HOUSTON, TX: There are a lot of adjectives one can apply to a cybercriminal — opportunistic, greedy, heartless — but it’s hard to call them “stupid”. Hackers can be quite resourceful when it comes to planning their attacks, and once they identify an easy target, you can expect them to tap that well until it runs dry.
You’ve almost certainly heard about the most recent well around which many cybercriminals are gathering: IT managed services providers.
The managed services provider (MSP) business model has been growing in popularity for years, with thousands of MSPs operating nationwide. These companies provide outsourced IT support for any number of organizations, from small businesses to hospitals and banks.
In doing so, they typically have access to the networks and data of their customers. This is why they’re such a juicy target for hackers.
This effective new strategy goes hand-in-hand with the trend toward more targeted intrusions rather than “casting a wide net”. Cybercriminals are exploiting weak credentials and unpatched software, or using phishing, to single out high-value targets. As such, we’re seeing more attacks like those carried out against IT giants Cognizant in April and Conduent in May.1
MSPs Come Under Fire for Lax Cybersecurity Procedures
Huge IT providers like Conduent (with revenues over $4.4B in 2019) are lucrative targets, but even small MSPs are finding themselves in the crosshairs. In truth, no MSP is safe because hackers know it’s easier to compromise one organization to gain access to dozens more rather than hacking each individually.
What makes it even easier for the cybercriminals is a lack of regulation in the MSP industry. These IT providers are able to label themselves “cybersecurity experts” without showing any proof of their knowledge or capabilities, and there is no standardized notion of what constitutes “complete cybersecurity”. Many MSPs don’t even have their own systems properly secured.
Lawmakers and business owners have taken notice of this fact and are beginning to demand answers. Some, such as Louisiana Secretary of State Kyle Ardoin, have publicly called MSPs’ security capabilities into question.
“Firewalls and system patches and antivirus: what used to be sufficient for MSPs, they are no longer,” said Ardoin. “As attacks grow more sophisticated, many MSPs have not been upfront with their clients about the need to invest more in security. This leads to serious problems for their clients, and the MSPs themselves.”2
Cybersecurity Expert Jason Rorie Creates a Solution
The next logical step to fix this gaping hole in the IT industry is, of course, regulation. With representatives like Kyle Ardoin citing the implications of hacking on elections and other functions of democracy itself, it’s only a matter of time.
That being said, regulations take time to write and even longer to adopt. In the meantime, the number of sophisticated attacks being carried out against MSPs and their clients is growing by the day. It’s evident that neither MSPs nor the businesses they service can wait for the government to come up with answers.
Enter Jason Rorie, successful MSP owner of over 20 years and experienced cybersecurity expert. Jason holds a veritable buffet of certifications (including CSIE, MCSE, C|EH, CISM, CCSP, and CISSP), making him the ideal candidate to lead the charge against this growing menace.
“MSPs are taking on significant liability by promoting themselves as cybersecurity experts without having proof to support those claims,” says Rorie. “If and when an incident happens — especially if the MSP is involved in the breach — the client wants to know how the ‘expert’ could have let it happen. Then come the lawsuits and a burden of proof after the fact.”
Rorie says that his MSP, Elevated Technologies, has been successful — and secure — for decades, and they can prove it. Policies and heaps of documentation are part of their overall strategy. Rorie is sure to emphasize that they focus on “information security”, not just cybersecurity.
“Cybersecurity is only part of the bigger picture. Information security includes other critical elements such as physical controls, training, and employee termination policies.”
Elevated Technologies is on to something, but how does this help the IT community as a whole? Jason Rorie is bringing his expertise and experience to other MSPs through a third-party certification created by himself and a board of credentialed security experts. To build the certification, called TISC-2020, Rorie’s team spent months researching existing government requirements, privacy regulations, and state security doctrine to develop what he believes is a reliable measure of an IT provider’s security competence.
“I imagine that if the government were to create a security regulation for MSPs, it would look almost exactly like this,” Rorie adds. “We’ve covered almost 70 critical controls that impact an MSP’s internal security, as well as their ability to secure their clients.”
Rorie even created an online platform called MSP Overwatch™, where MSPs submit evidence and documentation for each control in order to earn their TISC-2020 certification. It’s not an easy process, but MSPs began lining up to take the challenge immediately after the online platform went live.
At the time of this writing, Rorie reported that an MSP in Detroit is expected to earn the first third-party certification by the end of this week.
Says Rorie: “When they’ve passed inspection, this MSP will probably know more about their own security posture than any MSP they’re competing against. Their risk and liability will decrease, and most importantly, they’ll be able to prove to customers that they really are as secure as they can possibly be. Everyone is safer. Everyone wins.”