MSPs grapple with managed cybersecurity services challenges

Stories from the field

The roundtable-style "Stories from the Field" session featured cybersecurity veterans discussing everything from the state of the industry and regulations to experiences dealing with cybersecurity incidents.

Evan Francen,  CEO of IT security management provider FRSecure LLC and software firm Security Studio, got the ball rolling by talking about the most prevalent crime he sees right now: ransomware attacks. Besides seeing a rise in ransomware incidents, Francen said he has noticed that these attacks are leading to more data exfiltration than previously.

Chris Roberts, the virtual CISO of Hillbilly Hit Squad, a research and development company, said security concerns have become more complicated following the move to remote workforces this year. "Back when you were inside an organization, you had, to some degree, a certain level of protections," Roberts said. "We were able to circle the wagons. The problem at this point [is] we're getting picked off one by one and it's just too easy."

If you're an MSP and you don't know your client intimately, you're doing that client a disservice.

The current work environment is filled with rogue assets and non-standardized endpoint security, which allows attackers to target one or two employees at a time, Roberts said. This is a much simpler hack than having to deal with an entire office infrastructure.

"What's crazy about all of this is it's all the same basics: Stop using single-factor authentication," Francen added. "Seriously, you're making it too easy."

Some SMBs don't realize how big a target they are. Matt Lee, director of technology and security at managed service provider Iconic IT, said SMBs face the same risks as large corporations but are the ones most likely to ignore the risks. He stated that part of a managed cybersecurity service provider's job is to educate and get their clients to understand that they are at risk. SMBs don't need to understand the technology side of the security risks, but they need to understand the ramifications.

"You talk to a business and ask them if they have fire insurance. 'No doubt,' they say. They all have it," Lee said. "Next, you ask if they keep kerosene lamps in precarious places, always lit, and play kickball inside. 'No, that would be stupid,' they say. Where's your two-factor authentication? You're kicking lamps."

Alternatively, Francen said one of the best ways for MSPs to defend themselves and their clients is to understand the assets that hackers would target. "Know your assets, the configurations [and] the applications on those assets," he said. "If you're an MSP and you don't know your client intimately, you're doing that client a disservice."

Small business, big target

Meanwhile, in the IT Nation Secure presentation, "Small Business, Big Target," National Cyber Security Alliance director of education and strategic initiatives Daniel Eliot discussed SMB cybersecurity guidelines for MSPs.

According to Eliot, the industry as whole hasn't done a great job at educating people about cybersecurity. He pointed out some common misconceptions and how to handle them.

• A very common belief among SMBs is that their data isn't valuable. An SMB client might consider themselves too small to be targeted or think they just don't have anything of interest to a criminal. MSPs need to help SMBs understand the value of their data -- for instance, tax records.
• SMBs need to understand that cybersecurity isn't just a technology issue. MSPs need to help the SMB community understand the human element of security. After the criminals get past the technological controls, it's then up to the user not to click that malicious link or download that malware.
• Not all insurance policies cover cyberattacks. MSPs should recommend that their SMB clients review their policies to avoid any surprises down the line.
• Attacks don't always come from the outside. MSPs must explain to clients that, even if accidental, insider threats are common. MSPs can help their clients design risk frameworks to reduce vulnerabilities.
• Many business leaders don't know the difference between IT and information security and assume their IT vendors are covering their security. This might be the most dangerous misconception because the business could be operating under a false sense of security.
• Being compliant with regulatory requirements doesn't mean you are secure. While regulatory compliance can be a great start for protecting businesses, compliance is not a security strategy.
• Cybersecurity isn't always expensive. While some tools can be big investments, there are many steps MSPs and their clients can take that cost nothing or very little. Setting up two-factor authentication, creating and implementing policies, leveraging existing platforms or services, and using free educational tools are all great examples.

"This concept of supporting small businesses is only going to get more complicated as the threat landscape gets more complicated," Eliot said. "This pandemic opened up a whole new set of concerns for securing [SMB] organizations. What it comes down to is communicating the value of why they should invest in security."

Eliot recommended MSPs use all the managed security services resources out there and to focus on how they talk to non-tech audiences. "Be a partner, don't show off [and] don't use too much jargon. Maybe practice on someone who isn't a cybersecurity expert," he said. "See if you can tie cybersecurity into the vision and mission of their business. That'll get their attention."