There has been a troubling rise in ransomware attacks on supply chains, with such attacks having tripled between 2019 and 2020. This year alone has so far seen a disturbing string of high-profile ransomware attacks, including those against Colonial Pipeline and Kaseya. Supply chains critical to the energy, food and IT infrastructures are increasingly at risk, and threat actors are coming up with more sophisticated ways to exploit vulnerabilities within these supply chains. Because of this, traditional cybersecurity tactics are no longer enough, and this applies not just to large and prominent organizations but to smaller businesses as well. Understanding some of the factors behind current trends can help organizations who wish to survive the new era of cyberthreats to take proactive measures to protect themselves.
The growing role of MSPs and MSSPs
What recent supply chain attacks are showing is that managed service providers (MSPs) and managed security service providers (MSSPs) are increasingly becoming points of vulnerability that ransomware groups can exploit. This is somewhat ironic in that cybersecurity is one of the services commonly offered by MSPs, and in the case of MSSPs it is their entire focus. But it is also not surprising: MSPs and MSSPs not only increase the attack surface of the companies that use them, they also give cyber criminals a way to reach many organizations at once, which makes them attractive targets.
MSPs are expected to grow to a $296 billion industry by 2023, and over the next year or so, roughly 70% of organizations will outsource security to an MSP or MSSP. For small companies, especially, this growth is good news in the sense that MSPs and MSSPs make it possible for many of them to access services they otherwise would not be able to afford. But, it also makes them more vulnerable, as seen with the attack on Kaseya, in which up to 1,500 small businesses were affected.
How organizations can better protect themselves
Despite the potential risks, organizations shouldn’t necessarily stop using MSPs because there are certainly benefits to doing so. Rather, they can continue to take advantage of what MSPs and MSSPs have to offer while also doing their own due diligence to reduce the likelihood of getting hit with ransomware.
For example, when an organization is considering an MSP or MSSP, it should examine the security specifications of that provider and determine whether the provider has previously been involved in any breaches. Businesses will also want to make sure that the trust relationship that lets an MSP or MSSP into their network is as tightly secured as possible. For example, they can ask the MSP to conduct periodic penetration tests and make the results of these tests transparent so that any security gaps in the networks can be addressed. It is in companies' own interests to take such a proactive, involved role and not leave such important matters of security entirely to the MSPs and MSSPs.
In the current era of constantly multiplying threats, organizations, including those currently using only one or the other, may also want to consider using both an MSP and an MSSP. Even though MSPs may offer some security features, cyber criminals have more sophisticated methods at their disposal than ever before. Since MSSPs approach everything through the lens of security, using both an MSSP and an MSP frees the MSP to focus on the daily upkeep of managing a company's network while the MSSP bears the brunt of the responsibility for keeping it secure. Organizations should also remember that even though improving security definitely involves a cost, it can be far costlier in the long run not to make that investment.
Small companies are equally at risk
Large organizations generally understand the risk of ransomware attacks, or at least they do now thanks to recent events. For them, the challenge is less about awareness and more about taking action: allocating adequate funds to cybersecurity as per the advice and counsel of their chief information security officers. However, many small businesses do not realize how much they too are at risk. A common assumption is that profit-seeking cyber criminals would rather go after large organizations since they have more money. But what the Kaseya ransomware attack showed was that if a ransomware group can target hundreds of small companies all at once, it is more than worth their while to do so. Another thing that is appealing to threat actors is the fact that small businesses may lack the means to eliminate threats once attacked, leaving them feeling that they have no choice but to pay the ransom. When 50-70% of ransomware attacks are targeted toward small businesses and 60% of those small businesses go out of business within six months of being attacked, small businesses cannot afford to deprioritize security. Unfortunately, that is exactly what many of them do.
In addition to carefully researching any MSP or MSSP that they’re interested in working with, small companies may also need to tap into creative ways to strengthen the security of their networks as much as possible, especially since many of them are constrained by budget concerns. For example, thanks to a grant, Maryville University’s Cyber Fusion Center is able to offer cybersecurity services free of charge to small businesses and non-profit organizations who otherwise wouldn’t be able to afford such services, including the kind of penetration testing mentioned earlier. There are resources out there, but small companies need to do their own homework.
What 2021 is showing us, in no uncertain terms, is that supply chain attacks will only continue to proliferate. Sometimes it may be ransomware motivated by profit, as in the attacks on Colonial Pipeline and Kaseya. At other times it may be state-sponsored espionage, as with the attack on SolarWinds. But regardless of the motive, when the impact of an attack cascades through a supply chain, large, medium and small organizations alike can all be affected. And even as MSPs and MSSPs offer numerous benefits, they are becoming a popular way for threat actors to reach many organizations at the same time. In the face of this new reality, it is critical for organizations, including and especially small ones, to recognize the scale and urgency of the risk and take active measures to improve the security of their networks and supply chains.