The CISA guidance issued for IT Managed Services Providers has some salient points, some impractical solutions, and others that live somewhere in between. We’d like to take a deeper dive into it and address how it affects SMBs that use MSP service offerings.
(A quick aside before we begin: Certified CIO does not use Kaseya VSA, the product described below. None of our customer systems were compromised as a result of this attack. However, please remember that no system is immune from attack and it is important to maintain a steadfast cyber defense at all times.)
Over the July 4th weekend, 2021, Kaseya suffered a massive security breach. Kaseya products support thousands of MSPs with IT tools that connect the MSP with their customers. As a result, many of these tools have elevated security permissions (something we like to refer to as “keys to the castle”), and thus any security breach is of utmost concern. Many described the incident as a supply chain attack, referring to infiltration via an upstream product vendor; at the onset, MSPs and their customers were powerless, short of shutting systems down before infection occurred.
Soon after this attack, the Cybersecurity & Infrastructure Security Agency, a bureau under the Department of Homeland Security and commonly called CISA, issued guidance for MSPs to avoid the exposure that cost many businesses millions of dollars in both real terms and lost revenue.
How it affects SMB
Much of the issued CISA guidance revolves around the principles of managing risk, which adequately prepared MSPs are already doing. However, we find that miscommunication or a lack of communication can lead to a breakdown in understanding or result in assumptions (which, frankly, can be made by either MSP or the SMB customer).
We believe the guidance document magnifies the importance of recommendations that we make to customers to increase their readiness. This can cover several layers of the cyber defense shield including login security, system fortification, and backup efficacy. In addition, it is important that communication occurs, ideally in both directions, between MSP and SMB in finding and addressing security gaps. We often try to do this via quarterly business reviews and customer communications, but our customers should know that our office doors are always open for questions that may arise. We encourage you to better understand how ready your business or organization is for the unexpected!
A further step could involve Cyber-Resilience and Vulnerability Management testing. While it can be disruptive (although it should be planned to be as non-intrusive as possible), this type of testing is invaluable for SMB decision-makers to understand what “bad” looks like; we believe that some of our customers, for example, would be pleasantly surprised, while others may not yet appreciate how harmful a major incident could be.
We do understand that IT budgets are finite and that risk decisions must be made by small business decision-makers. However, there are times when only so much compromise can safely be accomplished. There are inevitably items that, as an MSP, we consider core solutions and, thus, simply due diligence to have in place. If an SMB refuses to enact these products or services, we may take the step of requiring a related “hold harmless” agreement in the event an intrusion occurs. (At the risk of repeating the obvious, if an MSP is asking an SMB decision-maker to hold it harmless over a particular service, the decision-maker would be wise to pause before refusing the service. The MSP views the item as critical; in the IT company’s view, refusing the service violates due diligence principles.)
This, again, highlights the need for communication between the MSP and SMB. A properly functioning MSP should be able to tailor an appropriate solution to a reasonable SMB budget, informing of the pros and cons of the specific spending decision.
How to get started
The CISA guidance can be complex. If you’re already working with an MSP to increase your cyber defenses, I encourage you to contact them and ask how items can be improved. If you need an MSP to help you get started, GET IN TOUCH with us! We’d love to help you save your business from cyber catastrophe!