MSP Following Kaseya Ransomware Attacks: We’re All Complicit
‘The days of any software or hardware vendors thinking about security secondarily are over. You just can’t survive that way. The adversaries will find the weakest link. It’s just far too easy for them today, so I do think we have to up our game,’ says Dan Schiappa, chief product officer of Sophos.
All channel partners and end customers must put IT security first if they want to prevent cyberattacks similar to the Kaseya breach going forward, industry leaders are saying.
“The Kaseya compromise wasn’t the first and won’t be the last,” said Derek Gabriel, cofounder/CEO of Ignite Solutions Group, a Honolulu-based MSP. “We can’t lay this at the feet of the tool vendors. We’re all complicit. We need customers to ask more questions about security from their service providers. We need service providers to ask and demand better from our vendors before we’ll see significant changes. And we all need to wake up to the fact that breaches will happen and become much more prepared.”
The industry is “loaded with legacy technical debt,” he said, with engineers working on products “that were first written when they were in grade school,” arguing that until changes are addressed there will continue to be “systemic risks.”
Not only does the technical side need to be addressed, but the human side as well.
“What I hope comes out of this is our industry’s ‘Jerry Maguire’ moment,” Gabriel told CRN. “It’s time for, ‘The things we think and do not say,’ about IT service. It’s time to address the legacy technical debt weighing down the products and services that we rely on day in and day out, the ones that were initially engineered 15 or 20 years ago. It’s time to ask a lot more questions.”
It’s also important for MSPs to admit what they don’t know or understand, he added.
“It’s not a weakness to not understand cybersecurity and the potential hidden risks. It’s a weakness not to admit to needing help and to ask for it, or to take the time to educate ourselves,” he said. “We’re burdened by what I refer to as the tyranny of the unknown.
“There will always be gaps in our knowledge, and we have to do more than blindly rely on others’ products and services to fix it,” he added. “There’s going to be a lot of, ‘We were going to; We should have; We wanted to - but we didn’t have the time,’ or, ‘Didn’t get around to it,’ after the dust settles. But what they’ll be saying is, ‘We didn’t consider it important enough.’”
In addition to having cyber insurance policies, Gabriel said MSPs should also have incident response plans in place that are exercised at least annually by both solution providers and their customers.
It is crucial for an end customer with limited IT resources to demand that its MSP provide Defense in Depth (DiD) strategies for better protection, said Dan Schiappa, chief product officer at U.K.-based security firm Sophos.
“Any organization, of any size, has to have an incident response plan put together,” Schiappa said. “It’s not something you can wait to do on the fly and learn from an experience. It’s something to have in order, just like any apartment building has an escape plan if there’s a fire. You don’t want to wait for the fire to happen before you start figuring out how to get people out of the building. If I’m an MSP customer, I want to see my MSP’s incident response plan.”
But the work doesn’t end with MSPs and their customers. Everyone needs to strive to do better, he said.
“As an industry, we have to up our game,” he said. “Vendors have to be very cognizant of vulnerabilities in their product; they have to be very open-minded to responsible disclosure programs, so third parties can report those vulnerabilities and give them an opportunity to fix it before it’s publicly known; and then they have to take those disclosures seriously.”
Regardless of the size of the company, a security operation is key, Schiappa added. If a company can’t build its own, it needs to seek out a third party to do so.
“We’re living in a world where you just have to have these capabilities,” he said. “When you see an attack like (Kaseya) that really targets the small companies who don’t have sophisticated IT capabilities, that’s when it hits home that this is something that’s relevant to everybody.”