Ignorance is bliss for cybercriminals. What you don’t know means you won’t do anything about it. That’s precisely what the criminals are banking on. And who do organisations blame when they fall victim? Not themselves. According to ConnectWise, 82% who use an IT service provider would hold the provider partly accountable, and 68% would take legal action against their IT service provider. So, be warned MSPs, ISPs, and TSPs (technology service providers) of any flavour, if you’re not careful, you’ll be the fall guy.
“Clients think, ‘I have an MSP that manages my technology. And cybersecurity = technology. Therefore, my MSP is managing cybersecurity,’” ConnectWise noted in its Art of the Cybersecurity Assessment ebook.
“I thought you were already doing this for me!” is just one of the misconceptions clients have that needs to be addressed to ensure the establishment of the most suitable defence system for the organisation. Companies forget that the responsibility of protecting their data is on them. They own the data, they control the budget, and they are the final decision-makers. Because they outsource IT functions to a contractor doesn’t mean they can wash their hands of the risks and responsibilities of securing data.
Then, there’s the “My business is so small, no one would bother to attack me!” logic. How humble and naïve. Small fry is a favourite of opportunistic criminals. For them, it isn’t about the organisation size; it is always about the data. Those who are complacent with their security measures are making it easier for attackers. Some may not even know their data has been breached until months after an initial attack. According to the Cost of a Data Breach Report, the average time to identify and contain a data breach is 280 days (approximately nine months). The 2020 report gave an average 296 days for Australia. When (or even if) organisations finally realise they have been attacked, they would say it was a sophisticated and well-coordinated operation rather than admitting that the criminal probably just waltzed right in.
“My security has been fine for ages now. If it ain’t broke, don’t fix it!” is another mistaken belief held by some. Just because a company hasn’t experienced a data breach, it’s thought that its legacy system is sufficient. However, threats and vulnerabilities are changing all the time. Unfortunately, legacy security tools and techniques are not keeping up with the threat landscape.
So, hate to burst the bubble, but the criminals are upping their game while you’re sitting on your laurels. The hackers may not even undertake attacks themselves — they just develop the technology and sell it to others. Think of them as the IT service providers for bad actors. The perpetrators could be anyone who has enough motivation and money to cause harm. These bad actors could be business rivals, a jealous friend, a teenager experimenting with the tech, or some random person with time on their hands fooling around out of curiosity. More often than not, however, monetary gain is the primary motivation — and hacking indubitably pays and pays very well.
“TSPs and MSPs realise that the stakes have never been higher in cybersecurity as ransomware, cyberattacks, and other emerging threats are increasingly causing major business catastrophes,” said Jason Magee, CEO of ConnectWise. However, market research firm Vanson Bourne found that only 13% of MSPs talk to their clients about cybersecurity as a regular part of their business practice. ConnectWise also reported that 83% of MSPs believe their clients would take legal action following a cyberattack, and 80% have difficulty selling cybersecurity services. So, it’s not surprising that some of the clients’ misconceptions could have been dismantled by starting a conversation.
- Overcome objections and misconceptions.
- Understanding the client is on the same page regarding security’s scope, intention, and expectation.
- Create an assessment of the situation with tools visualising the current system, and identifying its vulnerabilities.“What’s unique about us is we’re focused specifically on the channel, including MSPs, ISPs, and TSPs,” Drew Sanford, senior director of ConnectWise’s global SOC operations, told CRN last June when its new Cyber Research Unit (CRU) was announced. “And we’re focused on the SMB (small-medium business) space. Others are focused on the enterprise. The problem is, SMBs have different requirements from enterprises. So, we provide information to help partners in SMB.”
In June, New Zealand government agency CERT NZ reported that the country saw a 25% increase in cyber security incidents over the same time compared to the previous year. It identified almost 500 vulnerable Microsoft Exchange servers and a further 100+ other compromised email servers between the start of January and the end of March this year alone. Small businesses owned the majority of the compromised email servers.
In April, the US Department of Justice took an unprecedented step to remove web shells from compromised on-premise Exchange servers using a court order. If the web shells were left alone, they could allow attackers to administer the hacked system remotely.
ConnectWise’s independent research conducted with small businesses worldwide suggested that about 92% of SMBs change service providers to get the right cybersecurity protection. On average, they’d pay over 34% more to do so. If there is ever a time to begin a cybersec talk with clients, it is now. Unfortunately, the risk of losses is getting higher, not just for clients but also for service providers. Not just in stolen data but also missed opportunities. That is certainly not in anyone’s vision of success.