In this second of a two-part Q&A, Jay Ryerse, vice president, cybersecurity initiatives, ConnectWise, continues the discussion about ransomware attacks on the dealer channel and highlights measures that can reduce the risk. In Part 1, he responded to the recent spate of ransomware attacks on the dealer channel, surmising why these events are occurring and likely to continue happening. This is an edited version of our conversation.
CR: When a ransomware attack occurs, how much of the blame is put on the existing IT staff within the organization? Is that a common scenario?
Ryerse: It is. Owners and executives always point to IT or their outsource [IT] providers. It’s common for either the service providers or the IT people on staff to get repositioned after a cyberattack. At the end of the day, though, compensation drives behavior.
CR: What do you mean by that?
Ryerse: If I own a large business and I have an executive team running that business for me, I’m going to include part of their compensation based on keeping our company secure. But that’s so far ahead of its time. We’re not seeing it in the dealer space yet, but it’s coming.
CR: When a situation occurs and fingers are pointed at the IT department or the service provider, is that always justifiable?
Ryerse: Sometimes. There’s lots of human error that occurs when there’s a cyberattack. People left things open that shouldn’t have been left open. Maybe no one ever trained them. “Hey, you shouldn’t do this because it’s a bad practice and you should know that.” Well, how do they know that? I don’t know about you, but I’ve never spoken to a dealer or IT service provider that has engineers sitting around with nothing better to do. They’re maxed out. One of the first things is education. Technology is moving at a rate today where if they’re not keeping up with the current technologies, how can they effectively do their job? So, who do you blame? Do you blame the executive team, or the IT person that didn’t do their job? If a dealer is providing managed IT services and they’re not keeping their team up to date on current trends and technology and threats, who do you blame?
CR: How do we get around the situation of ensuring that the appropriate education is provided while ensuring that IT staff also have plenty of time to handle their daily responsibilities?
Ryerse: Start by putting somebody in charge of cybersecurity in the company. They probably need a technical background. They don’t have to be technical, but they should understand the technologies and where they fit. We offer training on a lot of this information at our ConnectWise University for our partners and dealers. It’s a place to start. It’s not going to solve every problem, but it gets them on a path and in the right direction.
CR: For a dealer that doesn’t offer managed services, can a ConnectWise assist them?
Ryerse: We can, but we’re probably not the best solution at that point. I would look for a third-party cybersecurity or risk management firm that just focuses on assessing risk and bring them in to do an analysis of the dealer’s network. You want both a tactical and a governance-based analysis. You want to review the policies and procedures. You want to understand the technology, you want to do a third-party pen [Penetration] test that shows where there are gaps. You want to rotate these companies a couple of times a year. Maybe you have your network scanned twice a year, but you use a different company each time because their techniques and tactics might be a little different. This allows you to make sure you’ve got full visibility into where your gaps are and how best to solve them going forward.
CR: What types of gaps might be exposed through a pen test?
Ryerse: Machines and devices that are not updated, not maintaining current patches and patching. We see remote-control tools that are wide open to a single user using a password with no multifactor authentication. Without multifactor authentication and tools in place to control access, it’s easy for somebody with stolen credentials to work their way into their clients’ networks. Next, we see common human mistakes, like leaving the web interface to a firewall open to the internet. It shouldn’t have access into the network to see that port. Often, IT people have a tendency to take shortcuts or do what is on the checklist that nobody ever actually looked at and said, “Is this a secure method of deploying the solution and building out this network?”
CR: How challenging is it to make changes to alleviate these issues?
Ryerse: It’s not hard to adapt those changes and drive improvement, but it goes back to knowing what we don’t know will hurt us. If we don’t know how to deploy a machine securely, or what we thought was secure really isn’t, how will we know? That’s where a third-party validation typically mines that value. Several dealers have gone so far as to hire a CSO (Chief Information Security Officer). These are people with extensive backgrounds in cybersecurity. They’re spending time on the internal first, finding all the vulnerabilities with a vulnerability management program so that they can reduce the impact that any one of these vulnerabilities could cause to them or their clients.
The dealers that are doing that typically find that it takes anywhere from nine to 12 months to get their own house in order. You don’t just hire somebody to flip a few switches and you’re secure; it takes time. You need somebody to look at all the security positions of all your technology and make sure that you’re delivering it correctly and securely.
CR: How pressing of an issue is this for the dealer community?
Ryerse: There’s a lot of understanding and learning that needs to be done at every level of the business. Don’t wait. The longer you wait, you’re going to fall behind because cybersecurity is going to become, if it hasn’t already, the dominant force in technology that we have to solve. It can be done. We will do this, but right now, we’re fighting from a position of weakness. We want to get the dealers out in front of that, give them a chance to build that practice and understand where it fits. Even if they don’t sell managed services, they need to understand where cybersecurity fits in their business and what the impact of an attack on themselves or one of their clients would mean to them.