The newest cybersecurity threat to your business may not be targeting you directly. It may be targeting your IT service provider.
Managed Service Providers (MSPs) are outsourced organizations that manage the IT for small and mid-sized companies. Rather than hire a team of IT professionals, these companies often use an MSP to take care of their IT so they can focus their time and energy on the rest of their business.
Hackers have identified that, rather than trying to infiltrate individual companies, it’s easier to target MSPs. By hacking into one MSP, they can infiltrate multiple companies simultaneously through the remote management software that the MSP uses for its clients. Because an MSP may service dozens if not hundreds of companies, infiltrating just one MSP gives attackers the potential to install ransomware on dozens if not hundreds of businesses at once.
A nearby example of this was in the news this summer. PM Consultants, Inc., a Portland-based MSP, was hacked and their software used to place ransomware on dozens of dental clinics that they serviced in Oregon and Washington. PM Consultants was not able to remedy the situation with any of their clients, and they closed their doors shortly after the incident. The dental offices had to call other IT firms to help them out, had to cancel appointments, and shut down their offices for days as they sorted through the mess.
This is starting to become the norm. An MSP in Texas that served municipalities across the state was hit in August, shutting down 22 cities for weeks. In Wisconsin, another MSP was targeted, which left 400 dental practices across the country without access to their files. And just last week, 100 dental offices were shut down in Colorado because their IT provider was hacked. These are just a few examples of the dozens happening across the country.
IT companies are not cybersecurity companies
Many companies believe that, by having an MSP take care of their IT, they don’t have to worry about cybersecurity anymore. Unfortunately, IT does not mean cybersecurity. Many MSPs lack the expertise and the training to deal with the ever-evolving cybersecurity landscape.
If you’re using an MSP, make sure you understand whether or not cybersecurity is part of their DNA. Here are a few questions you can ask to find out:
- Are they SOC 2 Certified?
- Do they have dedicated “Trained and Certified Cybersecurity Professionals”? What certifications do they have?
- What is their coverage and can they provide a copy of their insurance certificate?
- Are they audited by a third party which looks at security and privacy practices?
- Do they have a third party audit how they handle sensitive client data?
- Do they have a third party auditing their own internal technology for security vulnerabilities?
The SOC 2 certification is a “Good Housekeeping” seal for MSPs. SOC stands for “system and organization controls,” and the controls are a series of standards set by the AICPA (American Institute of CPAs) to “provide specific users with information about controls related to security, availability, processing integrity, confidentiality or privacy.” Becoming SOC 2 certified means that the organization has proven that its operations are in line with general security practices.
Choosing an organization to take care of your IT is critical. Do your due diligence now to avoid surprises later.