December 28, 2018
Datto CISO: Four Considerations for 2019
In the coming year, you may plan to grow your business, merge with, acquire or be acquired by another managed service provider (MSP), expand your service offerings, move into or out of a vertical market, or focus on maintenance within your existing customer base.
Regardless of your plans, as an MSP, it is important to set aside time to consider the cyber landscape in which you will be operating and to account for its unique challenges in your operating plan. To that end, and as it specifically relates to information security, as you look toward 2019, here are some considerations worth your time investment:
- MSPs will persist as a target for Advanced Persistent Threat (APT) groups: In Q4 of 2018, it became widely published that advanced attacker groups, known as APTs, have chosen to target MSPs and hold them and their customers for ransom. There is no reason to expect that will change as APT groups seek their own profitability on the backs of you and your customers. To that end, map your attack surface relative to such threats, review your controls and processes for gaps and effectiveness, use frameworks like MITRE ATT&CK or the Cyber Kill Chain to structure that analysis, and make sure you have effective countermeasures in place to prevent or detect attacks. Establish your current posture in terms of credential security and password management, deploy MFA on all network entry points (VPNs, etc.) and critical SaaS services, and put those key services behind SSO with MFA for easier monitoring and assurance.
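The control-gap review suggested above can be made concrete by mapping each control in your inventory to the ATT&CK techniques it prevents or detects, then listing the techniques left without either. The script below is an added example, not code from the original post or from Datto: the technique IDs are real ATT&CK identifiers, but the selection of techniques and the control inventory (and which techniques each control is assumed to cover) are constructed for illustration and would be replaced with your own.

```python
from dataclasses import dataclass, field

# Constructed subset of ATT&CK techniques relevant to credential-driven
# intrusions against service providers. The IDs are real ATT&CK technique
# IDs; which ones to include is an assumption for this example.
TECHNIQUES = {
    "T1566": "Phishing",
    "T1078": "Valid Accounts",
    "T1133": "External Remote Services",
    "T1110": "Brute Force",
    "T1021": "Remote Services",
    "T1486": "Data Encrypted for Impact",
}


@dataclass
class Control:
    """A deployed control and the technique IDs it is assumed to cover."""
    name: str
    prevents: set = field(default_factory=set)
    detects: set = field(default_factory=set)


# Constructed control inventory for a hypothetical MSP. The mappings are
# assumptions made for the example, not vendor or ATT&CK assertions.
CONTROLS = [
    Control("MFA on VPN and SSO", prevents={"T1078", "T1133"}),
    Control("Email filtering", prevents={"T1566"}, detects={"T1566"}),
    Control("Endpoint anti-malware", detects={"T1486"}),
    Control("Account lockout policy", prevents={"T1110"}),
]


def coverage(techniques, controls):
    """Return {technique_id: {"prevent": [control names], "detect": [...]}}."""
    result = {tid: {"prevent": [], "detect": []} for tid in techniques}
    for control in controls:
        for tid in control.prevents:
            if tid in result:
                result[tid]["prevent"].append(control.name)
        for tid in control.detects:
            if tid in result:
                result[tid]["detect"].append(control.name)
    return result


def gaps(techniques, controls):
    """Techniques lacking a preventive control, a detective control, or both."""
    cov = coverage(techniques, controls)
    no_prevent = sorted(t for t, c in cov.items() if not c["prevent"])
    no_detect = sorted(t for t, c in cov.items() if not c["detect"])
    uncovered = sorted(t for t in no_prevent if t in no_detect)
    return {"no_prevent": no_prevent, "no_detect": no_detect, "uncovered": uncovered}


def report(techniques, controls):
    """Human-readable gap list, worst (no control at all) first."""
    g = gaps(techniques, controls)
    labels = [("uncovered", "NO CONTROL"),
              ("no_prevent", "no preventive control"),
              ("no_detect", "no detective control")]
    return "\n".join(f"{label}: {tid} {techniques[tid]}"
                     for key, label in labels for tid in g[key])


if __name__ == "__main__":
    print(report(TECHNIQUES, CONTROLS))
```

With the constructed inventory, lateral movement via Remote Services (T1021) has no control at all, and the credential-abuse techniques the MFA control prevents are still invisible to detection, which is the kind of finding that directs where monitoring effort should go next.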
- New and existing domestic and international privacy and data breach regulations will require your time and attention: In 2018, IT professionals around the world shared in the joy that was GDPR. In 2019 (and beyond), we’ll see more data privacy regulations domestically and internationally. These new regulations will be additive to the mesh of regulations and compliance obligations that MSPs already need to understand, comply with themselves, and help their customers comply with. The majority of these laws will continue to require a similar base level of process, controls, and understanding of data security, residency, and privacy measures. To get a head start, help yourself and your customers review where personal data or PII is stored or processed with a data inventory exercise that answers what data exists and where it is stored. Review the controls and processes around access to and sharing of that data. The result will be an understanding of the critical controls and processes to implement ahead of the upcoming regulation effective dates. Even an informal two-hour tabletop exercise to achieve these goals will pay dividends.
- MSPs will expand security services offerings, or consider it: Cyber crime is not going away, and the need for competent professionals who are committed to solving the real security challenges of today and tomorrow is very real. IT professionals who can grok the problem and create a model for cyber risk reduction that addresses the core facets of an attack lifecycle have the opportunity to create tremendous value for their business and those of their customers. As you consider moving down the road to data security or expanding existing services in the space, focus on ensuring you have the right visibility into the network, applications, services, and endpoints. This visibility will enable you to build in countermeasures that provide real security value. Find one control that you can focus concentrated energy into mastering, whether it be a next-gen firewall, an advanced endpoint anti-malware solution, breach detection and response software for threat hunting, dark web monitoring, or something else that makes sense to you. Alternatively, partner with another MSP or a Managed Security Services Provider (MSSP) that is already dialed in on a tech stack and problem area and knows the landscape, in order to create cross-sell opportunities.
- Multi-Factor Authentication (MFA) is almost a table-stakes control to combat attacks: Just as cybersecurity awareness training and next-gen firewalls (a.k.a. UTM) have become widely accepted as table stakes in data security and breach prevention, it is my belief that we are standing on the threshold of multi-factor authentication (MFA or 2FA) joining those ranks. MFA is largely a solved problem that is commercially reasonable thanks to vendor saturation, easy-to-deploy MFA and SSO technologies, and the advent of smartphones that can carry second-factor tokens in mobile apps. Given that attackers focus on using stolen credentials, MFA is a key control for you and your customers that is important to deploy as soon as practicable. I would also not be surprised to start seeing MFA get worked into more regulations in the coming years.
I’ll leave you with one hope I have for the MSP channel in the new year. My hope is that, before folks dive into selling security services, they take a long hard look at their current IT security basics and assure they are being done right and consistently (i.e. configuration and patch management). Getting those core practices and processes working effectively all the time has massive risk reduction benefit and is potentially more effective in protecting customers than deploying the latest security technology. Focus on core OS upgrades as well as third-party applications. Map out the top 10 third-party software solutions that account for the most vulnerability on endpoints under your care and add those to your patching regimen to keep those systems free of exploitable vulnerabilities. From this position of operating effectiveness, you are best positioned to identify protection gaps and make more data-driven decisions on new technology that increases protection.
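One way to produce the "top 10 third-party software" list called for above is to join an endpoint software inventory against a per-version count of known exploitable vulnerabilities and rank products by total exposure across the fleet. The script below is an added example, not code from the original post or from Datto; the product names, versions, endpoint IDs and vulnerability counts are all constructed, and in practice the counts would come from your vulnerability scanner or feed rather than a hard-coded table.

```python
from collections import defaultdict

# Constructed endpoint software inventory: (endpoint_id, product, version).
# Product names are made up for the example.
INVENTORY = [
    ("ws-001", "AcmePDF", "9.1"),
    ("ws-001", "ZetaBrowser", "71.0"),
    ("ws-002", "AcmePDF", "9.1"),
    ("ws-002", "OrbitMedia", "2.3"),
    ("ws-003", "AcmePDF", "10.0"),
    ("ws-003", "ZetaBrowser", "70.0"),
    ("ws-004", "OrbitMedia", "2.3"),
    ("ws-004", "BetaArchiver", "5.5"),
]

# Constructed count of known exploitable vulnerabilities per (product, version).
# A count of 0 means that version is treated as fully patched for this example.
KNOWN_VULNS = {
    ("AcmePDF", "9.1"): 4,
    ("AcmePDF", "10.0"): 0,
    ("ZetaBrowser", "70.0"): 6,
    ("ZetaBrowser", "71.0"): 1,
    ("OrbitMedia", "2.3"): 3,
    ("BetaArchiver", "5.5"): 0,
}


def exposure_by_product(inventory, known_vulns):
    """Sum exploitable vulns per product over every install in the fleet.

    Returns {product: (total_exposure, number_of_affected_endpoints)}.
    A version missing from the vuln table is treated as having no known vulns.
    """
    totals = defaultdict(int)
    affected = defaultdict(set)
    for endpoint, product, version in inventory:
        count = known_vulns.get((product, version), 0)
        totals[product] += count
        if count:
            affected[product].add(endpoint)
    return {p: (totals[p], len(affected[p])) for p in totals}


def top_patch_targets(inventory, known_vulns, n=10):
    """Products ranked by total exposure, then by affected endpoints, then name.

    Products with no known exploitable vulnerabilities are dropped; the result
    is a list of (product, total_exposure, affected_endpoints) tuples.
    """
    exposure = exposure_by_product(inventory, known_vulns)
    ranked = sorted(exposure.items(),
                    key=lambda kv: (-kv[1][0], -kv[1][1], kv[0]))
    return [(p, total, hosts) for p, (total, hosts) in ranked if total > 0][:n]


if __name__ == "__main__":
    for product, total, hosts in top_patch_targets(INVENTORY, KNOWN_VULNS):
        print(f"{product:14s} exposure={total:3d} endpoints={hosts}")
```

Ranking by fleet-wide exposure rather than by per-version severity alone surfaces the widely installed, slightly-behind product ahead of a badly outdated one-off install, which is usually the better first patching target for an MSP managing many endpoints.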