Written by: Charles Weaver, CEO - MSPAlliance
MSPs are no strangers to the limelight. Very early in the managed services profession MSPs dealt with a variety of public relations issues, mostly centered around the value MSPs brought to their customers. Today, MSPs have another public relations issue brewing, although this one has far more significant consequences to our profession.
Ransomware attacks involving MSPs
The United States Cybersecurity and Infrastructure Agency (CISA) starting issuing advisory bulletins in 2017 and 2018 warning MSPs to be aware of advanced persistent threats (APTs) specifically targeting MSPs. The announcements did not get a lot of publicity, but MSPs began talking about them seriously at industry events (including MSPWorld).
While the focus of these attacks has always been the customer, the methods of achieving success seem to be leaning towards the exploitation of known vulnerabilities impacting MSPs. Specifically, administrative accounts used by the MSPs, such as RMM, ticketing, and other service delivery tools, are being targeted.
The good news is these exploits are extremely easy to fix. The bad news is there are a lot of companies calling themselves MSPs who do not possess strong security skills. These companies are not paying attention to these security bulletins and are potentially putting their customers at risk.
It's out in the Open
It's one thing for the channel press to cover these security issues, but quite another when the non-channel media does it. That is precisely what is happening now, and global MSPs need to a) realize this problem, and b) respond to it.
A recent story featured a medical customer who was attacked by cybercriminals by exploiting the technology consulting company who handled the outsourced IT management. The article describes the devastating effects of the cyberattack and what happened to the customer. The blame is put squarely on the "MSP."
Later in the same article, the author describes attacks on MSPs as increasing. There is only one problem; the technology consulting company was not an MSP. At best, they could be considered a break/fix or reactive IT company, but few people would classify that company as a provider of managed services.

