
MSP Security: What MSPs Need to Know

Why is Cyber Security Important to MSPs?

Aside from the obvious - we are in the midst of an epidemic of cyber attacks - cyber security is important to MSPs because, whether they want to be or not, MSPs are the tip of the spear when it comes to protecting their clients. Especially in the small and medium-sized business (SMB) community, MSP clients look to their MSP for all things technical or computer related. And if they suffer a breach, irrespective of how the service contract reads, they’ll be calling the MSP. Moreover, if you’re an MSP and you’re not providing cyber security services to your clients, another organization will deliver MSP security.

What is MSP Security?

In today’s environment, when anyone in the technology world uses the word “security,” it inevitably means cyber security. Thus, the phrase “MSP Security” is a reference either to the cyber security of an MSP’s organization, or the MSP’s clients, or both. Certainly, the protection of the data on the networks of an MSP’s clients is often either explicitly or implicitly the responsibility of the MSP. But the security of the MSP’s infrastructure may be even more important, simply because a compromise of an MSP’s network could easily lead to illicit access to the data of the MSP’s clients. Cyber criminals can breach one entity and potentially access many. Importantly, therefore, MSP security is the combination of protecting the MSP business’s infrastructure, as well as protecting that of the MSP’s client base.

What are the Key Elements of MSP Security?

It’s easy to say that the key elements of MSP security are the same as any other business, but that’s not necessarily the case. Many MSPs service small businesses - medical practices, accounting firms, small law firms, title companies, for example - that can’t afford cyber security solutions built and designed for large enterprises with generous budgets and teams of cyber security analysts. Thus, MSPs have to be exceptionally wise about security, select cyber security products that match the threat posed to the SMB community, and be constantly aware of not only the costs associated with the security product, but also the complexity, ease of installation, and maintenance requirements. To reiterate, cyber security solutions are all designed for a target market, so those originally conceived for the large enterprise and “dumbed down” for the SMB community can introduce a mountain of challenges for the typical MSP customer, or even the smaller MSPs themselves.

How is MSP Security Different than Enterprise Security?

An experienced burglar can undoubtedly penetrate a home security system given enough time and commitment. But rather than expend substantial effort to rob the house with the alarm system, most thieves would likely choose to rob the house next door, the one without any defenses.

Seasoned pen testers can compromise just about any network given enough time and resources, but even those with little experience can penetrate poorly protected enterprises using freely available tools.

We’ve learned over the past few years that cyber criminals view the world through this kind of opportunistic lens, particularly when it comes to attacking the SMB (Small and Medium Sized Businesses) community. If professional cyber attackers from the Russian GRU, China’s PLA Unit, or North Korea’s Bureau 121 want to compromise just about any enterprise network, it’s very unlikely they can be stopped indefinitely. If an enterprise spending hundreds of millions of dollars is still at risk from sophisticated attackers, then the local roofing supply company, regional trucking provider, or 5-attorney law firm wouldn’t have a chance.

Fortunately, state-sponsored cyber criminals are focused on much more ambitious objectives than attacking the police department in a 10,000-person town in the Midwest. Unfortunately, this does not spare the SMB community from the threat of cyber crime. In fact, there are countless cyber criminal entrepreneurs who see the SMB as a potential cash cow, largely unprotected and easy to target with broad, commoditized automated attacks that would probably be much less likely to work against a larger company. The logic is disturbing for the SMB community, but solid for the attackers: when they can use the same server to target thousands of businesses and get a success rate of 10%, cyber criminals can profit handsomely with little to no effort. Returning to our alarm system analogy, this means those houses without an alarm system are an easy mark, and will eventually be exploited.

What Does an Attack on an MSP’s Client Look Like?

When a nation-state actor targets a large private or government organization, the attack can take months to plan, involve weeks of probing, reconnaissance and extensive research, target specific individuals, leverage obscure vulnerabilities or spear phishing, and require multiple, highly-skilled cyber attackers. If you’ve never reviewed the MITRE ATT&CK Framework - you really should - it is a fascinating piece of work that details the attack methodologies cyber bad actors have been observed using over time.