Imagine you wake up to a call from your IT department informing you that your company is locked out of all systems and data because your Managed Services Provider (MSP) was targeted with a ransomware attack. The attack targeted their systems, but now you’ve lost access to yours, and they can’t tell you when you’ll be able to gain access to your systems again.
As unlikely as that call may have been just a few short years ago, sadly, more and more CEOs and executive teams are facing that horrifying reality today.
Largely gone are the days when a small team of IT network administrators managed the IT resources, security and access for companies and organizations. With the proliferation of cloud services, cloud-based software and “technology-as-a-service” capabilities, scores of corporations and nonprofit organizations have embraced outsourcing their IT networks and infrastructure.
Today, those responsibilities largely fall to MSPs — companies that deliver critical network management services to dozens, hundreds, or in some cases, thousands of other companies, simultaneously and largely remotely.
For the most part, this has been a positive development for organizations as they can now outsource their IT support needs to a company dedicated to that endeavor, rather than focusing on an area of their business in which they don’t specialize.
These migrations, however, have not been without their hiccups. The quality and technical sophistication of MSPs varies greatly, as does the pricing of their services. Not all MSPs are created equally, which corporate and nonprofit executives alike have discovered in their searches for a provider that is the right fit for their needs.
Just when the business world has grown comfortable with this approach to managing critical data, access and systems, MSPs are facing a new threat.
Cyber threats and ransomware attacks, cyber targeting that infiltrates a computer network then denies access until a ransom has been paid or systems are recovered otherwise, have plagued companies large and small for years, as the business world struggles to stay at least a half step ahead (or behind, depending on your perspective) of the bad guys.
And now they’ve found a new target. Cyber criminals are infiltrating MSPs directly with ransomware attacks, leaving thousands of companies locked out of their critical data for days and weeks at a time, while helpless and powerless to do anything about it.
In April 2020, the FBI reported through their Internet Crimes Complaint Center (IC3), that since the beginning of the COVID-19 pandemic, the Bureau has seen the number of reported cyber incidents increase from 1,000 per day to upwards of 4,000. Additionally, a late 2019 report from threat intelligence firm Armor found that 13 MSPs, and possibly more, were hit with ransomware attacks during the year.
In one instance that was well documented in the news, a California company, Synoptec, was impacted by a ransomware incident that brought thousands of its clients to their collective knees for several days. More recently, during the height of the COVID-19 crisis, an MSP that serves mostly healthcare organizations experienced an attack that impacted hundreds of its health services clients, who were already struggling to provide services through these difficult times.
The threat is real, and the enterprise-wide risk to CEOs and business owners is significant. The solution isn’t to bring IT services or cloud-hosted platforms back in-house. Outsourcing network administration is still the right answer, and there are hundreds of outstanding service providers throughout the country who provide reliable services to organizations and create much needed flexibility and nimbleness.
That said, there are a few steps that all business leaders can take to provide reasonable assurances that their MSP is utilizing best practices to ensure their systems won’t be infiltrated, and that if they are, they can recover without issue. Depending on how an organization utilizes MSP services, actual risk may vary greatly. The steps are as follows:
- Review your MSP’s capabilities, network architecture, backup and recovery procedures, to ensure they have made the necessary investments to reasonably protect themselves and their clients’ data. If you are a healthcare provider or are an organization that works with healthcare data and providers, your risk may be even greater. Have you taken the appropriate steps to ensure that your partners aren’t putting you, your data and your clients’ data at risk?
- Review your MSP contracts to better understand your own rights and obligations should your MSP be hit with a ransomware attack.
- Conduct an enterprise asset risk assessment to understand which aspects of your data and network are most at risk and provide the most significant impact to your business and your clients’ businesses. Where are the single points of failure? How can and should you mitigate those risks?
Hartman Executive Advisors, as one of the only truly independent technology advisory firms, can conduct a thorough, yet cost-effective review to help organizations currently engaged with an MSP evaluate their risks and develop a plan for mitigation.
The bottom line is that your MSP relationship can’t be a ‘set it and forget it’ endeavor. These relationships, like all critical vendor relationships, need consistent and effective management in order to ensure continued effectiveness. For these relationships, this has never been more critical.