What cyber security professionals want MSPs to know

Recent high-profile cyber security threats have put managed service providers (MSPs) squarely in hackers’ sights and exposed their vulnerabilities, as well as perpetuating the belief that they treat cyber security solely as a profit-driven model without a proper strategy behind it.

Recent reports that ransomware group KillSec, also known as Kill Security, had allegedly breached Queensland-based IT service provider Hexicor were a reminder of the growing threat to those in the industry.

James Davis believes this incident should be a warning to all technology businesses that they are a “major target” and “high-risk” to clients.

“There are a lot more incidents that aren’t publicised and a lot of fortunate near misses; I am the one that is trusted by partners to share the stories with,” he said. “To put it into perspective, I hear about one or two incidents/near misses affecting partner businesses.”

Davis has been consistent in telling the industry about this and what they should be looking at doing in their own businesses. However, not enough partners are taking action, and hopefully this incident can be the spark that gets them to act.

Equally disappointing has been the “absolute vultures” leveraging this incident directly in their marketing and thought leadership to try and pick up the affected clients.

“Surely, we as an industry are better than this. I usually see partners reach out and offer to help, but it seems there [are] still slimy people that will use this kind of thing to their own benefit,” he said.

These are the ‘cowboys’ of the industry that need to be reined in, especially considering that MSPs’ lack of foundational knowledge can lead to inadequate incident handling, OpSys managing director Matthew Fabri said.

Fabri explained to ARN the need for transparency, accountability and regulation in the cyber security industry.
“People like me are out there screaming from the hilltop saying, ‘We’re having all these idiots now providing cyber security in “services”, but they don’t actually know what they’re doing,’” he said.

Fabri also said that there are a lot of MSPs out there selling products without knowing what to do in the event of an incident or how to gear up for one.

“They just think, ‘We supplied the product and when it comes to an instance, the customer gets breached, well, that’s the vendor’s problem’,” said Fabri. “That’s their issue and they should’ve stopped that.”

According to Fabri, they don’t think about the program that works or what it takes to get them “fully protected” and have everything in order.

Aegis cyber security chief information security officer Luke Irwin told ARN that a lot of good cyber professionals have crossed over from IT, and there are a lot of people who think they know cyber security because they know IT.

“They have different objectives,” said Irwin. “In IT, the core concern is price, availability [and] performance.”

With cyber security, Irwin continued, the key concerns are confidentiality, availability and integrity.

“We align on availability and that’s about it,” he said. “We both want the client to get what they need to when they need to.

“The fact that IT implements some security controls has created the perception that IT is cyber, both in the heads of the workers and in the general public, who go, ‘Oh, my IT guy does that’. No, he doesn’t.”

Tax accountants don’t do estate planning, and tax lawyers don’t deal with criminal law, Irwin noted. These are niches and require specialised skills.

“MSPs, I feel, are great at what I refer to as the frontline cyber: the antivirus, the patching, the firewalls, the network segmentation,” he said.
“They are fantastic at that.

“But when I ask the MSPs I work with about risk assessment on the environment, or what the crown jewels are, they just look at me blankly.”

“They don’t know what to protect,” said Irwin. “If they don’t know what to protect, they can’t budget properly to get the right systems, controls, and processes in place.”

Who’s the problem?

Sometimes the customers also don’t see cyber security as a priority, noted Fabri.

Enex TestLab managing director Matt Tett told ARN that the issue with a lot of these small businesses is that they don’t even have time to run their own administration, let alone their own security, which is why they tend to turn to MSPs.

For legitimate businesses that really are trying to do this, conforming with governance, risk and compliance comes at a cost.

Small to medium businesses should be empowered with the questions to ask their providers: who looks after their data, where it resides, how the data is transmitted, how it is secured and how it is going to be made available.

“Confidentiality, integrity and availability [are] three key pillars of good security,” said Tett. “That’s really what consumers of those service providers’ offerings need to know what to ask and then to understand the answers aren’t just sales fluff.”

Getting the end user to understand this is a value proposition. However, a lot of consumers purchase based on product, not value; they might want to spend only $99 instead of $109 regardless of the value.

“At the end of the day, they can offer a cut-down service for the customer,” noted Tett. “Look at TPG Telecom – they get you to disclaim the Australian Consumer Guarantees.

“Therefore, [customers are] willing to waive [their] rights to consumer guarantees.”

An MSP needs to make it obvious to the customer that their security is in their own hands, Tett said.

“Do you want to buy this car without airbags? It’s saving you $1,000, it’s your risk if you go through the windscreen,” he said.
“Or, do you want to buy with the airbags and pay the extra $1,000 bucks? That’s another way of looking at it.”

OpSys, noted Fabri, makes sure everything it does is entered into a report for customers and lets them know when they were warned about a risk. If they continue to ignore their risk profile, then that’s on them.

“We are evolving this over the next six months,” he said. “Every single customer, from our top-tier customers to our one-seat organisations – we will evaluate their risk for them.

“If they become too risky for us, or they do not subscribe to a minimum cyber security standard, they’ll be very quickly looking for a new MSP.”

Irwin noted that MSPs can get indemnity insurance for themselves, which covers legal costs and damages if a client claims that advice, service or failure caused them loss. However, he noted that this is not the same as cyber insurance, which typically covers a business receiving MSP services.

“We’ve had very serious conversations, and they strongly advocate that all their clients take out cyber security insurance,” said Irwin. “The challenge is that so many clients think that the MSP’s insurance policy covers them. They think the MSP’s disaster recovery plan, incident response plan, cyber plan also covers them. No, that’s for them – you need your own.”

Get yourself a partner

According to Fabri, many MSPs still don’t fully understand cyber security. For example, there are IT providers out there who give customers ISO 27001 and ISO 1001 frameworks while “charging them through the nose for it”.

“We’ve come in and said, ‘You’re not compliant in many places’,” he said. “When they ended up having an issue, they brought us on to take the service over.

“The biggest problem with this MSP was when we wrote to them to request they delete all of the customer’s data – all the help desk tickets, all emails, all backups.
“The MSP actually wrote back to me personally saying, ‘This data is ours.’ I noted they received this data in the midst of doing a contract and it’s still the client’s data.”

According to the Australian Privacy Principles (APPs), specifically APP 11.2, organisations are required to destroy or de-identify personal information once it is no longer needed for any purpose for which it may be used or disclosed under the APPs. This obligation applies unless the information is contained in a Commonwealth record or the entity is required by law or a court/tribunal order to retain it.

“If you’re holding vulnerable people’s data and health data that you shouldn’t be holding,” he said. “Once the contract is done, that’s it. You need to remove all that information.”

For Fabri, MSPs don’t have to make the investment required to own the supply chain of a cyber security operation and all the hardware that comes with it, which takes money and time to build. However, there are things they can do to make sure they are doing the right thing by their customers.

“Just on my LinkedIn, somebody asked me what MSPs should be doing,” said Fabri. “They should partner with a cyber capability that they can trust.”

From a cyber security perspective, OpSys works side by side with Adelaide-based Loftus Technology.

“It’s an IT firm and we don’t touch its IT,” he said. “We don’t want to know about the IT, and we raise things with this team, for instance, about things it needs to look at or if there’s a sales opportunity because something needs to be fixed.”

However, a key challenge Irwin sees is that when he’s engaging with MSPs, they’re concerned he’s going to eat their pie.

“What they need to do is be aware that there are other people they can engage as partners who aren’t going to steal their clients from them and make them look bad,” he said.
Irwin does think that perhaps the general technology industry needs “some form of governance”, like the MSP regulations coming out of the UK.

“I’m not sure if that’s the best approach, but I don’t know of another one,” he said.

Regulation for regulation’s sake isn’t right either

This raises the question of whether or not regulation is the right way to go. The industry isn’t regulated but what cyber security professionals do is regulated, which makes the risk higher, said Fabri.

As cyber security providers, there’s an obligation to let the directors and board chairmen be assured that all necessary actions and security measures have been completed, so that if a breach occurs it can be shown that everything was done.

However, MSPs don’t have the same obligations and can pass on responsibility, claiming they weren’t given the right access or data, explained Fabri.

“There’s a very different and distinct framework between what’s going on,” he said. “The other side of it is we have to report a hell of a lot more.

“Every month, what’s occurred [includes] how they’ve increased the strength of the cyber program, what’s been rolled out [and] what projects are delayed.”

For cyber security partners, if someone came “knocking because of a breach”, they need to be able to show that they’ve done their job.

“Otherwise, the risk comes straight back to us,” said Fabri.

“I believe both sides, MSPs and MSSPs, need regulation,” he said. “I’m not talking about that bloody professionalisation, everything that everybody’s up in arms about and having arguments and fights. From a regulation standpoint they need to be held accountable for the advice they give like anywhere else … like tax or legal advice.”

Tett believes regulation for regulation’s sake is not great, while self-regulation by industries also doesn’t work.
“Sadly, our government ends up regulating to give themselves work and build silos/empires within departments and agencies that have little experience, understanding or expertise in the field that they’re attempting to make rules for,” he said.

However, Tett believes good, effective regulation, with supporting legislation that’s in plain English and has a path for policing and enforcement with penalties, is needed.

Cyber security is a team sport

At the end of the day, an MSP is not going to be able to provide a 100 per cent guarantee when it comes to cyber security, noted Tett.

“There are no guarantees in security and so the consumer also must be responsible for their own security, their configurations and how they behave,” he said.

Security can be made simple and straightforward for people, so they don’t end up misconfiguring things.

“Each link in the chain has its part to play in it, but training and education for individuals is pretty critical,” he added.

Ultimately, Tett wants to take a holistic approach to cyber security.

“Managed service providers are managing a service on behalf of the consumer that can’t do it, and if security is an integral part of technology, privacy, confidentiality, then they need to make sure that they’re, wherever they possibly can, either being honest and transparent about what they do and don’t provide,” he said.

Irwin also believes MSPs need to be aware of the cyber landscape, and of the limits of their capability and skills; it is “unreasonable” for an MSP to know everything. However, they do need to understand that “cyber security is not another vertical under IT, security is a horizontal that sits at the top of technology,” he added.