[Approx. 6 minutes reading time]
If you're a business owner, you might be under the impression that your IT needs can be handled by a single person—an IT generalist.
However, what you may not know is that having a cybersecurity expert on your team is essential to keeping your business safe from cybercrime.
Last year, I attended a technology conference with my business partner.
While listening to the speaker, my business partner tapped my shoulder and said, "we have a problem."
I excused myself from the session and stepped into the hallway.
I pulled my phone from my laptop bag and noticed I had several missed calls from the head of my security team.
Over the next several hours, I sat on a Zoom call with my business partner, 2 of my engineers, the head of my security team, and an incident response engineer.
We scrutinized sign-in logs, correlated logon, and access events, and poured over user mailbox settings.
Shortly after 6 pm that day, we concluded a 5-hour long Zoom call and got to work on a BEC Report, or Business Email Compromise Report.
If you've never seen a BEC report before, it's a very lengthy document that outlines:
- An overall Incident Response engagement
- The incident or event that triggered the response
- The scope of the investigation
- A storyline of the attack
- Whether sensitive data was accessed
- A root cause analysis; and
- Recommendations going forward.
This is the type of document you want… to prove that a proper investigation was performed by a recognized authority so that any future legal issues arising from such an incident can be more easily dealt with.
I run an MSP, and while I consider myself a highly competent engineer and technology generalist, I would never consider myself to be a cybersecurity expert.
This is why I hired an MSSP… to be the security experts that my clients deserve.
One of the MSSPs that caters specifically to MSPs is Futuresafe.
I recently spoke with their CEO, Jason Whitehurst, about the differences between IT people and Security people on my podcast, Legends of I.T.
Jason shared several stories with me, including one that was particularly alarming and had me thinking even harder about how to convince people that they must make SIEM (Security Information and Event Monitoring) and SOAR (Security Orchestration, Automation, and Response) a part of their cybersecurity stack.
Jason has a ton of experience working with MSPs (Managed Service Provider), providing them with the cybersecurity tools and expertise they need to service their clients properly.
He feels very strongly that IT people and Cybersecurity people are two completely different animals.
When I asked him to explain why he feels that way, this is what he had to say:
"I could give you countless examples of us sitting in arbitration hearings or lawsuits where the MSP had made some disastrous decisions early on during a compromise that led to the loss of necessary forensic data that was needed to settle the lawsuit or was required by the insurance carrier to pay a ransom on behalf of the client.
I've sat it in those incidents where the cybersecurity stack the MSP had chosen was horribly ineffective and the way it was implemented, without the proper amount of oversight, without the proper SOC (Security Operations Center), without the CISO (Chief Information Security Officer), and without the proper monitoring, was completely insufficient."
Cybersecurity is one of those verticals that will not shed its human capital requirement in the near term.
The folks required to properly monitor for and respond to threats must be skilled cybersecurity experts, not IT generalists.
The IT person and the Cybersecurity expert are two very different things.
Running into MSPs that have landed themselves in hot water is not a new experience for Jason, and often, these MSPs will call Jason when they get into trouble.
I asked Jason to recall an incident response story that drives home the reasons why IT people and Cybersecurity people are fundamentally different.
"We had an MSP contact us whose client had been compromised… of course, he was terrified. He decided to contact the threat actor himself and negotiate a payment reduction. I assume he took this course of action because he didn't want to lose his client. He proceeded to pay the threat actor and then received confirmation that the threat actor had removed the malware and did not have any exfiltrated data from the client network.
As a matter of fact, the threat actor 'promised' that they were no longer in the environment and that contacting the property reporting authorities was not required because they had not actually 'stolen' anything; therefore, it was as if the cyber-attack never took place!This MSP was eventually prosecuted criminally because he took it upon himself to pay the ransom.
There is clear guidance on how ransom payments to cyber criminals should be handled. He was not protected by attorney-client privilege, and the efforts he undertook to communicate with the threat actor and pay the ransom were not covered by his MSA (Master Service Agreement), or any MSA I've ever come across in this business. When an MSP takes action like this, they are doing so within the limitations of liability that are typically included within a standard MSP's MSA.
This happened to a smart IT guy who thought he was making smart decisions and doing the right thing for his client, but every one of those decisions was wrong.
The critical component of this story is that IT people and Cybersecurity people are different.
If you put the average cybersecurity person in that MSP owner's place, they would have made the right decisions throughout the lifecycle of that event.
That is not because one is smarter, but because they think and operate fundamentally different from one another."
What baffles me is that so many MSPs I know of are doing their own cybersecurity work without the help of an MSSP.
At the risk of sounding self-serving, I asked Jason why he thinks so many MSSPs are going it alone.
This was his response:
"I speak with MSPs all the time who hire my firm to conduct a penetration test of their network. I ask them how they handle ongoing cybersecurity requirements for their clients, and they tell me they feel confident in their tools and how they handle their own security. They don't believe that the assessments we conduct will discover any vulnerabilities because they feel like they have it well handled; however, when we're done with our tests, we find this is seldom the case.
I believe these MSPs are handling their own cybersecurity and the cybersecurity for their clients because they've been inundated with information from vendors who want to sell them something. These vendors convince the MSP that they can handle this on their own, without knowing whether or not the MSP has the requisite security people on staff to handle cybersecurity work. You wouldn't ask a SQL developer to handle server administration and there is an even bigger difference between IT people and security people."
This makes me wonder…
How many businesses out there are being serviced by MSPs who have convinced them they are cybersecurity experts, and how many of those businesses will fall victim to a cyber-attack in the next 12 months?
How much will it cost those businesses and when all is said and done, will they even understand that this event that cost them thousands or even millions of dollars could have been prevented?
As a business owner or IT leader, learning how to ask the right questionswhen searching for the right IT vendor is critical.
Additionally, IT people who work in the enterprise must also understand that cybersecurity is a specialized skill set that should be handled by the folks who have received the proper training and have the proper experience to handle cybersecurity incidents.
