The cybersecurity reckoning of recent months has compelled channel partners to consider their own shortcomings, adjust their offerings and question long-held assumptions regarding risk assessment and response.
A series of high-profile attacks, including hits on meat processor JBS USA, Colonial Pipeline and IT infrastructure software firm Kaseya, has rattled customers and their service providers. The JBS event resulted in an $11 million ransom payment, while the Colonial Pipeline attack caused a fuel shortage. The Kaseya ransomware incident affected dozens of MSPs and more than 1,000 downstream customers.
"The last 60 to 100 days have given MSPs whiplash from all of the different things that have gone down," said Ian Thornton-Trump, CISO at Cyjax Ltd., a threat intelligence company based in London. Thornton-Trump participated in a cybersecurity panel discussion at CompTIA's online ChannelCon 2021 event, which ran Aug. 2-4.
"We have that perfect storm of predatory behavior from cybercriminal groups that took the opportunity during the pandemic to really up their game substantially," Thornton-Trump said. "We've been hit by an endless series of zero days that were quickly weaponized by bad guys."
The situation calls for a fundamental rethinking of cybersecurity.
"The old paradigm of, 'We're going to look after our customers; we're going to patch them once a month,' is really falling apart with the sudden emergence of these major attack surfaces like Pulse VPN and Microsoft Exchange zero-day vulnerabilities," Thornton-Trump noted.
"There's a ton of stuff changing right now," said Robert Boles, founder and president of Blokworx, a Reno, Nev., managed security services provider that works exclusively with channel partners.
Boles, who also participated in the ChannelCon panel discussion, cited industry legislation in states such as Louisiana and the White House's May 2021 cybersecurity executive order as signs of change. "The writing is on the wall that our peers are going to need to get in line ASAP," he said. "It doesn't matter if you're a vendor or where you live in the food chain. We're all going to be accountable."
Channel partners must shore up their in-house cybersecurity approaches as an important first step toward accountability.
"The biggest suggestion I would have, and this comes from our experience working with MSPs, is eat your own dog food," Boles said.
Service providers demonstrate an inability to protect customers when they ask clients to take security measures that they don't also follow. "You're not defending the client by giving them accurate and effective information," Boles said.
Corey Kirkendoll, president and CEO at 5K Technical Services, an MSP based in Plano, Texas, recommended partners get their houses in order. As an extra incentive, he pointed to a Texas breach notification law that requires the state attorney general to post sizeable breaches on a "wall of shame." That law goes into effect Sept. 1, 2021.
In-house check-ups should be coupled with customer assessments.
"As an MSP yourself, have you looked at your cybersecurity policy to make sure that you're covered, as well as looking at your customers to ensure that they have the right coverage?" Kirkendoll asked ChannelCon attendees.
Steve Rutkovitz, CEO at Choice CyberSecurity, an Owings Mills, Md., company that provides compliance and security services to businesses and MSPs, suggested changes to an MSP's security approach could flow from customer risk assessments. Assessments provide the baseline for creating a cyber resiliency plan, he said.
"Once you implement a resiliency plan ... you have to look at your tool set, your stack," Rutkovitz said. "You may have to add or delete some things that make your stack more right-sized for the kind of security problems clients are having now."
That could mean adding training or artificial intelligence for detecting ransomware, he noted.
Frameworks, metrics and more
Rutkovitz also recommended partners employ a cybersecurity framework. Customers know they need Cybersecurity Maturity Model Certification in the defense sector and HIPAA in healthcare, but the choice may be less obvious for companies in other markets that lack a national compliance regimen, he said.
"It's up to you, the MSP, to start recommending your clients have a NIST CSF [Cybersecurity Framework] or ISO 27001," Rutkovitz said. "I feel that every company out there should now be on a structured framework."
Security service providers should also challenge their established measurements of cyber risk.
"One of the metrics we used to talk about was the cost-per-record of a data breach," Thornton-Trump said. "But now we're dealing with an existential ransomware threat to businesses. The old metric that we had to measure how bad it was? It's [now] so bad, that metric doesn't even work for us anymore."
Finally, channel companies must acknowledge when they are out of their cyber depth. Partnering with another company can compensate for a deficit.
"If you don't know, find a resource," Boles said. "Don't try to wing it, because the stakes ... are out the roof now."