What separates the bank robber from the burglar or the pickpocket? More risk, more planning, and the potential for a far bigger reward. There’s a reason why Hollywood mostly produces heist films where a bank vault and/or jewels are the target as opposed to a some iPhones and a TV.
For criminals of any sort, heading “upstream” is generally going to make for better rewards. That’s why MSPs are quickly becoming primary targets for cybercriminals. Our research found that attacks on MSPs have doubled in the last 18 months. Right now, it appears hackers see the MSP community as an opportunity to attack many businesses at once—meaning MSPs must do all they can to not be the weak link in the supply chain.
Supply chain shift
Why are hackers shifting their tactics? Small businesses have small IT budgets so the investment in security can’t be the main priority. Many of these businesses simply don’t understand standard security frameworks and rely on MSPs to guide them.
It follows, then, that an MSP is a more difficult target than an SME—so why bother? The pandemic may have been the catalyst for this change. Businesses that may never have considered remote working had to adapt quickly. Many turned to MSPs so they could do this in a structured and safe way. And in helping to secure these businesses, MSPs painted a big target on their back.
By taking control of an MSP, an APT (Advanced Persistent Threat) group can gain access to a much larger number of systems—MSPs can serve over a hundred clients and taking over their remote access and data privileges makes a hacker’s job all too easy. This popular strategy is a form of supply chain attack, where a bad actor infiltrates a system from a third party. While the MSP is compromised, they’re not the main target, so an APT will sit in their system and use it like a command center and quietly encrypt or steal data from small businesses.
The numbers show how popular (and effective) this approach can be. Our research found that almost all MSPs have suffered a successful cyberattack in the past 18 months. In fact, 90% have seen an increase in the number of attacks since the start of the pandemic. On top of this, one-third have been successfully attacked in the last quarter alone.
The effect of the pandemic has changed the equation in favor of taking on a trickier heist for bigger rewards.
It is crucial that MSPs fight back against this trend and not allow it to take hold. Today, it seems pretty much every business is under a near-constant assault of cyberattacks. If MSPs gain a reputation for being a weak link, businesses are less likely to trust them with this important task. The fact that the international cybersecurity alliance Five Eyes has issued an advisory aimed at MSPs to keep business secure should show just how important this issue has become.
There are, however, simple measures some MSPs are failing to take that would limit their exposure to risk. Our research revealed that a significant minority of MSPs are not following best practices when it comes to security hygiene.
For example, while almost all MSPs implement multi-factor authentication (MFA) for their customers, only 40% of MSPs—not even half—use it themselves. Even fewer MSP customers, one-third, are actually using MFA. MSPs that are not using this type of authentication are putting their systems at risk from phishing and other password-based attacks, giving hackers exactly the sort of access they require for a supply chain attack. Not only does this leave customers at risk, both from direct and supply chain attacks, it will make it tougher to convince a business to adopt extra authentication measures if its security partner does not. However, MSPs report they have plans to migrate 95% of customers to MFA in the next five years, with most being done in the next two years.
There are also a minority of MSPs failing to automate maintenance. Eighty percent of MSPs are automating patches and 85% are automating backup (both reassuringly high numbers), but it implies that 20% and 15%, respectively, are not. MSPs not automating these vital tasks, particularly patches, are leaving their own networks open to attack as well as their customers’ networks, and without the proper backup in place, it’s impossible to “roll back” from any compromise.
MSPs gained a great deal of trust thanks to their efforts during the pandemic in helping their customers roll out remote working at an exponential pace and keeping them secure throughout. But this success comes with a price—they are now targets for hackers looking to hunt bigger game, no longer satisfied with taking down single businesses for small rewards. MSPs cannot afford to let the trust they’ve accrued be eroded by being an easy target and failing to protect their own systems—their future success relies on reinforcing their reputation as a reliable, safe pair of hands.