There were over 700 million attempted ransomware attacks in 2021 alone. Unfortunately, a new preferred target has be identified: managed service providers.
Criminal hacker groups were spending more time focusing efforts on a strategy known as a “digital supply chain” attack to compromise both software and service providers and move up their supply chains through a novel abuse of privileged insider access. And, according to Gartner, 99% of cloud security failures will be the customer’s fault through 2025.
The threat to the MSP industry has only grown more serious. In May of 2022 the U.S. Cyber & Infrastructure Security Agency (CISA) and FBI issued a joint advisory with their “Five Eyes” peers in Australia, Canada, New Zealand, and the UK warning of threats specific to managed services providers.
“As this joint advisory makes clear, malicious cyber actors continue to target managed service providers, which can significantly increase downstream risk to the businesses and organizations they support – why it’s critical that MSPs and their customers take action to protect their networks,” said CISA Director Jen Easterly. “Securing MSPs are critical to our collective cyber defense, and CISA and our interagency and international partners are committed to hardening their security and improving the resilience of our global supply chain.”
The advisory suggested five things that both MSPs and their customers should do to reduce the risks of suffering a successful attack, including recommending that MSP customers “ensure their contractual arrangements specify that their MSP implements the measures and controls in this advisory.” The five recommended actions include:
- Prevent initial compromise by implementing mitigation resources to protect initial compromise attack methods from vulnerable devices, internet-facing services, brute force and password spraying, and phishing.
- Enable monitoring and logging, including storage of most important logs for at least six months, and implement endpoint detection and network defense monitoring capabilities in addition to using application allowlisting/denylisting.
- Secure remote access applications and enforce multifactor authentication (MFA) where possible to harden the infrastructure that enables access to networks and systems.
- Develop and exercise incident response and recovery plans, which should include roles and responsibilities for all organizational stakeholders, including executives, technical leads, and procurement officers.
- Understand and proactively manage supply chain risk across security, legal, and procurement groups, using risk assessments to identify and prioritize the allocation of resources.
CISA’s recommendation that customers get directly involved by ensuring that their MSP partners undertake certain security measures—and to contractually obligate MSPs to those measures—is yet another signal that the game is changing, and that MSPs must regard cybersecurity as a business imperative. A recent ScienceLogic survey that found 46% of European managed service providers are concerned about security issues confirms that MSPs are thinking about these trends. But thinking does not necessarily equate to action, and MSPs need to act.
Industry Pressure Is Mounting
Market pressures now demand that MSPs create and document security programs, earn certifications in certain security disciplines, and train or hire professionals with bona fides like Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified Information Privacy Professional (CIPP), and Certified Information Security Manager (CISM). And security isn’t just about preventing cyberattacks and avoiding data breaches; it is about complying with the many security and privacy regulations that dictate how various kinds of sensitive data—like financial, healthcare, personal, and intellectual property—are protected and managed.
There are omnibus regulations, like the European Union’s General Data Protection Regulation (GDPR) that dictate how the data of EU citizens can be collected, used, stored, and moved. Industry-specific regulations like the Health Insurance Portability and Accountability Act (HIPAA) dictate how sensitive patient data can be collected, used, and shared. The Payment Card Industry Digital Security Standard (PCI DSS) is regarded as established best practices for securing and managing data associated with credit, debit, and other forms of digital payment. Nearly every country has its own complex legal regime to protect personal and business data, and it takes specialized knowledge to understand and comply with the rules for all jurisdictions in which an MSP does business.
The systems, programs, and people it takes to understand and comply with all these rules require time and resources, but it makes good business sense to make these investments. As a practical matter, as organizations demand that their MSPs take responsibility for their security practices, only those MSPs that can prove their ability to take on that risk will qualify for the most lucrative contracts. Furthermore, by investing in systems, personnel, and programs that can mitigate the risks of falling victim to a cyberattack, the costs associated with a data breach can be avoided.
Non-Compliance is Costly
According to the most recent IBM/Ponemon Institute “Cost of a Data Breach Report,” the average cost to organizations that suffer a data breach is $4.24 million dollars per incident. That figure includes an aggregate of factors, including fines, legal fees, technical forensics and remediations, increased marketing, and losses associated with declining business opportunities and increased customer churn due to a loss of brand reputation. For the most egregious incidents, however, costs can be higher. Significantly higher.
A data breach that hit hotelier Marriott in 2018 could end up costing the company more than $12 billion, while a 2011 breach at marketing services provider Epsilon cost the company a reported $4 billion. Other high-ticket breaches include British Airways ($200+ million, reduced to $25+ million). Retailer Target ($162 million), Heartland Payment Systems ($140 million), and health insurer Anthem ($100 million).
Four Best Practices for Compliance Programs
For MSPs that want to minimize the risks associated with a data breach and associated fines for regulatory non-compliance, we recommend four best practices:
- Actively track, verify, and manage system and configuration changes. According to the most recent Verizon Data Breach Investigations Report, misconfigurations contribute to as many as 15% of data breaches. Unauthorized and unplanned configuration changes are also a high priority indicator of compromise (IoC) and should be investigated as a possible breach to contain potential attack effects and limit damage.
- Build, manage, and document specific compliance policies. Written plans are required by regulators and serve as a reassurance to customers and prospects. Documentation of plans, updates, and ongoing compliance processes is also a requirement of security and compliance auditors. Compliance is not a one-size-fits-all exercise. As previously discussed, specific requirements are involved based on industry, geography, and any cross-border transfers of data involved.
- Ensure configuration and data back-up processes is in place and have a failsafe recovery plan. When misconfigurations are detected, or if unauthorized changes (either malicious or done in error) are made to data systems, having a backup available for rapid restoral is vital. But a simple restoration to previously saved configurations is not enough. A complete disaster recovery and business continuity plan should be in place to cover contingencies ranging from simple errors to major cyberattacks, including events like denial-of-service attacks or ransomware infections.
- Eliminate operational and data silos. When systems and data are stovepiped, it creates complexities for data management tools and systems. Unifying operational systems means tools can see all relevant processes, making compliance management and monitoring more efficient.
The Right Tool for the Job
For MSPs that recognize the importance of running an operation that values security and compliance, and that are willing to make the investments necessary to create and maintain programs that support compliance, it is important to choose tools and partners with the same care that you should expect your customers to demand of you. That means not only working with top security vendors, but with other vendors whose products are built on the security by design model and that can efficiently support the execution of compliance programs.
It also means understanding that maintaining a compliance program is a daunting task, and one that is not possible without automations specific to the various aspects of tracking and documentation. When moment-to-moment operations and changes at the device level need to be tracked, backed-up, managed, and documented, a solution like Restorepoint can cut staff time dedicated to such tasks by more than 50%, while increasing the scope, scale, and accuracy of the results. And because actions that can’t be confirmed are assumed to be non-compliant, if an audit is conducted, thorough documentation can equate to millions of dollars saved by avoiding fines.
Visit our blog next week for the third and final part of this blog series. For more information about how Restorepoint can be an essential part of your MSP compliance program, click to find more information about our products and company, or contact us.