Your IT Service Provider Might be Your Biggest Security Gap
Many small to medium-sized enterprises depend on IT service providers, also known as Managed Service Providers (MSPs), for cost-effective IT infrastructure management and security. However, IT service providers are increasingly being targeted by hackers, and some IT vendors are unable to adapt quickly enough to protect their clients because of hiring budget constraints and a lack of client education about proper IT security processes.
MSP-Targeted Attacks on the Rise
In fact, according to security provider Check Point Software, the frequency of MSP-targeted cyberattacks rose by 67% between 2020 and 2021.
The large-scale Kaseya attack in July 2021 was a prime example of the risks MSP cyberattacks pose. Kaseya, a provider of IT management and security software for small to medium-sized MSPs, unknowingly delivered ransomware to over 50 Managed Service Providers that used their product after their servers were hacked. The attack paralyzed more than 1,500 organizations.
In addition, ConnectWise’s recently released 2022 MSP Threat Report predicted a continued rise in MSP-focused ransomware attacks in 2022 and beyond.
Why This Problem Exists
What’s clear to those of us in the IT industry is that we have a problem. The question is “why?”
The answer is… it’s complicated.
For starters, the IT profession has a labor problem. The growth in IT jobs in the U.S. has consistently outpaced the number of qualified candidates available to fill open positions. The Bureau of Labor Statistics estimates that over 500,000 new technology jobs will be created in the next decade while U.S. universities are only graduating approximately 35,000 CS degree students per year. Demand is outpacing supply.
Because of this, tech salaries, especially for the most talented employees, have continued to increase faster than in most industries. For many MSPs, talent has become so scarce and so expensive that hiring the level of skill required to solve the most current set of security challenges is difficult. Because of this, often a case of “the cobbler’s son has no shoes,” MSPs can lag behind current security management standards.
Informational asymmetry is also a problem. How can you be sure you’re dealing with someone who knows what they’re doing? Much like hiring a lawyer or accountant, the relationship you’ll have with your IT provider is built primarily on trust and track record, because of the difficulty consumers have judging work quality.
How Weak IT Affects The End User
Unfortunately, you often won’t know you have weak IT until it’s too late, and the cost of hiring the wrong help can leave you unable to operate your business. To make matters more frustrating, many of the businesses that have experienced a breach originally trusted their MSP, so how do you trust your own judgment?
This informational asymmetry problem is exacerbated by the many convoluted ways IT services companies charge for their work, and how they communicate the value they provide.
For example, on any given day you can receive a proposal for IT services that charges by the number of devices you have, by the number of users who will be supported, as a flat fee, or as an hourly fee based on work done. Similarly, a basic service package might include just monitoring and basic anti-virus protection, which is not enough to really prevent an attack. Another vendor’s agreement might be worded similarly, but include unlimited helpdesk, onsite support, projects, after-hours support, high-level security threat detection and network monitoring, vendor management, and virtual Chief Information Officer services.
As you can imagine, the price difference between the packages can be dramatic. So why is this all so complicated?
It’s a common joke within the IT industry that many businesses are just not prepared to invest what is really required to maintain good IT standards. Instead of losing 100% of your business, many service providers make the choice to take some of your money, hoping to eventually convince you to upgrade to better service packages. For some businesses, the choice to go with the cheaper plan has few consequences. For other businesses, the difference in cost and the hard-to-compare packages create a perverse incentive to underspend on IT infrastructure, which can be potentially very harmful.
What You Can Do
We have three recommendations to help you:
1) Treat IT as a Critical Role
Unlike many positions, the cost of a poor IT hiring decision can be catastrophic. Much like hiring a bookkeeper who may have access to your check stock and banking information, an IT person will control the fate of all your company’s data. You should feel confident that whoever you choose to work with is a trustworthy, responsible person, because this is the one thing you have within your power to assess well. If possible, we also recommend you seek help from a neutral third-party expert to assess your options.
2) Trust but Verify
If your IT provider does not already provide it, we recommend you create, at a minimum, a quarterly reporting process to verify security tasks are being completed. In addition, we recommend you review your IT department annually, just like any other employee. With IT service providers, ensuring that work is being completed is critical to your security, so it is often wise to use an outside IT expert to evaluate your provider.
3) Ask for a Referral from a Credible Professional
Not all referrals are created equal. As you know, some people in your professional network are more capable of evaluating IT vendors than others. Our recommendation is to seek the advice of multiple professionals who understand your IT needs and have dealt with multiple IT providers.
Ozark Technology is a Business Technology Provider that helps organizations across the country rethink the value technology brings to their business. Want to partner with us? Let’s chat.