Is Your MSP a Target for Hackers?

The newest cybersecurity threat to your business may not be targeting you directly.  It may be targeting your IT service provider.

Managed Service Providers (MSPs) are outsourced organizations that manage the IT for small and mid-sized companies. Rather than hire a team of IT professionals, these companies often use an MSP to take care of their IT so they can focus their time and energy on the rest of their business.   

Hackers have identified that, rather than trying to infiltrate individual companies, it’s easier to target MSPs. By hacking into one MSP, they can infiltrate multiple companies simultaneously through the remote management software that they use for their clients. Because an MSP may service dozens if not hundreds of companies, by infiltrating just one MSP, it has the potential to install ransomware on dozens if not hundreds of businesses at once.

A nearby example of this was in the news this summer. PM Consultants, Inc., a Portland-based MSP, was hacked and their software used to place ransomware on dozens of dental clinics that they serviced in Oregon and Washington.  PM Consultants was not able to remedy the situation with any of their clients, and they closed their doors shortly after the incident. The dental offices had to call other IT firms to help them out, had to cancel appointments, and shut down their offices for days as they sorted through the mess.

This is starting to become the norm. An MSP in Texas that served municipalities across the state was hit in August, shutting down 22 cities for weeks. In Wisconsin, another MSP was targeted which left 400 medical practices across the country without access to their files. And just last week 100 dental offices were shut down in Colorado because their IT provider was hacked.  These are just a few examples of the dozens happening across the country.

Image courtesy of InfoSec Insights

IT Companies are not Cybersecurity Companies

When organizations like the ones above look for an IT service provider, they often think they don’t have to worry about cybersecurity. However, IT and cybersecurity are two very distinct disciplines. IT deals with computers and networks being operational on a day-to-day basis through the hardware and software that keeps them running. Cybersecurity ensures that a company’s data is safe from both internal and external threats, most of which is done behind the scenes. When your IT isn’t working, it affects you directly. When cybersecurity isn’t working, you often won’t find out for weeks or likely months after, which will come at a much higher cost and risk to your business. In short, IT is not cybersecurity.

If you use an IT service provider, make sure you understand whether cybersecurity is part of their DNA. Here are a few questions you can ask to find out:

• Are they SOC 2 Certified?
• Do they have dedicated “Trained and Certified Cybersecurity Professionals? What certifications do they have?
• What is their coverage and can they provide a copy of their insurance certificate?
• Are they audited by a third party which looks at security and privacy practices? 
• Do they have a third party audit how they handle sensitive client data? 
• Do they have a third party auditing their own internal technology for security vulnerabilities?

What is SOC 2?

The SOC 2 certification is a “Good Housekeeping” seal for MSPs. SOC stands for “system and organization controls,” which are a series of standards set by the AICPA (American Institute of CPAs) to “provide specific users with information about controls related to security, availability, processing integrity, confidentiality or privacy.” By becoming SOC 2 certified, an organization has proven that its operations are in line with general security practices. When an MSP is SOC 2 certified, the likelihood of your security being affected because of your provider drops significantly. This is the standard by which many companies like financial institutions and other highly regulated industries are using to ensure that their data and the data of their customers remain safe.

The reality is that the state of cybersecurity for businesses is changing at an unprecedented rate. With breaches in 2019 increasing at a rate of 44% month over month, it can be daunting to know where to begin to protect your business. A good place to start is doing your homework on vendor due diligence when selecting an IT service provider. Those that fail to do so may be caught off guard in 2020 by a cybersecurity event itself or the unexpected and drastic rise in costs to secure and protect their business.

If you’re looking for IT security services in the Tri-Cities, Washington or Bend, Oregon areas, or simply want to learn more about how to effectively structure your security, give us a call at 541.848.6072 in Oregon or 509-396-6640 in Washington.