The managed services industry is constantly pushing MSPs to pivot toward the latest market trends, but the pivot to cybersecurity is taking on a different and more urgent tone.
ConnectWise Inc.’s IT Nation Connect 2019 conference, held from Oct. 30 to Nov. 1 in Orlando, Fla., stressed that managed service providers (MSPs) are in criminals’ crosshairs. Because of their centralized management systems such as remote monitoring and management (RMM), MSPs have unique access to their customers’ IT infrastructure and data. Increasingly, threat actors realize this and are finding ways of breaching MSPs’ systems to spread ransomware, steal sensitive information or execute other criminal activity.
The cadence of attacks on MSPs appears to be intensifying, which reflects a growing awareness among cybercriminal organizations and even nation-state actors that MSPs are attractive targets. ConnectWise is one of a chorus of managed services industry players urging MSPs to acquire the mindsets, practices and technologies required for advanced cybersecurity.
“Cybersecurity is the great unknown, and we are so far behind and so flat-footed and so ill-prepared, and it is happening at such a massive scale,” said Michael George, CEO of Continuum at IT Nation 2019. ConnectWise revealed at the event it has acquired Continuum, an MSP software competitor.
SMBs under attack
In a conference session, George underscored alarming threats facing small businesses, a market segment that the bulk of MSPs focus on. The segment is large, with 6.2 million companies in North America employing 100 people or fewer, he said.
Michael GerogeCEO, Continuum
While small businesses have progressively become operationally reliant on technology, they have given little attention to cybersecurity. SMBs and MSPs believed it unlikely that cybercriminals would pursue a 22-person law office or a nine-chair dentist office, George said. “Nobody would ever try to attack that kind of small business, so we never thought ourselves to be vulnerable to it,” he said.
Today, of course, that notion has been flipped on its head as more SMBs are targeted by attack methods such as social engineering and ransomware. “I can assure you that most [small businesses] are either completely vulnerable or mostly vulnerable to these kinds of attacks. And, of course, that workforce is completely uneducated about it … that they might be a target for cybercrime,” George told IT Nation 2019 attendees.
“What we have is a small to medium-sized business market that is unsuspecting prey and a managed services industry that is ill-equipped to address those challenges,” George said.
What MSPs are up against
Among numerous speakers at IT Nation Connect 2019, the outlook on cybercrime for 2020 and beyond is bleak, mainly because the threats are being insufficiently addressed.
“Globally, we still have organized groups and some nation-states targeting MSPs, given [MSPs’] centralized access to what [attackers] believe are very valuable supply-chain targets,” said John Ford, chief information security officer at ConnectWise. Ford noted that 2019 has seen a resurgence and spike in ransomware attacks and that these attacks are executed at a faster rate than before.
Kyle Hanslovan, CEO of Huntress Labs, an MSP-focused threat detection software company, agreed. “The attacks against MSPs are on the rise, so much so we are seeing maybe up to three MSPs a week getting targeted in mass ransomware incidents,” he said.
“I am surprised [MSP-targeted attacks] didn’t happen years ago, but I think a lot of the criminal groups wised up” to the ways MSPs can be exploited, said Jon Murchison, CEO of Blackpoint Cyber, a cybersecurity firm that offers products and services to MSPs.
Murchison added that MSPs make attractive targets for nation-state actors. He pointed to the major defense contractors with massive supply chains, which often include small defense contractors using MSPs to run their networks. He also noted the wave of municipalities getting hit by ransomware.
Ronald Clark, a strategic advisor for Blackpoint Cyber, said that one driver behind today’s cyberattacks is that it represents “a very low-risk, high-reward set of operations,” especially when compared with other kinds of criminal efforts — for example, physically robbing a U.S. bank. The risks inherent to the cyber world haven’t yet posed significant deterrents to criminals, he said. Additionally, even when cybercriminals abroad are identified in U.S.-based attacks, “there are still … challenges of extradition.”
Meanwhile, Chris Inglis, a board member of Blackpoint and former deputy director of the National Security Agency, said he anticipates nation-states and criminal enterprises to grow “increasingly audacious” in scope and scale. Thus far, he said, these actors have seen little consequence for their previous attacks, which could have an emboldening effect. On the other hand, he expects governments and the private sector will realize they must come together, integrate and collaborate to counter the varied threats. He said he is bullish that more public-private collaboration will emerge.
DeNeige Watson, whose current roles include executive director, risk desk, at Risk Assistance Network and Exchange, underscored that nation-states will indeed step up their attacks. “If you look at the geo-political landscape, yes, the nation-state actors are going to be more … audaciously aggressive,” she said.
Watch the IT Nation Connect 2019 opening keynote.
Watson noted that the Trump administration has leveled “more sanctions on more entities and sectors and countries than the previous administrations have,” and, as these sanctions take hold and increasingly “bite,” the governments or individuals living in sanctioned countries may become more desperate and, thereby, incentivized to turn to cybercrime. She added that global unrest — as seen in Hong Kong; Catalonia, Spain; much of Latin America; the European Union; and elsewhere — adds to the likelihood of cybercrime expanding. “In that unrest, you have ‘haves’ and ‘have-nots,’ and you have a whole lot of malware out there that is easy and cheap to access, and they are going to start targeting more and more places.”
Besides attacks on IT infrastructure, disinformation spread online is something to watch out for in the years to come, said Rhea Siers, senior legal and policy fellow, Institute for Information Infrastructure Protection, at George Washington University. Siers warned that disinformation is poised “to become a weapon of choice for nation-states” and not limited to the political sphere. Nation-states “will aim [disinformation] at American companies and western companies, seeking to do them significant reputational harm,” Siers said.
Where the managed services industry is today: Break/fix
Despite MSPs’ eagerness to transition to advanced cybersecurity, some apparently remain stuck in a reactive mindset. One IT Nation 2019 session, “Are We Living in a Break/fix World of Cybersecurity?” explored this struggle.
The break/fix model, which many traditional MSPs evolved their businesses from, is making a comeback as cybersecurity issues proliferate, said Andrew Morgan, solutions strategist for vendor alliance at ConnectWise. For example, instead of customers calling up their providers to fix a broken machine, they are now calling about their systems acting up after they clicked on a strange email. MSPs respond by trying to put out the fire. “Today, it is the same thing. … Everything is reactive,” Morgan said.
MSPs have cited a range of challenges for making the cybersecurity transition. Some have said that the vast selection of cybersecurity vendors and tools are tricky to sort through. Moreover, vendors’ marketing lingo can obscure what tools actually do. Other MSPs have said the skills gap makes it tough to hire, train and retain security-focused staff. Even once an advanced cybersecurity offering is put in place, MSPs have complained it is difficult to convince customers to pay for it.
Karl Bickmore, CEO of Snap Tech IT, an Atlanta-based MSP that has transitioned to cybersecurity, said MSPs need to build out an internal cybersecurity framework and then present customers with a comprehensive security plan. “You have to think about how to put your offering together. You do need tools in that offering. But it is much more about how are you filling out the parts of the [security] framework and how are you addressing the components, and the tools just become that thing that you use as part of your process. But you don’t sell the tool; you sell the process or the plan,” he said.
“A lot of [MSPs] are not recognizing that this is just a replay of the cycle. … This is just another break/fix thing happening that now needs to be taken in and programmatically addressed.”