Managed IT services: MSPs Could Be Giving Clients Ransomware
A part of my week here at TSI is always spent wading through news stories to stay ahead of all the latest trends and best practices in our industry. After all, how can I provide clients with the most complete, accurate and actionable information to work from if I don’t have access to that data myself?
Most of the time, the trends I spend so much time researching fall squarely in the “positive” category… though unfortunately, that isn’t always the case. Recently, I’ve been reading a lot about the spread of ransomware and what I’ve been finding has been concerning to say the least.
It isn’t just that ransomware is on the rise, although anyone who has ever been a victim themselves can tell you how distressing that is. No, what’s really given me pause has to do with how that ransomware is spreading:
Managed services providers!
It’s absolutely true, and it’s something that is happening far more frequently that one could even imagine. In June, one MSP actually gave more than $150,000 to recover client data after a ransomware attack where in another situation, customers of three MSPs were impacted by a totally separate incident that encrypted the entirety of their customers’ networks.
All of this recent activity is certainly worth a closer look, not only so that you can understand as much about what is going on as possible – but so that you can also take steps to avoid it altogether.
What do These MSPs have in Common?
Other than the fact that they’re all managed services providers, the major factor that all of these instances have in common is that the ransomware targeted the MSPs’ remote monitoring and management tools. Such tools from Webroot and Kaseya were used to distribute the malware in these different instances, and all of this was possible due to stolen or otherwise compromised credentials. Unfortunatley, the troubling questions of how these credentials were stolen is still up in the air.
The incidents were so severe that in their immediate aftermath, Webroot actually sent out an email to customers letting them know that two-factor authentication (otherwise known as multi-factor authentication) was now being enforced on their own remote management portal. This is a significant step, but also a critical one, as it requires not one but two forms of identification before access to the system is granted.
Had this step been in place earlier, those compromised credentials wouldn’t have been as much of a problem. But sadly, some lessons need to be learned the hard way.
The other thing that these MSPs have in common is that they were simply behind the fast-changing IT security curve. The fault for this isn’t all (if any) on Webroot and Kaseya – had those providers been more proactive about their own security, a lot of the risk could have been mitigated entirely. But they’re managed services providers, not managed security services providers – they were simply unequipped to deal with the changes taking place all around them.
Likewise, some of the blame for this situation has to fall squarely on the impacted clients and the MSP Managing their environment. Yes, you need to put a certain amount of faith in your MSP to handle your security needs in an adequate way,but that doesn’t mean that you shouldn’t still make sure that your own house is in order, so to speak. We saw this recently when businesses who failed to update their Microsoft Windows-based systems were hit with the WannaCry worm. All told, that incident impacted more than 200,000 Windows computers around the world – not all of that is the fault of a lackadaisical MSP.
The Major Lessons to Be Learned
All told, many of the incidents I just told you about are still playing out – meaning that we still don’t know precisely what happened, and whether everything was decrypted or not after the ransoms were paid. There are, however, a number of important lessons that we should ALL be paying attention in the future.
First, this is nothing if not a reminder on the importance of a quality backup plan. One of the impacted MSPs was able to quickly recover about 30% of their end-user systems in less than a half hour because those clients employed the company’s Veeam-powered air-gapped offsite backups.
Another consideration to keep in mind is that hackers themselves are quickly becoming more sophisticated all the time. Many of the hackers repeatedly targeted not only RMM platforms but also remote access, remote control and remote desktop services. The FBI and the United States Department of Homeland Security have even taken the extraordinary step of repeatedly warning MSPs about these types of vulnerabilities.
All told, hackers are repeatedly targeting MSPs due to the sheer volume of data (and the value of that data) that they can potentially access. Why spend your time going after one company when you can target an MSP and gain access to all of their client information in one fell swoop?
In an effort to combat this, the FBI (and technology vendors, for that matter) have recommended that MSPs follow the NIST Cybersecurity Requirements and Guidelines. This allows businesses to better assess the unique risks they face by looking at areas like operations, their workforce, their customers, their strategy and even their leadership. It provides guidelines on identifying threats, protecting against those threats, detecting incidents, responding to incidents and recovery.
How to Protect Yourself: The Questions You Need to Ask Your MSP.
All of this also proves that businesses will need to be proactive about making sure that their MSP is acting with their own best interests at heart in the first place. To help guarantee that they are – and to better protect yourself – you should ask any MSP that you’re thinking of partnering with the following questions:
- Is your MSP actually following the NIST requirements and guidelines? If not, why aren’t they?
- Are they up-to-date on all related compliance matters, like PCI compliance for the storing and transmission of credit card information? Never forget that if your MSP isn’t compliant, your business isn’t likely compliant, either.
- How are they managing your passwords? What steps are in place to make sure that credentials aren’t stolen and used against you? Is multi-factor authentication enabled wherever and whenever possible?
- How are their own end users educated as to all the latest security best practices? Remember that the vast majority of all incidents still occur because of user-related activities.
- Are they using Webroot or Kaseya? Have they gone to the measures needed to make sure that they don’t fall victim to ransomware like all those MSPs outlined above?
- Do they use proactive or reactive anti-virus products? Reactive products are designed to respond to a security issue after it has already occurred. A proactive product is one designed to immediately detect suspicious activity to stop that issue from happening in the first place.
- How often do they review the IT security landscape? In my opinion, they should be reading industry news daily. Things are changing incredibly quickly – you need to be proactive about staying ahead of the curve or you WILL get left behind.
Looking Forward: The Future of Cybersecurity
Ultimately, it’s important to understand that when it comes to cybersecurity, we’re all in this together. Yes, those news stories I referenced above involved significant security failures at the MSP level, but they also represent major shortcomings at ALL levels of a relationship, up to and including end users as well. We ALL need to take the most proactive approach possible to keeping our critical information safe from harm. Hackers are getting more advanced all the time, and that isn’t going to stop anytime soon. Therefore, the only choice we have is to advance right along with them – for the benefit of all of us, everywhere.
It’s Your Move!
If you'd like to take a more proactive approach to cybersecurity, I recommend giving us a call. It'll give us a chance to learn as much about your business as possible, so that we can figure out how to mount the specific, organic cybersecurity defense you need.
Vice President Sales & Business Development
Jeremy Louise serves as Technical Support International’s VP of Sales and Business Development. In this role, Jeremy is responsible for all of TSI’s new business and plays a central role in the vision and overall strategic direction at TSI. His personal and professional experience growing up in the family business not only contribute to TSI’s continued success, but its emphasis on understanding SMB needs and the technology solutions needed to accomplish their objectives. Prior to his role as VP Sales, Jeremy earned his MBA from UIBS Belgium and his bachelor’s degree from Hobart College in Geneva NY. When not working with clients helping navigate today’s constantly changing technology landscape, he is out on the water fly fishing.