It doesn’t matter how small your managed services customer is, they’re still a target.
Cybersecurity has been a concern for more than a decade. Initially, the risk centered around hackers accessing proprietary data and valuable systems or unauthorized transactions. A bad thing to happen, to be sure, but nothing like today’s ransomware attacks, which can wipe out an entire company’s computer systems in the blink of an eye.
While many large computer systems have been hacked in recent years, the shutdown of the Colonial Pipeline in May that threatened fuel supplies to the eastern U.S. by hackers identifying themselves as DarkSide catapulted the menace of ransomware attacks into the public eye.
Suddenly, many companies were racing to play catch-up, upgrading security systems that were outdated or poorly implemented.
A ransomware attack often starts with a phishing email designed to trick someone with access to a secure system into clicking a malicious link. From there, hackers can use that person’s credentials to access and encrypt a company’s servers, rendering files inaccessible until a ransom is paid. It’s an expensive mistake to make, and only good security systems can prevent it.
Blake Renegar, director of managed network services at Kelly Office Solutions in Winston-Salem, North Carolina, leads the fight on the other side, consulting on security systems for companies large and small. Many smaller companies may think they’re unlikely targets, but that’s far from the truth.
“Security has always been a hot-button topic, but now more than ever, it’s the key selling point in our services. It’s our area of expertise,” said Renegar. “You look at all these companies that are getting hit, and it’s top of the mind for business owners. They’re looking for folks to guide them in the right direction.”
The right direction can be challenging for a layperson to identify. Many businesses start by looking for insurance coverage against cyberattacks, only to learn that the insurance policy is actually the step that comes after a security checklist of upgrades.
“Insurance companies may require you to have two-factor authentication implemented before they’ll even write a policy for you,” said Renegar. “Maybe they want to know that you’re backing up your data. They want to know that you have a business-class firewall, that you have a VPN in place, that security patch updates are being pushed out. That helps MSPs in our space because folks realize hey, we’ve got to have all of these things checked off.”
Renegar sees cybersecurity consulting as a natural offshoot of the managed services sector but cautions it takes a great deal of specialized expertise.
“It’s a totally different business from a service standpoint,” he said. “There’s a lot of little caveats that we deal with that you wouldn’t be aware of on the copier side.”
Aside from designing and implementing the hardened systems, a cybersecurity consultant must be aware of insurance policies, especially as they intersect with law enforcement. Cybercrimes are crimes, after all, even if the culprit is anonymous. Insurance claims frequently can’t be paid out until an incident report is filed with the local law authorities, which means being ready to produce certain kinds of evidence that require expertise to obtain.
“We’re in a unique position because we have some engineers on our team that have a law enforcement background in the cybersecurity space and post-incident response, and we’ve got basically a digital forensics group,” said Renegar. “We’re able to go in and analyze after there’s a compromise. We can collect those devices, analyze the data, see what happened, and help those customers navigate the insurance companies and the law enforcement side if they want to press charges.”
If a client is hit, Renegar’s team investigates, trying to discover when and how the security breach happened. Even when evidence can be uncovered, the odds of catching the culprit are slim.
“Finding these guys is next to impossible,” acknowledged Renegar. “That’s hard for us, for the FBI, for anybody. That’s because most of the time they’re out of the country and they’re pretty much untraceable. It’s gone to the point where cyber insurance companies are basically forced to negotiate with these guys to pay the ransom to get the data released.”
The only remedy is prevention that includes robust, regularly maintained security systems and well-trained users. The downside to these preventions is that stronger security measures can feel onerous to end-users, who may then subvert the proper procedures, intentionally or unintentionally. Two-factor authentication, where a user must enter their password and a one-time code, slows down and complicates the login process, however trivially. Watchguard programs can make accessing the web for legitimate reasons difficult until the whitelist (approved software and executable files allowed on a computer system) is properly assembled. Regardless, these are essential elements of a modern cybersecurity system.
“It’s just a matter of training the user and letting them know that this is something you need,” said Renegar. “That’s just the way of life now, and once they get used to it, it becomes pretty seamless. We just try to hold the customer’s hand as much as possible.”
There’s no room for error with cybersecurity, which means that every person in the workplace has to be willing to take it seriously.
“You’ve seen it so many times, the Post-It with the passwords on the monitor, and that’s what leads to compromise,” said Renegar. “You’ve got to have buy-in from the top. If you get that, then folks will fall in line, and it’ll become company policy and then it becomes a normal thing. That initial training is very important.”
The moment of compromise isn’t necessarily the time of attack either. Hackers have become smarter, learning to embed their malware in a company’s servers and run silent for months, gathering data and ensuring that victims have as much motivation as possible to pay the ransom.
“Even if you’ve got backups, you would have to go all the way back a year or more to get to a clean upload in order to get that data back,” said Renegar. “Now, if they’re amateurs, you might be able to roll back and only lose a week’s worth of data, but the real sophisticated guys hide for a long time, and when they pop up, they’ve already got an extensive amount of encrypted data, and you’ve got to pay.”
So back to prevention. After setting up two-factor and a web guard, Renegar stresses that the most essential thing to do is keep all software security patches current.
“You need a company that’s doing this for you on a day-to-day basis,” he said. “If you’re on top of your patches, you get those holes plugged before they’re compromised.”
The MSP has an inside track on offering these services because they likely already have some automation set up in the client’s workplace, allowing them to build on their existing knowledge of the client’s systems. It’s something the whole client book needs. In fact, the smallest businesses, which may not ask for much in the way of printing and copying, are actually some of the most important to reach out to about security services.
“That’s a hundred percent fallacy that some people have,” said Renegar. “They think, well, I’m just a lawyer here by myself with two paralegals. I’m not big enough to be a risk.”
Nothing could be further from the truth.
“You are at risk as long as you have sensitive data,” emphasized Renegar. “Your information is just as valuable as anybody else’s.”
Access Related Content
To become a subscriber, visit www.thecannatareport.com/register or contact cjcannata@cannatareport.com directly. Bulk subscription rates are also available.
