While the so-called SolarWinds data breach was originally characterized by some as an “act of war,” that’s probably unfair. It’s better classified as an act of espionage or an intelligence-gathering operation—by an adversary. In other words, there could be more—and even worse—still to come.
The potential ramifications, both near and long term, are enough to keep leading cybersecurity executives up at night—especially since many SMBs (and the MSPs that serve them) are still inadequately prepared to respond from cybersecurity and business perspectives. That needs to change, according to executives on a cybersecurity panel powered by the CompTIA ISAO at CompTIA’s Communities & Councils Forum.
“The cost of mitigation to government and industry will be significant. It may be time to restore public confidence and the integrity of our cyber ecosystem,” said Samuel Spector, director of U.S. government affairs and public policy at BlackBerry. “But for me, the nightmare scenario involves the adversary using the information to sabotage, manipulate, disrupt the data or physical infrastructure controlled by governmental or private sector. Something we didn’t see this time around.”
MJ Shoer, CompTIA senior vice president and executive director of the CompTIA ISAO, agrees with Spector’s take.
“SolarWinds is not a hack or breach the way it’s constantly reported. This was an intelligence operation,” Shoer said. “What worries me is that the connection of dots between areas bears watching. We haven’t yet drawn out what those connections could mean. But it is a watershed moment to talk about cybersecurity.”
Rising Cost of Cyber Risks Demands More Attention, Action
There are 29 million small businesses in the U.S., many of which don’t understand how vulnerable they are to a cyber event, nor how to respond, according to Jay Ryerse, ISAO EAC vice president of cybersecurity initiatives at ConnectWise and member of the Executive Advisory Council of the CompTIA ISAO.
“They don’t know what they don’t know. That could come back to hurt them. They don’t have [great] visibility and they’re not seeing what’s coming in on their networks. Small businesses don’t have big budgets, so balancing security with [other costs] is always an ongoing issue,” Ryerse said.
Just a few years ago, the average cost of a ransomware attack was about $4,000. Late in 2020, it was $178,000. “When it was $4,000 it wasn’t the end of the world for a small business. Now it could be,” Ryerse said. “This is causing conflict for small businesses already challenged with COVID.”
It’s not just customers that need help protecting against cyber threats at any given time. MSPs also need assistance to ensure they’re protecting clients too, said Tracy Holtz, director of security solutions at Tech Data and co-chair of CompTIA’s Cybersecurity Advisory Council.
“How do we help partners stay ahead of attacks? Keep it simple. There are very elementary skills lacking in IT organizations today that are creating vulnerabilities. Also looking at the right technology, services, education, and help with the partner community,” Holtz said.
Sophisticated attacks like the SolarWinds event aren’t going to go away—they’re going to get more sophisticated and more targeted, Holtz said. As a result, businesses of all sizes need a sharp focus on lowering their risk and being more resilient. That means more technology, more education, more collaboration from MSPs and other solution providers.
“The stakes are getting higher. When you think about cybersecurity, you’re betting all the time. You put your best defense forward and lower your risk,” she said.
Alex Rutkovitz Spigel, COO of Choice Cybersecurity and chair of CompTIA’s Cybersecurity Community, said she talks to customers every day who lack education and awareness of cyber risks.
“They don’t know where their personal identifiable information lives. We ask when we go in and they say things like ‘We don’t have sensitive data,’” Rutkovitz Spigel said.
Of course, the MSP discovered that the customer had sensitive information stored in a number of different areas. “There’s a huge source lack of communication internally. Finance doesn’t talk to HR. They have the same sensitive data, but they’re not using it the same way, they’re not on the same page,” Rutkovitz Spigel said. “We’re only as strong as our weakest link, and we’re protecting those weaknesses where we can.”
Collaboration, Education Are Key to a Better Defense
Ransomware attacks have increased in both frequency and severity for three reasons, according to Jacob Ingerslev, head of global cyber risk at The Hartford, which offers cyber insurance to businesses. First, cryptocurrency has become the go-to format for ransomware payments. Second, criminals are more organized. Third, they have better tools to collaborate and identify targets.
Cyber insurance for ransomware, hacks and other incidents offers some protection, but with the dizzying increase in the size and magnitude of attacks, insurance companies have also taken on an increased role in educating customers on the need for increased protection, Ingerslev said.
“SMBs are struggling with this. We increasingly use automated tools for risk assessment. We also use them for conversation starters. We can say, ‘This is what we see. Here’s a report. We encourage you to make these changes to be a less attractive risk to threat actors out there,’” said Ingerslev.
The market is receptive to this information but there’s a long way to go because ransomware attacks are no longer limited to enterprise-sized targets. “We have an important role to play besides insurance. All that said, today, unfortunately some [attacks] are not preventable. An SMB does not stand a chance against a nation/state actor,” Ingerslev said.
Ryerse likened an MSP’s role right now to being a fire department.
“If you think of being an MSP, we are really good at running into fires. When there’s a problem, firefighters take on the challenge. Going forward, we need more fire marshals who are analyzing the impact of business from a cyber-attack, figuring out where data is located, what is the third-party risk to a business,” Ryerse said.
That fire marshal role has become increasingly relevant during the pandemic, he added.
“We rushed to work from home, in uncontrolled environments. [Many people] are not using VPN,” Ryerse said. “How do we instill that proactive view in the world? If we get that message right, we can take more of a fire marshal approach, then Jacob has less claims to process.”
CompTIA’s Shoer noted that the last breach he was involved in when he ran an MSP business had nothing to do with failed technology, and everything to do with poor business controls.
“A big part of what we’re trying to do with the CompTIA ISAO is bring that threat intel into an actionable and understandable format for MSPs that need to understand there’s more than just tools and technologies to address the problem,” Shoer said.