This week’s blog features an article from our partners at Huntress “Reducing cyber risk and liability with managed threat detection”.
In the business world, there’s always some type of risk involved. But in the last two decades, cyber risk has become one of the fastest growing threats. In fact, cyber risk is listed as the third most important business risk in 2021.
At its most basic level, cyber risk is the risk of damage to an organization through cyberattack or infiltration.
Let’s take the SMB market as an example. As their technology environments have become more complex, they’ve also become more vulnerable, and their cyber risk has grown. SMBs often lack the budget, staff or resources needed to stand up a proper cybersecurity practice. And for the managed service providers (MSPs) who have set out to protect their SMB clients, providing security services also includes a level of risk and liability.
But here’s some good news: there are steps you can take to lower risk and liability for both MSPs and your clients. Read on to learn more…
What’s Your Cyber Risk?
In a best-case scenario, a cyberattack ends with a simple intrusion. There was no exfiltration or modification of data, and any potential persistence mechanisms were located and removed. This means there’s no cause for concern because the environment is safe. Even more so, you’re walking away with a lesson learned—improving security and patching up a previously unknown vulnerability.
However, in a worst-case scenario, the situation can spiral out of control. Hackers have breached your or your client’s network, and you’re unable to locate or stop them as they actively exfiltrate critical data. The infection may be spreading to other machines and the network file share, destroying backups as they go.
What Is a Managed Service Provider Liable For?
When a breach happens, clients are going to want to blame someone; depending on how an attacker got in, that someone will likely be you. Regardless of how good of a relationship a managed service provider has with its SMB customer, the MSP will be held liable to some degree.
Of course, the severity of the breach can only be determined once you perform an extremely time-consuming and intensive investigation. You’ll have to comb through every log and line of code so you can build a timeline that lets you determine when and where the breach occurred and everything that happened from that point on.
You’ll also need to do a thorough review of every asset you have connected to the network, such as:
- Protected endpoints
- Attached storage devices
- Mobile devices
And you can leave no endpoint to chance. You have to ensure there’s no lingering malware tucked away in a hidden corner of the environment. If you don’t, the breach and the aftershocks could happen all over again.
To protect your MSP and your SMB customers, there are several safeguards you can take that will also lower the risk and liability of providing your services to an SMB. We recommend the following course of action:
- Identify Your Assets
- Get It in Writing
- Be Quick to Respond
1. Identify Your Assets
To identify your assets, you first need to understand the Identify stage, the primary phase of the NIST Cybersecurity Framework. Most people assume Identify means identifying threats, but it actually means you need to acquire situational awareness of your assets and the potential impact they could have on your network. This includes
Each of these has its own set of vulnerabilities that could potentially open your environments up to an increased risk of cyberattack.
While a network diagram gives you full visibility into every device, software and system on your network, it’s not something that remains static. As your business grows, you’re bound to add more solutions, changing the configuration of the environment. This means you need to rediscover your layout periodically, giving yourself an up-to-date network diagram and a solid foundation to protect yourself and your clients.
2. Get It in Writing
The written agreements and contracts you establish with your customers will protect all parties involved if a data breach goes bad. These upfront agreements can help:
- Stipulate security conditions that both parties must maintain, such as timely installation of network patches and continued education.
- Require the purchase of a cyber insurance policy.
- Establish actual monetary value for different types of cyberattacks.
All of this should be ironed out and agreed to from a legal perspective so there’s a clear understanding of what is expected and what can be done. If a prospect isn’t willing to abide by these agreements, then you have to decide if they are worth the liability.
No matter the amount of additional revenue, it may not be worth the risk to your organization if they’re not willing to implement the most basic security measures.
3. Be Quick to Respond
When a cyber or ransomware attack takes place, the goal of the managed security service provider is to catch the threat as early as possible so you can disrupt the attack process.
Step one? Remain calm and activate your endpoint detection and response plan.
Your response plan should be predetermined and answer key questions such as:
- What is the nature of the cyber or ransomware attack?
- Who is involved, and what are their roles?
- When do you communicate with external parties?
- What is our step-by-step process?
- Which customers are our top priority?
The most important thing is to implement a response plan as soon as possible to minimize the impact of the attack. And in addition to being able to prevent attacks, the key to quick response is an ability to detect if systems or data have been compromised and mitigate damage when they are.
This is one of the reasons why Huntress offers their Ransomware Canaries service. It enables faster detection when ransomware hits a protected endpoint, allowing you to quickly implement your incident response plan and keep the incident closer to the best-case scenario we discussed earlier.