A Key Cybersecurity Threat: Targeting of IT Vendors by Cybercriminals
A managed service provider (MSP) is a company that remotely manages IT infrastructure for customers on a proactive basis, typically under a subscription model. Many small businesses rely on MSPs to varying degrees, from supporting internal IT resources to outsourcing an entire IT operation, and everything in between. Overall, the relationship between a small business and an MSP can be deeply interconnected.
Rose & Kiernan, Inc. uses Beazley Breach Response (BBR) Services for a large number of our clients. Recently, Beazley reported an increase in ransomware attacks on MSPs. We know from previous analyses that small businesses can be more vulnerable to cyber-attacks. According to Beazley, small businesses made up 63% of all ransomware incidents reported to BBR Services in 2019. Beazley also noted a 37% increase in incidents targeting IT vendors (MSPs) in Q3 2019.
Why the increase? According to Joshua Dann of Lodestone Security, “MSPs have to balance a need for speed and convenience when it comes to being able to respond to clients, with ensuring the right security controls are in place. Too often, speed and convenience win out over security controls.” This should not (and cannot) be the case.
It’s vital for companies to thoroughly vet potential IT vendors (MSPs). To help you out, Beazley provides the following checklist questions:
- Does the organization have a security program in place? This would include periodic risk assessments.
- Does the organization have ongoing security awareness training?
- Does the organization have an SSAE 18 SOC 2 Type II report or similar type of report available to customers?
- Are security and availability requirements enforced in master service agreement contracts with the organization?
- How does the organization protect protected health information (PHI)?
As a business owner, it’s imperative to be aware of any and all risks. You take measures to protect your data, and you want the vendors you work with to do the same.
Of course, cybersecurity insurance is important and recommended, as it helps a business recover from a security breach or other cyber event. For more information on Rose & Kiernan’s cybersecurity risk management, please contact us at firstname.lastname@example.org.