Louisiana has been besieged with ransomware attacks and a top state official blames MSPs for not providing enough protection to their government clients.

At a recent meeting of the National Association of Secretaries of State, Louisiana Secretary of State Kyle Ardoin said too many MSPs are using outdated techniques, exposing themselves and their clients to dangerous ransomware attacks from bad actors.

Louisiana Secretary of State Kyle Ardoin

“If MSPs aren’t protecting themselves, how can they protect their clients?” he asked. “MSPs must be more up front with their clients. Too often, MSPs are worried about asking for a client to invest more for their security, which is more difficult to protect in the age of sophisticated attacks.”

Ardoin outlined ransomware attacks last summer on multiple Louisiana school districts. And last November, a ransomware impacted many clients of an MSP, including seven clerks of court offices.

“The MSP was compromised by an attacker, who then pushed ransomware out to many of the MSP’s clients,” he said. “By the time this event occurred, we learned from past events and other ongoing events that it is not necessary to ‘pull the plug’ as a first resort. We have learned to trust our layered defense mechanisms that are in place and stay in contact with our MSSP to help monitor the situation. While our MSSP was monitoring the situation, we were constantly reviewing logs to verify that no unusual behavior was occurring on our network. We also were in contact with affected offices and incident responders to keep up with the incident as it played out.”

A larger ransomware attack last November impacted numerous state agencies, Ardoin said. The state’s Office of Technology Services shut down network traffic and was able to prevent a larger spread, he said. The attackers infiltrated 200 of the state’s 5,000 servers and about 2,000 computers were damaged.

“Due to the November attack occurring the day after the general election, conspiracy theories, misinformation and disinformation became a more serious problem,” he said. “Our office had to directly respond to numerous inquiries and social media posts purporting to tie the cyberattack to the general election results. Cyberattacks are a prime opportunity for some to cast doubt on our elections. Election officials must be ready to respond to citizens and media outlets that tie cybersecurity news to election infrastructure, even when no tie exists. Luckily, we were able to quickly provide accurate information to our partners in the media who helped broadcast the truth about the cyberattack and undervote, thus maintaining voter confidence in the election.”

In the past, firewalls, system patching and antivirus software were sufficient, Ardoin said. However, in recent years, attacks have become much more sophisticated yet many MSPs, mostly “mom and pops” with very limited experience, are still operating under what worked several years ago, he said.

“As attacks grew more sophisticated, many MSPs have not been upfront with their clients about the need to invest more into their security,” he said. “This leads to serious problems for their clients and the MSPs themselves.”

Local officials should consider using MSSPs, Ardoin said. While MSPs attempt to protect systems on a “very basic level” to ensure operability, MSSPs are focused on keeping those same systems safe and secure by preventing and detecting, rather than simply responding to, attacks, he said.

Dave Sobel, longtime channel veteran and host of the news and commentary podcast “Business of Tech” and co-host of the “Killing IT” podcast on MSP Radio, said MSPs should take Ardoin’s speech “incredibly seriously.”

“This is the voice of the customer,” he said. “If I asked most MSPs if they would …

… like an entire state government as their customer, they would certainly be interested, and here, the key decision maker is telling a group of his peers that MSPs are not doing enough.”

Dave Sobel

The criticism is justified for those providers who are focused on just basic patch management, antivirus and backups as enough, Sobel said. In some cases, however, there are providers that are “so far behind on the basics” as to border or cross into recklessness, he said.

“Have you implemented two-factor authentication on every control system?” he said. “Have you properly closed off access, particularly control like RDP? The criminal profile has changed to be so much more sophisticated, and many providers are simply not keeping up, which is exactly what the secretary is saying.”

Because the human element is so important, security training and awareness for customers on an ongoing basis should be top of mind, Sobel said. Simulated recovery scenarios are another basic service to ensure better security, and if you worry about your capabilities, partner until you can build them, he said.

“I wouldn’t recommend avoiding MSPs as a rule, and don’t want to dwell on the naming differences,” he said. “Everyone is in the security business now. What I do believe is that customers are asking smart questions about the security of their networks and the capabilities of their providers. If you’re not ready, you’re going to have serious problems.”