Is Your IT Provider a Security Dumpster Fire
Many small businesses and a lot of large ones use third party IT service providers called MSPs or Managed Service Providers.
In almost all cases, these MSPs have the keys to your IT universe. They have access to your data. They also have access to all of your access rules. If they also help you with your cloud applications, they that access too.
Sometimes companies use one third party to manage their in-house computers, servers and networks and a different one to manage, say, their Azure and AWS environments.
Here is the situation.
The hackers know that the MSPs have all of this access and, as a result, the hackers target these MSPs. Sometimes the MSPs have decent security, but rarely do they have great security.
Here is a real world case; someone we know and dentists we know. This is public now since Brian Krebs reported about it. If you want to know all of the gory details, you can read Brian’s article, but here are the basics.
This Managed Service Provider was compromised and the attackers loaded ransomware on about 100 dentist’s networks, shutting down all of these dental practices. The MSP didn’t have the resources to repair a hundred networks at once, so it took a long time for them to recover. Some paid other companies to recover. If they didn’t have good backups, their only realistic option would be to pay the ransom. Other examples of MSPs that got hit are PerCSoft and Medix.
Until now that has been your problem.
But now, it has escalated.
If you are a vendor to one or more large companies, many of them are started asking you about your security – and that includes the security of your managed service providers.
In some industries service providers have to sign an agreement regarding their security practices.
Many insurance companies are asking aggressive questions about your security and that includes third parties like your MSPs.
In one industry, the defense industry, it is even more rigorous. Usually the Defense Department is behind the times. This time, they are leading the way.
For companies that need to meet DoD’s CMMC certification requirements, their managed service providers have to meet those same security standards.
From our personal experience, almost no MSPs are ready to meet that standard. That is a two fold problem. First, for the MSPs because if they can’t meet the standard they are going to lose customers. Second, for the customers of those MSPs, it means disruption, finding a new vendor and “breaking them in” and likely more cost to the customers.
But here are more things we are seeing.
Smart MSPs are getting prepared to get certified when the time comes.
Smart customers are looking for new MSPs now, when the timing is under their control.
We are also seeing customers being asked about their compliance with the underlying CMMC standard, NIST SP 800-171, even though the customer of our customer is not a defense contractor. Why? Because these customers are figuring “why reinvent the wheel? If NIST has already come up with a standard for cybersecurity, lets just use that”. I think we are going to see a lot more of that.
So, while legally, only government agencies and their vendors (such as, but not limited to, defense contractors), MUST comply with NIST 800-171, expect that to spread.
We are already seeing other executive branch agencies using it for their vendors. These include the Department of Education and Homeland Security. And there are conversations with numerous foreign governments over the standard.
SO, if you are not thinking about this now, you should be.
If you want to learn a lot more about CMMC, check out this article from the CMMC Center of Awesomeness.