MSP cybersecurity gaps call for cultural shift
Service providers face issues from broken alerting systems to unsupported operating systems. Those that shore up internal security have an opportunity to offer external services.
Cybersecurity services offer a compelling business opportunity for MSPs, but most service providers have internal security flaws that demand attention.
Industry executives speaking at IT Nation Secure, a live and online event hosted by ConnectWise, encouraged attendees to transform their MSPs around rapidly growing security services. But there were also reminders to look within for MSP cybersecurity gaps that could endanger clients.
Bruce McCully, chief security officer at Galactic Advisors, said his Nashville, Tenn., company has evaluated 1,078 MSP networks over the past year. McCully, who summarized his assessment activities at IT Nation Secure, found that at least 80% of the service providers have problems such as broken alerting, overprivileged users and unsupported operating systems.
Galactic Advisors tracks vulnerabilities on MSPs' networks. McCully launched the company after running an MSP, which he sold in January 2019. McCully's MSP worked with hospitals to recover from ransomware. The hospitals were often managed services customers.
"About half of the hospitals we recovered in 2018 were supported by the MSP community," McCully said.
Minding the security gaps
With that experience in mind, Galactic Advisors focuses on MSP cybersecurity. Alerting is one common pain point. MSPs have alert-generating systems such as remote monitoring and management software, but those signals don't necessarily "drive all the way back to a ticket or to a response," McCully said.
In one case, Galactic Advisors encountered an MSP that had inadvertently unplugged the alerting system on its firewall. The company changed internet service providers, and, in the process, cut off its security operations center (SOC) service provider from receiving alerts.
"They switched the address that the SOC should have been looking for with their SIEM [security information and event management system] in order to pick up that alert," McCully said. "A very small change, but it broke the entire capability of the SOC to respond or know what's going on."
MSP attempts to fix such shortcomings, however, may miss the mark. That's because organizations tend to combat security flaws with policies, procedures and standards, McCully noted. Culture, however, proves more powerful than policy documents.
"Culture eats policy for breakfast every morning before policy even wakes up," McCully said.
He urged MSPs to create a security culture at their organizations. That task begins with educating employees, which can include using vivid examples to reveal their security exposure. "You have to educate them by showing them their risk. You can't just tell them about their risk," McCully said. "You have to shock somebody in order to start this educational process."
The next step is to create simple tasks for MSP personnel to accomplish and turn into a habit. An MSP, for example, could create a test plan for its alerting system. Such a test would involve attempting to trigger an alert -- such as a series of failed log-in attempts -- and following up to make sure an alert is generated, McCully said. An MSP working with a SOC provider should coordinate such tests.
The final step is to measure the results of the security culture regimen.
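The alerting test plan described above can be scored stage by stage, so a break like the one after the ISP change shows up as a named failure rather than silence. The following is an added example, not code from Galactic Advisors or ConnectWise; the record layouts, the marker account name, the IP addresses and the 15-minute SLA are all constructed assumptions.

```python
from datetime import datetime, timedelta

def trace_alert_test(marker, started, received, alerts, tickets, expected_src, sla):
    """Follow one test trigger through the chain; return (first_broken_stage, detail)."""
    hits = [r for r in received if r["user"] == marker and r["ts"] >= started]
    if not hits:
        return "delivery", "no test events reached the collector"
    # Events that arrive from an address the SIEM is not registered to accept.
    strays = {r["src_ip"] for r in hits if r["src_ip"] != expected_src.get(r["device"])}
    if strays:
        return "source-address", f"events arrive from {sorted(strays)}, not the registered address"
    alert = next((a for a in alerts if a["user"] == marker and a["ts"] >= started), None)
    if alert is None:
        return "detection", "events ingested but no alert rule fired"
    ticket = next((t for t in tickets if t["alert_id"] == alert["id"]), None)
    if ticket is None:
        return "ticketing", f"alert {alert['id']} never became a ticket"
    if ticket["ts"] - started > sla:
        return "response-time", f"ticket opened after {ticket['ts'] - started}"
    return None, "alert reached a ticket within the SLA"

# --- Constructed sample data (not from the article) ---
T0 = datetime(2024, 1, 15, 10, 0, 0)
MARKER = "alert-test-0115"             # hypothetical throwaway account used only for the test
EXPECTED = {"fw-hq": "203.0.113.10"}   # address the SOC's SIEM is registered to accept

def failed_logins(src_ip, n=5):
    """A burst of failed log-ins for the marker account, as seen by the log collector."""
    return [{"device": "fw-hq", "src_ip": src_ip, "user": MARKER,
             "ts": T0 + timedelta(seconds=10 * i)} for i in range(n)]

HEALTHY = dict(received=failed_logins("203.0.113.10"),
               alerts=[{"id": "A-1", "user": MARKER, "ts": T0 + timedelta(minutes=1)}],
               tickets=[{"alert_id": "A-1", "ts": T0 + timedelta(minutes=4)}])
# After an ISP change the firewall sends from a new address and nothing downstream fires.
AFTER_ISP_CHANGE = dict(received=failed_logins("198.51.100.20"), alerts=[], tickets=[])

def run(scenario):
    return trace_alert_test(MARKER, T0, expected_src=EXPECTED,
                            sla=timedelta(minutes=15), **scenario)

if __name__ == "__main__":
    for name, sc in (("healthy", HEALTHY), ("after ISP change", AFTER_ISP_CHANGE)):
        print(name, "->", run(sc))
```

Recording the returned stage for each scheduled run gives the measurement the final step calls for: a trend of which link in the chain breaks and how often.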
Looking outward
Getting security right internally puts an MSP in a position to pursue cybersecurity as a line of business.
"You have got to secure and protect your own business before you can help your customers," said Jay Ryerse, vice president of cybersecurity initiatives at ConnectWise, speaking during IT Nation Secure's keynote session. "You can't jump in feet first and make it up as you go along. What you don't know will hurt you."
For the prepared MSP, however, high customer demand for security services -- coupled with the difficulty of finding and retaining security specialists -- creates an opening.
"This is a big opportunity for you," said Craig Fulton, chief customer officer at ConnectWise, who also presented at the keynote. He called cybersecurity services "the most important thing you can be doing in the world right now."