In December 2018, the United States Department of Justice unsealed an indictment charging two Chinese nationals with intellectual property theft. Over the course of 12 years, the defendants allegedly stole IP from American organisations operating in 16 industries, from banking to telecoms and engineering to healthcare. Rarely, if ever before, had such a far-reaching campaign gone unnoticed for so long. But this wasn’t a typical cyber attack.
The hackers, US officials revealed, hadn’t targeted each of the businesses individually. Instead, they had infiltrated the managed service providers (MSPs) who maintained their IT systems. Once the MSPs had been breached, the hackers were able to move laterally within their network of clients, secretly exfiltrating data over the course of several months and, in some cases, years.
According to Gregg Lalle, ConnectWise’s senior vice president, international sales and strategy, this is a classic example of the cobbler who “builds shoes for everybody”, but whose “son goes to school with no shoes”. While MSPs are often tasked with taking care of their clients’ security, it seems some are failing to maintain their own.
The risks posed by poor cyber hygiene are high, even for businesses that are unlikely to be targets of corporate espionage. Recent research by the US National Cyber Security Alliance revealed that 60 per cent of small and medium-sized businesses which suffer a cyber attack close down within six months.
Against this backdrop, MSPs could be forgiven for feeling uneasy about discussing their clients’ security. To overcome this awkwardness, Lalle says they must first get their own house in order. “They’ve got to spend a lot more time at home making sure that they’re secure and they need to start with a holistic approach,” he says. “We want to give them that before we recommend tool-sets.”
Over the summer, ConnectWise – which offers products to service providers and resellers – launched a campaign called “Protect Your House”, providing free frameworks and tools for MSPs to assess their own security posture.
As part of a broader security drive, the company has also called on its competitors to participate in a data-sharing initiative which will identify common threats and enable MSPs to rapidly respond to them. The idea, described as an Information Sharing and Analysis Organization (ISAO), is borrowed from one of the most highly regulated and sensitive sectors of the global economy: financial services.
“It’s a shared security analytics engine that we can all feed into,” says Lalle. “We’ll take the responsibility in our role at the centre of the service provider community to look beside our competitive stuff, to see what we can put together for the greater good of everybody.” The company is keeping tight-lipped about progress to date, but has promised to provide an update on the response from its competitors in the coming weeks.
ConnectWise has also devised new guidance, based on NIST’s security framework, to assist MSPs in discussions about clients’ risks. “We said how do we build this so that it’s easy for someone who’s not so comfortable maybe in the conversation to go out to your customer and ask those questions,” says Lalle. “In the background, it produces a nice report with a heat map, and it also prioritises based on the risk for you to give you something to digest and give to your customer prospect.”
Key to these conversations, Lalle adds, is that clients take responsibility for their security – especially given that employees, rather than technology, are often to blame for breaches. “They should know that you’ll help them if there’s an incident, but you’ve had this conversation about how to mitigate it ahead of time,” he says. “It’s a little bit about transferring that risk so that the customer thinks: ‘now we do own it’.”
While the scale of the threat may seem overwhelming, security ultimately presents a chance for MSPs to strengthen their relationships with clients. “If they’re doing a better job of educating [their customers], there’s value there,” says Lalle. “You’re agreeing on what the path should be and your client is investing in that outcome.”