Third-Party Managed Services Providers Weigh in on Cybersecurity Threats, Education, and Awareness
Is the term “internet terrorism” overly dramatic? Maybe, maybe not. The U.S. Department of Justice (DOJ) doesn’t seem to think the descriptor is too strong. Actions speak louder than words, of course, which is why the DOJ brought charges against two alleged Chinese hackers late last year, the week before Christmas. The men are accused of conspiracy to commit computer intrusions, conspiracy to commit wire fraud, and aggravated identity theft.
Governments, vendors, and research companies all need to collaborate to prevent serious security breaches, noted Greg VanDeWalker, senior vice president of IT channels and services at GreatAmerica Financial Services Corp. “Bad guys are always figuring out new ways to attack,” he said.
Research shows that cybercriminals are releasing new network threats at an alarming rate of eight per second, according to security software firm McAfee, which also reports that internet of things (IoT) malware and cryptocurrency-mining malware both rose more than 70% in the third quarter of 2018. Meanwhile, Experian Data Breach Resolution predicts that biometric data such as touch identification sensors, facial recognition, and passcodes are primary targets this year.
Some computer hackers are playful, trying to prove a point and demonstrate how clever they are. In late November, for example, the security of 50,000 printers was compromised to promote a popular YouTube personality. The hacker said he or she had identified 800,000 printers with open security settings.
“Printers, scanners, and MFPs are the No. 1 hack entry point and have been for a while, so that’s nothing new,” said Michael George, CEO of Continuum Managed Services.
More serious hackers, however, try to evade law enforcement and can be downright vicious. Identity thieves want credit-card numbers, and they want them now! Know this: Your firm and your customers are only a single click away from a security breach. Some unknowing victims of cybercrime haven’t a clue their data has been breached.
“It can take time for the impact to be leveraged,” observed Brian Downey, Continuum’s senior director of security product management. “Someone might not notice unauthorized access until six months after a breach. That’s one reason why real-time SIEM alerts are so important.” (See sidebar “Three Security Terms You Should Know”)
Security and information technology (IT) concepts often seem complex to many small- and medium-sized businesses (SMBs).
“The business landscape is scary, and we are all susceptible,” acknowledged Downey. “The challenges for SMBs are to identify the necessary portfolio of protection and to employ the right tools. What’s the right, layered structure for a given company?”
Sometimes, there is a common thread, such as ransomware, Downey noted, and this puts the end user in a vulnerable state. Companies have to ask themselves whether their risk is high or low for ransomware.
Other tactics, like cryptojacking, operate behind the scenes. Cryptojacking is the unauthorized use of someone else’s computer to mine cryptocurrency (think Bitcoin). Hackers do this by either getting the victim to click on a malicious link in an email that loads crypto mining code on the computer, or by infecting a website or online ad with JavaScript code that auto-executes once loaded in the victim’s browser.
Counter with Automation and AI
Fight automation with automation and artificial intelligence (AI), urged Continuum’s George. The company offers software and remediation services featuring remote monitoring and management (RMM), as well as back-up and disaster recovery (BDR). According to George, there are 1.25 million devices or end points in the average company’s network.
Many cyber-criminals now employ social-engineering tactics to play on emotions, according to Mark Murphy, practice director, Security Services, at Konica Minolta’s All Covered subsidiary.
“Most people want to do the right thing, to be helpful, to please and do a good job,” he said.
But these positive traits can be preyed upon by hackers, who then apply the acquired data toward something nefarious. Social engineering is one of the latest attack vectors.
In the cyber galaxy of email phishers and network hackers, code crackers and breakers are good guys who wear the proverbial white hats. Third-party managed IT service providers such as All Covered and Continuum have their fingers on the pulse of security concerns at their office equipment dealer and customer sites. Another provider is Collabrance, a Master MSP that helps service providers profitably scale their managed IT services businesses. Through companies like these, dealers can provide end-user customers with live-answer help desks and network operation centers (NOCs) that otherwise would be very expensive and, in many cases, cost-prohibitive propositions.
The parent company of Collabrance is GreatAmerica Financial Services Corporation, which handles highly sensitive information. The firm “funds its business by making commitments to Wall Street,” according to GreatAmerica’s VanDeWalker, so they know a thing or two about security.
“Security is not binary,” he said. “You’re either safe or you’re not. As long as you have employees, you have risk. It’s a sliding scale, a spectrum. And it’s everybody’s job, not just some firewall in a data center somewhere.”
GreatAmerica and Collabrance conduct penetration testing and phish their own employees to see if they click on click bait, shared VanDeWalker. “Users are culprits most of the time.”
From huge companies like General Electric to small businesses such as the local dry cleaners or a restaurant in Grand Junction, Colorado, employee awareness and education are the keys when it comes to network security, he said. “A typical hack can be devastating to a small business, and you’re not too small to get hacked if you have credit card info.”
Filtering can weed out only so much spam, according to VanDeWalker. The “soft” side of security is employee training. But to what extent are people willing to invest in it? About a year ago, Collabrance hired a vice president of information security services, putting its money where its mouth is.
“We have multiple layers and stages of security, roadways for our future,” stated VanDeWalker. “You can’t make investments all at once.”
On the enterprise level, things can change on the fly, and Collabrance has people on its team monitoring the web 24/7, 365 days a year, looking for oddities. If they flag something as odd, an alert goes out.
Selling IT vs. Buying It
For copier-equipment dealers offering managed IT as a third-party provider, how do MSPs sell these services effectively? It’s not really that difficult these days, according to VanDeWalker. The question you want to ask your end-user customer, he said, is: Are you interested in operating your overall business in a more secure way?
While it’s hard to imagine anyone saying no to that rather rhetorical query, if a prospect did, then, as with any sales pitch, reinforce their concerns by presenting the business case as to why they need to take advantage of these services.
“Again, no business is too small for security considerations,” VanDeWalker reiterated.
Many dealers are concerned about taking on some SMBs as customers and with good reason.
“Some [prospects] are too risky,” emphasized VanDeWalker. “To what extent are they willing to adopt what you are proposing? Some factors are non-negotiable. If they don’t [already] have a proper firewall, proper back-up, and proper anti-malware in place, we won’t bring them on as a customer.”
End-user training also is critical in the dealer channel. VanDeWalker recommends hiring a third party to do penetration testing.
“When they are hacked, they’ll need to get [systems] back up in a relatively short period of time,” he stated.
Continuum’s George emphasized that, unlike traditional managed services, security is not a “confidence” buy.
“Security is different,” said George. “It’s a ‘trust buy.’” That being said, George added what a great opportunity it is for people in the office equipment space: “They can enter managed services through the security pathway.”
Practicing what they preach is an important mantra for third-party IT providers, or “eating your own dog food,” as Konica Minolta’s Murphy put it.
“Internally, you have to practice sound hygiene, [employ] SIEM, manage firewalls, and hunt for threats using solid scans that manage vulnerability and configuration changes on web servers,” he advised. “The core competencies of security are pretty basic, but how you do it and how you prioritize can pose challenges.”
Even basic security needs to be taken seriously. Being lazy and using default means and passwords make it too easy to get in and too easy to lock everyone else out, Murphy warned. And he’s not just talking about Windows patching either.
“All these things are required but can be difficult to execute,” he cautioned.
The challenge lies in identifying each customer’s needs, and the first step is locating all their assets.
“Everybody has gaps,” Murphy asserted.
A prime example is ransomware. It typically spreads through phishing emails or when a user unknowingly visits an infected website. One indiscriminate click or link, and critical data is encrypted.
“It’s all about security awareness,” said Murphy. “People have to be trained in what to look for and what not to click. Most of the time it is too late if someone does click.”
Then, you’re only as good as your back-ups and disaster recovery. Even telephony can penetrate and pivot into a network, according to Murphy, which is why malware analysis and protection is so important.
Realistic or cynical?
“It’s a foregone conclusion that everybody is being breached or is in the process of being breached: every database, every client, every customer,” warned Murphy.
Continuum’s Downey believes Microsoft Office 365 subscriptions and SaaS and cloud computing increasingly are hacker targets about which SMBs should be concerned.
“The cloud exposes weaknesses and changes how we look at protection because the effectiveness of firewalls is reduced,” said Downey.
“Security is a journey,” Downey continued. “Concerns need to be identified (systems, environments, types of threats), then the gaps need to be filled, some with technology, some with people.”
Cyber security needs to trigger an instant response, just as any other disaster does, such as a hurricane, winter snowstorm, or other loss of power, pointed out Murphy, who lamented that we’re not there yet.
“A lot of companies have plans in place, but in some cases you will be judged on how you execute that plan,” he stated.
All Covered can design a plan, manage it, and test it. In the event of the inevitable security breach, preserving the data is key.
“Having the data is like having third-party forensics,” concluded Murphy.
# # #
Three Security Terms You Should Know
- Phishing is the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information such as passwords and credit card numbers.
- A distributed denial-of-service (DDoS) attack occurs when multiple systems flood the bandwidth or resources of a targeted system, usually one or more web servers. Such an attack often is the result of multiple compromised systems (for example, a botnet) flooding the targeted system with traffic.
- Security information and event management (SIEM) is an approach to security management that combines SIM (security information management) and SEM (security event management) functions into one system. SIEM systems provide real-time analysis of security alerts generated by applications and network hardware. SIEM might not apply to many small and medium-sized businesses (SMBs).