COMPTIA CHANNELCON — Look out, managed service and managed security service providers: new requirements related to the Biden Administration’s recent cybersecurity executive orders “will be coming your way.”

That’s the word from Theresa Payton, keynote speaker at CompTIA’s virtual ChannelCon event and president and CEO of Fortalice Solutions.

On Wednesday morning, Payton conducted an exclusive Q&A with attendees at the virtual gathering. Most of the inquiries came from MSPs and MSSPs concerned about leveling up their security postures. With that in mind, one MSP wanted to know how cybersecurity executive orders – one issued in May, another signed late last month – could affect his business.

As a refresher, both orders stem from cyberattacks on private companies and federal government networks since 2020. Hackers ramped up their efforts during the pandemic — and show no signs of relenting. After breaches hit SolarWinds and the Colonial Pipeline (and before Kaseya and others), Biden this year has moved to batten down the country’s cybersecurity hatches.

For example, the order from May comes with several requirements. Among those mandates, government agencies and departments must “make bold changes and significant investments” in zero-trust architecture, software standards and more.

The similar, separate order from July sets performance standards for technology and systems used by private companies in food, energy, power and water. However, the feds cannot force compliance.

At least, they can’t right now. That will change, Payton said.

Fortalice Solutions’ Theresa Payton

“Depending on what industry you’re in, chances are, you have a regulator of some sort,” she explained. “So, this will turn into activities you will be required to do.”

MSPs need to plan for that eventuality, although there’s no clear timeline.

“How this turns into legislation, and a potentially onerous checklist for all of you, I’m concerned,” Payton said. “Executive orders serve a really wonderful purpose but sometimes there’s a one-size-fits-all approach.”

‘Have Your Voices Heard’

That can mean an MSP must spend thousands of dollars proving compliance — something no business wants to do. To possibly help avoid that outcome, Payton encouraged ChannelCon attendees to participate in public comment windows.

“OMB pays attention, the Hill pays attention,” she said.

Payton would know. She served as the first female CIO of the White House during the George W. Bush years.

“Have your voices heard,” she added.

Another way MSPs and their clients can do that is by talking with elected officials.

“Many times there’s a lot of turnover in staff and not enough understanding around cybersecurity,” Payton said.

And that translates into an ongoing, problematic conventional wisdom, she said — “that penalties are the way to go.”

“I would like to see us help change …

… the Hill’s thinking on this,” Payton said. “I would like to see each of you get research and development tax credits for spending money on cybersecurity … and your clients getting the same. …Why shouldn’t you get a break on your taxes and your insurance?”

In other words, work with lawmakers to motivate, rather than punish, the private sector, Payton said.

On that note, the May Biden cybersecurity executive order calls for the public and private sectors to remove barriers to sharing threat information. This could prove tough to implement, but it’s an initiative CompTIA itself has actively been pursuing on its own for some time. Indeed, much of the discussion at ChannelCon this week revolved around how people can talk about breaches and hacks without incurring blame. The shaming has to end, Payton said.

Getting Rid of Victim-Shaming After a Cyberattack

“Cybercrime is one of the few places that, when you’re a victim, somehow you must be at fault,” Payton said. “It’s one of the few places where we still blame the victim somewhat. … I’d like to see us change some of that.”

If it did, IT professionals would be open to talking about how they were hit and why, and, in essence, exchange “actionable intelligence” with their peers, Payton said. Problem is, people fear their “dirty secrets” spilling into the marketplace.

“We have to have a way in real time to take that intelligence and share it for the greater good,” Payton said. “I do see a much more concerted effort to do that but there is still some hesitancy. … We’ve got more work to do there. … Is there a way for members to share ins and outs … in ways that they’re anonymized?”

Part of the solution also could come in the form of a cybersecurity version of 911. Payton introduced that idea when an attendee asked if MSPs should immediately look to insurance companies for help when a breach occurs.

“My concern of having the first step to be calling the insurance company before emergency services … is they’re going to have a bias,” Payton said. “They are not incident responders … they’re underwriters. They’re going to be thinking about the premiums.”

Rather, businesses – including MSPs – across the country should have access to a checklist of steps to take when confronted with a hack, she said.

“There’s an opportunity here in the NIST Framework to provide some guidance,” Payton said. “I would caution us not to say, ‘it’s one single type of entity.’ … For example, should there be a national response center?”

More Guidance: Takeways from the Full Q&A

Payton fielded a number of questions from MSPs and MSSPs on Wednesday. Here are some takeaways (not in direct quotes unless otherwise indicated) from those conversations:

Channel Futures: How do I start threat hunting for my customers?

Theresa Payton: Follow the NIST Framework, run clients’ most important business and personal email accounts through databases such as LeakPeek, go through various logs to identify …

… any “indicators of compromise.” Undertake those activities once a month.

CF: When it comes to information sharing and cyber shaming, what do we need to keep in mind?

TP: That there’s also an emotional response. “It’s not just about, ‘Oh no, am I going to get fired?’ It’s different. And it lands on each victim differently. … I do have mental health concerns for CISOs and IT professionals — small, medium, large.” An emotional toll does emerge from breaches, “and there’s no counseling for that. … It would be great if we could have a framework for survivors of incident response. But then also, what are you doing as remediation so people can learn from that?”

CF: What should MSPs/MSSPs be doing to protect our own networks and systems?

TP: Use the NIST Framework and any others as they apply to you by vertical and geography. Focus on who you serve and the ecosystems in which those clients reside. Understand your users’ stories. For example, if you work with a lot of doctors’ offices and regional hospitals, consider how much they are under attack right now because of “strong belief systems about vaccines.” Perform threat hunting and Red Team events and segment data wherever possible. Keep important logs (for example, user access) in cold storage in case you ever need to pull them up. (Red Team engagements look for flags malicious actors would use in a real attack. These events help businesses uncover vulnerabilities in networks, applications, IoT devices and personnel. Once executives and IT teams know the risks, they can address them.)

CF: How do I talk with my customers when a vendor I recommended gets hit with a cyberattack?

TP: “Help [clients] understand that even the best security products have to struggle to keep up with new techniques of cyber criminals. …This is going to be an ongoing business crisis of our time.” Also, teach customers that security consists of layered defenses. Assist them in building a resilient business that can bounce back after a cyberattack.

CF: How do I manage a client’s IoT devices that used to operate separately but that now have to communicate with other systems on the network?

TP: “Think about having them on their own segmented network and when they need to communicate; it’s a one and done.” Make sure security updates still reach every device. Change all passwords from the ones listed on the devices’ boxes. “Those are fairly known by cybercriminals.”

CF: How do I train my users to spot phishing?

TP: “Focus on the hearts and minds of your staff. Where are their hearts and minds when they’re outside of work? It’s on their loved ones. … Show them what phishing campaigns look like that prey on their parents and the elderly … and their children.” Helping users in their personal lives will pay dividends at work. Also, consider different types of testing and education. “There are some incredibly valuable, helpful free resources.” Some of those include OnGuardOnline, National Cybersecurity Alliance and VirusTotal.

CF: Can my email marketing campaigns inadvertently catch and distribute malware?

TP: “I have not seen a research report on this. … I have not seen statistical evidence.” But, that does not mean it couldn’t happen. Hackers take advantage of every significant holiday and day of significance (think Tax Day in the United States) to lure people into clicking links via email. They could insert code into a campaign somehow. Above all, avoid e-cards. “Never open e-cards, even from your grandma.”