ConnectWise Identifies MSP Security Holes Through Risk Assessments
ConnectWise partners have conducted more than 1,000 risk assessments and discovered a disturbing number of MSPs and their small-to-midsize business partners aren’t implementing basic security practices.
Through its offering, ConnectWise Identify, the business management service provider – which is both the RMM and PSA provider most used by the 2019 MSP 501 – has found that 57% of participating MSPs and SMBs don’t do security awareness training, 48% have not assessed or analyzed cybersecurity attack targets and tactics, and 48% don’t have a security incident response plan in place — all while more than 60% of SMBs experience cyberattacks or data breaches, according to the “2017 State of Cybersecurity in Small and Medium-Sized Businesses (SMB)” report from Ponemon Institute.
This makes SMBs risky customers for MSPs to have and, as ConnectWise’s CISO John Ford said, “They don’t want risky customers.”
Why? Because MSP security isn’t that mature either, so they have problems of their own to deal with.
MSP Security Insights
“MSPs are a target today,” Ford said. But “they’re still in blocking and tackling mode for the most part,” which isn’t where targets want to be.
The findings ConnectWise has gathered so far through Identify are in line with what it has seen MSPs struggle with firsthand, so they're not particularly surprising. But they should be concerning.
“The attackers that are out there are very smart, but they’re also commonly lazy,” Ford said. “If you can get to an MSP, then you have access to all of the MSP’s customers; one breach gets you 60 or 70 targets.”
Not only that, but the tools MSPs use to do their business give them completely open access to their customers’ environments. That makes MSPs desirable targets, and “in a lot of cases, MSPs simply don’t have adequate controls in place,” he added.
How did MSPs get to a place where, according to Ponemon, the average security incident costs companies $1.2 million to recover from, yet ConnectWise found that 43% of its respondents don’t actually have a recovery plan for a security incident?
There are several reasons, though there are definitely some MSPs out there doing security right.
“There’s still a fair amount of MSPs practicing deliberate ignorance,” Ford said.
These MSPs haven’t had to deal with a security incident and don’t think they will, so they don’t prioritize security as a business need. MSPs may just not have the education about security and don’t believe they are a target until …