SolarWinds MSP's security head says that SMBs are the next target for hackers looking to break into major enterprises and national organisations. And most customers are in need of help and advice in reducing their vulnerability.
SolarWinds MSP, which supplies IT service management solutions to solution providers and MSPs, has new research on senior security executives’ awareness of and readiness for increased malware and ransomware threats. The research finds that most respondents do not think their organisation has the budget or technology to deal with cybersecurity threats.
All of which brings it down to a discussion on risk, says Tim Brown, VP of Security at SolarWinds MSP; he was previously Security Director at Dell, Symantec and CA Technologies.
The good partners are those who are business partners for their clients - not just the technology provider, he says. “Then you can have a risk discussion. Trying to do everything or even protect everything is impossible. When I was at Dell, it was taking $1m each minute on dell.com, so we were not going to let that fail. But other areas in the business were not as well protected.”
That is what risk analysis is about, and MSPs have to be in a position to advise. “It is not rocket science – they just need to ask the right questions. We have to help educate them on the appropriate questions – what data do you have? Where is it? What would happen if you had data disrupted? The questions are not hard, but what do you do with the answers.”
Once the discussion reaches questions of actual impact (contractual, reputational and regulatory), specialist knowledge is needed, but a lot of it comes down to basics: so many clients just have bad cyber-hygiene.
“You can do a basic risk analysis and vulnerability report, and we can help provide that to the client. We have products that do that. It will value the given assets and that helps the MSP – many use it as an entry point. This SolarWinds Risk Intelligence is being well used by MSPs as that.”
The study revealed that while most senior executives at clients agree that attacks are increasing, they are confused about what threats pose the most risk and lack the means to defend against them. Just 45% said that they had the technology to prevent, detect, and contain cybersecurity threats, while only 47% felt that they had enough budget to cope.
“We want the MSP to take more control – and tools such as SolarWinds Risk Intelligence work well as a sales tool and for doing regular assessments. It can be combined with threat analysis to show what the MSP delivers. It is important that the weighting of the dollar figure goes with the risk, so if something is out there, then we can assess the risk. We might need to improve the wording of these reports so that it makes more sense for CxOs, saying ‘this is actually what we have done for you’.”
How often should the MSP be having that conversation on risks and threats? “It is a balance. Our best MSPs are absolutely the business partners and IT group for the clients, in some ways independent, saying ‘I am protecting you’ at a level that both sides are happy with, and they are also working on projects. They are involved in strategic planning, and planning of the risk reduction projects.”
Nothing is ever finished, though. “SolarWinds MSP itself has a number of strategic projects, for example, where we have planned changes, and this is continuously moving forward.”
“The people are the hard part – getting the right skilled security people is never cheap – those with enough business sense who are not security purists are hard to find. Good hygiene is not sexy and cool, but if you don’t do them, you are in trouble. The most undervalued skill is keeping good cyber-hygiene – watching for messages and keeping up on all of those – done well it addresses a lot of the problems.”
“The mistake is that people look for the newest and shiniest fix. I do it by having separate teams including security and then a network team. I get reports on every team each month; but this recognises that everything does not get finished. We keep track and just look at how we are doing; perfection is not possible. I also have special project for newer technologies such as analytics. But hygiene is reported on constantly.”
“Not all the security work is the same. Someone good at threats and research will not appreciate working on hygiene, but it is a great entry point and learning model to get immersed in the programme. I think MSPs should do the same from a skills point of view.”
“These are different roles – some had a help desk background and are used for the hygiene – they don’t need the skills of a security specialist. This is a piece that is often missing – it does not need to be highly skilled labour – just managing a queue of things and getting things done, by escalation. The specialists are looking at the future and what needs to be done. But without the basics team, I’d be really uncomfortable.”
The SMB is the next big area for security, he believes. The larger enterprises all have smaller subcontractors, and they will be the easy way in for the hackers, hence the need and interest in the SMB. The small firms will be the entry point to the larger firms, and this is particularly true in the more sophisticated attacks.
“We are in a collection mode at present – where the attackers are collecting entry points in case they need them in future. It is not a new model, but they have different tools now. The reason why we know that some nations have access to our critical infrastructure is that we have access to theirs. The SMB could be collateral damage – it is just so easy. If you need to get into a company, you can. The penetration testers don’t fail – it might just take them longer.”
“I’d like to start moving the needle on the MSPs, to give them education and start them thinking, and help them be more effective, to encourage their customers to take the appropriate risk and make the appropriate investments,” he concludes.
The full report is available for download here.