State and local government agencies have become a significant area of opportunity for MSPs in recent years, especially when it comes to ransomware prevention.
Unlike companies in the private sector, municipalities and even state agencies must typically cope with limited IT resources and budgets. However, even with what resources government agencies do have, many fail to fully understand their exposure within an enormous risk landscape.
Why do government agencies fail to grasp their ransomware risks? According to Jonathan Goldberger, senior vice president of the security practice at Austin, Texas-based managed service provider TPx Communications, the answer is twofold. "Part of the reason is they hear about every threat being put out there in the news," he said, which is coupled with "an onslaught" of alerts to patch their IT systems. "They're getting so many notifications they don't know which are the most critical for them."
Threats can come from nation-states and organized crime organizations that are well funded and have built tools to conduct highly sophisticated attacks, noted John Zanni, CEO of Acronis SCS, a provider of cyber protection services for the U.S. public sector.
Today's hybrid work environment demands an array of anti-ransomware tools. Ransomware protection must be installed on endpoints, desktops, servers, and virtual servers and machines, Zanni said.
Get onto the same page about risks
State and local government leaders must recognize that ransomware attackers seek out vulnerable organizations, Goldberger said.
This is where a gap assessment from an MSP can be helpful. An MSP can outline the risks that government agencies face based on the systems they use, their exposure to the internet and the protections they already have in place, Goldberger said.
A common risk among agencies is the use of outmoded systems, such as legacy Windows operating systems, he noted.
"They're vulnerable because in many cases [legacy systems are] not patched anymore, but they can't come off it because of proprietary code running on the server," Goldberger said.
Other constraints can also make it difficult to migrate legacy systems. "Frankly, they don't have the budget and the people to do a migration," he added.
Attackers know this, so many will target legacy Windows vulnerabilities once they get inside a network, which is accomplished through phishing attacks. Once inside, attackers will mine and capture data, then identify vulnerabilities and place the malware, according to Goldberger.
"Attackers tend to be on networks between two and three weeks before they execute ransomware," he said. He added that attacks tend to occur when it's most inconvenient for the municipality -- at 2 a.m., for example, when no one is on the network and response time will likely be hindered.
How MSPs can help in the fight
MSPs hold a special appeal to budget-constrained government agencies. Because MSPs typically charge on a subscription model, services can result in lower annual costs for customers than other kinds of pricing plans, Zanni said.
However, not all MSPs are prepared to work in the public sector. "Most of the MSPs I talk to don't have a dedicated state and local government practice," but instead have a horizontal offering, Zanni said. "By having a specific compliance service offering targeted at state and local governments, you can offer a premium and … expand your market."
Additionally, StateRAMP certification will become a requirement for anyone offering cloud in the next few years, Zanni noted. "The first ones to market [with certifications] will be the ones that can grab the biggest piece of the pie."
With that said, some partners can point to public sector organizations that remain reluctant to modernize IT, despite the security risks of doing nothing.
In light of the huge uptick in cybersecurity incidents today, if governments "don't feel on edge, I don't know what it will take," said Chris Wallace, senior security engineer at F1 Computer Solutions, a solution provider based in Manassas, Va. The company's customers include government contracting organizations. F1 uses Acronis SCS for cloud backup.
"In my experience here and at other MSPs in northern Virginia, the local governments we've interacted with … are limping along on antiquated hardware [and] unpatched software, and there's not really a focus on IT," Wallace said. "There doesn't seem to be lot of understanding about the importance of IT."
For example, Wallace recalls that in 2017, he worked with a township in the Manassas area and provided help desk, DNS filtering software and antivirus software services at a discount. The township operated with a lot of products that were no longer supported or under warranty, including Microsoft Exchange Server 2010, he said. F1 recommended that the township move to Office 365.
The township, however, didn't want to make the transition, Wallace said. "They just fought us the whole way for various reasons: no time, not in budget, etc."
Ultimately, once the township was no longer a client of F1, "that server got compromised by ransomware over the course of six weeks," Wallace said. "It's unfortunate, but at the same time, how bad can you feel for somebody you've told repeatedly something bad is going to happen unless you fix this, and then they just don't?"
Despite the obstacles, Wallace said that local governments represent a "gold mine" of opportunities for channel partners. The main challenge is helping government IT decision-makers understand the importance of ransomware prevention when they haven't yet suffered an attack firsthand.
Wallace noted that some government agencies do grasp the need to boost security. One of its clients, a water sanitation department for a county in the Manassas area, expressed concern after learning about an attack in another state. A Florida-based water department had its supervisory control and data acquisition (SCADA) system infiltrated earlier in 2021. The SCADA system controls and monitors equipment and analyzes information about waterflow and waste waterflow.
F1 provides the Manassas-based water sanitization department with cloud backup and security services. The company also manages the department's infrastructure. Each of the department's sites has a firewall, and F1 uses a remote monitoring and management (RMM) tool to monitor traffic and alerts. "Anytime there's something anomalous, we fix it," Wallace said.
What's on the horizon
MSPs and their local government customers must come to grips with an urgent need to protect vulnerable critical infrastructure today.
Chris WallaceSenior security engineer, F1 Computer Solutions
"There's a lot of antiquated systems out there, and it scares me to think about how many are critical infrastructure, from 911 systems to fire [response]," Wallace said. "There's a lot of stuff that needs to be jolted into the future."
It's also important for agencies to understand that the average cost of a ransomware attack has increased over the past five years, and most agencies can't afford to deal with it.
For all types of government organizations, the main message about ransomware attacks is "this will be you. It's not a question of if but when," Wallace said.