More than half of MSPs don’t do basic security awareness training, according to new data from ConnectWise.

August 13, 2019


By Maddie Bacon

ConnectWise partners have conducted more than 1,000 risk assessments and discovered a disturbing number of MSPs and their small-to-midsize business partners aren’t implementing basic security practices.

Through its offering, ConnectWise Identify, the business management service provider – which is both the RMM and PSA provider most used by the 2019 MSP 501 – has found that 57% of participating MSPs and SMBs don’t do security awareness training, 48% have not assessed or analyzed cybersecurity attack targets and tactics, and 48% don’t have a security incident response plan in place — all while more than 60% of SMBs experience cyberattacks or data breaches, according to the “2017 State of Cybersecurity in Small and Medium-Sized Businesses (SMB)” report from Ponemon Institute.

This makes SMBs risky customers for MSPs to have and, as ConnectWise’s CISO John Ford said, “They don’t want risky customers.”

Why? Because MSP security isn’t that mature either, so they have problems of their own to deal with.

MSP Security Insights


ConnectWise’s John Ford

“MSPs are a target today,” Ford said. But “they’re still in blocking and tackling mode for the most part,” which isn’t where targets want to be.

The findings ConnectWise has gathered so far through Identify are in line with what they’ve seen MSPs struggle with firsthand, so it’s not particularly surprising. But it should be concerning.

“The attackers that are out there are very smart, but they’re also commonly lazy,” Ford said. “If you can get to an MSP, then you have access to all of the MSP’s customers; one breach gets you 60 or 70 targets.”

Not only that, but the tools MSPs launch to do their business give them completely open access to their customers’ environments. So not only does that make MSPs desirable targets, but “in a lot of cases, MSPs simply don’t have adequate controls in place,” he added.

How did MSPs get to a place where, according to Ponemon, the average security incident costs companies $1.2 million to recover, but ConnectWise found that 43% of its respondents don’t actually have a recovery plan for a security incident?

There are several reasons, though there are definitely some MSPs out there doing security right.

“There’s still a fair amount of MSPs practicing deliberate ignorance,” Ford said.

These MSPs haven’t had to deal with a security incident and don’t think they will, so they don’t prioritize security as a business need. MSPs may simply lack education about security and don’t believe they are a target until they become one — that’s incorrect thinking.


Onepath’s Patrick Kinsella

“We have a giant bull’s-eye on our roof,” said Patrick Kinsella, SVP of engineering and CTO at MSP OnePath. “We are viewed by the marketplace, or at least by the bad actors out there, as holding the keys to multiple kingdoms because we’re a publicly known face that’s going to have access to networks of hundreds or thousands of clients.”

Another major reason MSPs often fall short on security is the budget, particularly for SMBs.

“It’s a very fragmented market and there’s a perception that the cost of undertaking a security posture is something that’s unmanageable for a small business,” said Kinsella.

The final reason, according to Ford, is that MSPs often build their success on being highly efficient, and security doesn’t seem easy to integrate into that efficiency. But it’s not all bad.

“There’s also a lot of momentum on the part of the MSPs to quickly change [their security posture],” said Ford. “I think the bigger ones have more capital and more ability to improve where some of the smaller ones may struggle.”

Kinsella echoed that optimism when it comes to preventive security measures.

“The cost of prevention has come down significantly and the ease of access to those tools has significantly improved,” he said. “There are quite a few [security] providers out there becoming multitenant-friendly and they support a multitenant environment, which is really designed to support MSPs that are willing to invest in that capability.”

The Problem with SMB Security and the Skills Gap

Small MSPs tend to have more constraints that could prevent them from having a mature security posture.

“Anytime we’re talking about the smaller ones, it’s an education experience, it’s a talent experience, and it’s a budget experience,” Ford said. “And it’s a business decision to go out and procure the talent or the services to protect your own business.”

Eventually, all MSPs have to decide whether to outsource their security or hire talent to handle security internally.

“There’s a fine line between where you build, partner or buy,” Ford said, though smaller MSPs could likely outsource their security and protect their own environments more easily than building a team internally. This is particularly true because of the widespread and well-documented skills gap facing the security industry.

“Large MSP, small MSP — they’re both still facing those skills types of challenges” and finding available talent is tough for any-size business right now.

Kinsella agreed, noting that after a security incident, “there’s still a Men In Black feel to the individuals who can help remediate.” They’re expensive and largely inaccessible to many MSPs, particularly small companies.

Regardless, MSPs need to find a way to secure their environments and thus protect their customers.

How Poor MSP Security Affects Customers

Many MSPs have clearly not prioritized security, but they need to for the sake of their business and their customers.

“Most of the [MSPs] we’re working with have full access, unfettered access into the systems and data of the customers,” Ford said. “So if an MSP is breached and, as a result, a customer is breached, the MSP is carrying a tremendous amount of liability with regard to that incident.”

Not to mention, if any of the affected customers are in a regulated industry, there will be a huge mess to deal with.

“It’s our responsibility not just to provide the services that our clients ask us for, but to be their advisers and to be their coaches as they navigate this challenging world,” said Kinsella. “With a growing number of attackers and bad actors out there, it’s our job to tell them what they need to be doing. If we’re not doing it ourselves, we’re failing at our responsibility to them as an adviser.”

Both Ford and Kinsella also noted the reputational cost to an MSP affected by a security incident.

“Think about what Capital One is going through or what Equifax is going through today — what is the cost not just in the hundreds of millions of dollars that a firm like Equifax may be losing in lost business, spent on forensics and remediations plans, but how many users are less likely to procure security services and identity protection services from Equifax versus Experian?” Kinsella said. “The competitive market is such that a lot of these firms aren’t necessarily selling something that is in a monopoly-type environment, and that reputation is everything … the same goes for MSPs.”

Ford and Kinsella agree that MSPs without basic security practices don’t fully understand their own risks or the risks to their customers. According to Ford, that’s exactly what ConnectWise Identify is trying to fix.

“ConnectWise Identify is step one of many in which we’re trying to assist the MSPs in their security journey and help them help their customers,” he said. “Sometimes I find myself talking to people who have not been in security very long and they don’t understand that the risk assessment is the most fundamental thing that you can do.”

ConnectWise Identify is a tool aligned with the NIST Cybersecurity Framework that MSPs can both offer their customers and use themselves to perform a security risk assessment. They can use the information to identify the top risks to their business and start to form a plan to strengthen their security posture.

“What we’re trying to do is increase the velocity of decreasing risk,” Ford said. “We’re getting there by taking this very fundamental first step and opening up their eyes.”
