
Rising Attacks on MSPs: Why Small and Medium Sized Businesses Should Think Twice Before Handing Over Control to Managed IT Service Providers

The mid-market businesses of our country are worried about a lot of things. They’re worried about their bottom line, hiring and retaining talent to take their company to the next level and meeting ever-demanding client expectations.

That’s what makes the prospect of using a managed IT service provider (MSP) so appealing to these companies. IT is generally not a core focus of small and medium-sized businesses, so MSPs remotely manage a client’s IT infrastructure, relieving these companies of the need to hire multiple IT professionals.

Appealing? Yes, certainly—but there are risks that can lead to catastrophic consequences if the proper diligence isn’t done to vet a possible MSP partner.

These providers take care of a business’s servers, desktops and patching, load new software and configure new PCs for companies. What does this mean? It means that MSPs have access to and control over a colossal amount of data and information, and that’s what makes them hot targets.

If a single company is breached, the perpetrators of the attack often have access to that business’s data alone. When an MSP is breached, the perpetrators of these attacks often have access to the data of thousands of companies who have handed over their most sensitive information and IP to the third-party provider.

For example, in May, cloud services provider Cetrom suffered a malware attack that had a direct impact on systems used by CPA firms. The virus shut down business for Cetrom until they were able to solve the issue using a third-party forensic security company, and the extent of the damage from the breach is still unknown.

Another set of examples comes from a threat actor group named APT10, which is allegedly based in China and is directly targeting MSPs in order to gain access to third-party customer networks.

The attack campaign has been named “Operation Cloud Hopper”, and so far at least nine global MSPs have been hit by APT10 attacks.

According to a report from CRN, APT10 used remote desktop credentials stolen from a Visma employee in order to access the company’s network in August 2018. APT10 then returned in the following two weeks in order to gain further access to the company’s corporate network.

The attacks have compromised thousands of systems belonging to MSP clients, with the MSP itself facing millions of dollars in ransom demands.

These types of breaches have become so common that the U.S. Department of Homeland Security (DHS) issued a bulletin to the world in 2018 noting the trend, and stating that if your business is using an MSP then it is of utmost importance to investigate the provider’s resilience because they could be vulnerable to attacks and compromise.

“Using an MSP significantly increases an organization’s virtual enterprise infrastructure footprint and its number of privileged accounts, creating a larger attack surface for cyber criminals and nation-state actors,” DHS said in the bulletin.

There are several questions that businesses should take into account when considering whether or not to allow an MSP to handle their IT infrastructure. Here are a few examples:

  • Does the MSP have a business continuity plan in place?
  • What does the MSP’s incident response plan look like and how am I involved after a possible breach occurs?
  • Are there service level agreements enacted?
  • Have proper cybersecurity measures been put into place to protect my data and the MSP in general?

These are questions that a third-party cybersecurity team can certainly help businesses answer and monitor down the road.

According to Dark Reading, nearly “90% of small- to midsized businesses (SMBs) would consider hiring a new managed services provider (MSP) if they offered the right cybersecurity solutions, and nearly half would pay at least 20% more for the right security solutions from a new MSP.”

Brian Downey, a senior director of security product management for Continuum, shared a report with Dark Reading that his company drafted after collecting data from 850 mid-market businesses around the world. According to Downey, these businesses know they aren’t fully protected when they hand over their data to MSPs and are willing to pay more for a service that prioritizes cybersecurity.

It’s vitally important that these businesses make cybersecurity measures non-negotiable when choosing their MSP, and they shouldn’t be afraid to switch providers if they think their current MSP isn’t doing enough to keep their data safe.

Utilizing an MSP can be a double-edged sword. If you’re a mid-market business, you likely don’t have an IT department that is fully capable of properly managing an IT infrastructure, especially if you’re handling massive amounts of data. This forces a situation where an MSP should be approached; the trick is making sure it’s the right one given the risks involved.