MSP, Content, Networking

MSP Security: Stop Preaching, Start Practicing


You already know that MSPs remain under attack. The question: What are you personally doing to lock down your business from potential hackers, ransomware and malware attacks?

The issue remains particularly timely for managed IT services providers. Consider the latest anecdotes:

  • Research – MSP Cyberattacks: Over the past year, 74 percent of MSPs have suffered a cyberattack, with 83 percent reporting that their SMB customers have suffered one as well, according to research commissioned by Continuum and conducted by Vanson Bourne.
  • Research – Ransomware Part One: Eighty-five percent of MSPs reported attacks against SMBs over the last two years, compared to 79 percent of MSPs who reported the same in 2018, according to Datto's latest Global State of the Channel Ransomware Report.
  • Research – Ransomware Part Two: Ransomware attacks continued to become more focused and sophisticated in Q2 and Q3 2019, an Emsisoft report says. In contrast to the spray-and-pray campaigns of the past, threat actors are increasingly targeting larger and more profitable targets such as businesses, schools and government organizations, the company says.

If MSPs and their technology suppliers don't move more aggressively to address cybersecurity, the MSP industry as a whole could face a crisis of credibility, ChannelE2E has warned.

MSP Security: Demand More Of Yourself

Frankly, MSPs and some of their technology vendors need to take a hard look in the mirror. In some cases, the picture isn't all that great.

Starting around 2016 or so, some security vendors starting pitching products that can "transform MSPs into MSSPs." The pitches, overall, were nonsensical. There are no "magic boxes" or toolkits that transform mainstream IT support companies into true cybersecurity masters.

In a far more responsible and logical move, some technology vendors have spent at least the past two years telling MSPs that they need to lock down their own businesses before going out and selling more security services to end-customers.

Among the associated steps that ChannelE2E recommended to MSPs:

  1. Sign up immediately for U.S. Department of Homeland Security Alerts, which are issued by the Cybersecurity and Infrastructure Security Agency. Some of the alerts specifically mention MSPs, CSPs, telcos and other types of service providers.
  2. Study the NIST Cybersecurity Framework to understand how to mitigate risk within your own business before moving on to mitigate risk across your customer base.
  3. Explore cybersecurity awareness training for your business and your end-customers to drive down cyberattack hit rates.
  4. Connect the dots between your cybersecurity and data protection vendors. Understand how their offerings can be integrated and aligned to (A) prevent attacks, (B) mitigate attacks and (C) recover data if an attack circumvents your cyber defenses.
  5. Continue to attend channel-related conferences, but extend to attend major cybersecurity events — particularly RSA ConferenceBlack Hat and Amazon AWS re:Inforce. (PS: Also, keep your eyes open for PerchyCon 2020 -- more details soon.)

MSP Security: Demand More Of Your Vendors

In addition to taking a hard look in the mirror, MSPs must also take a hard look at all of their technology vendors -- demanding:

  1. Clearly documented information about basic and advanced security settings in their products.
  2. Fully documented information about known cyber vulnerabilities, and timely, easy-to-find information about closing those vulnerabilities.
  3. Easy-to-find contact information for reporting or requesting information about cybersecurity issues. This should be far more than a generic "contact us" inbox.
  4. Zero finger pointing between vendors while investigating and mitigating a cyber incident.
  5. Clear product roadmaps that explain cyber features and expected delivery dates.

MSP Security: What's Next?

Looking ahead, it's a safe bet we'll see more MSP-centric cyberattacks. But we'll also start to see vendors working more closely with one another on various education, mitigation and recovery strategies.

Among the next moves to watch: The potential rise of an MSP-focused security association, information sharing networks and documented best cyber practices for the managed services industry. For instance:

No doubt, selling security services is a major MSP opportunity. But if you don't practice proper security inside your business, please avoid the temptation to pitch cybersecurity services outside of your business.

Joe Panettieri

Joe Panettieri is co-founder & editorial director of MSSP Alert and ChannelE2E, the two leading news & analysis sites for managed service providers in the cybersecurity market.