs.It encompasses best practices that meet key localand international guidelines, including the PaymentCard Industry Data Security Standard (PCI DSS), theNational Institute of Standards and Technology (NIST)