Amy Art 0618by Amy Weiss, The Imaging Channel

Superheroes are hot right now, and for good reason — they go around saving not just the world, but the galaxy. It’s impressive, and at some point we’ve all imagined being in their shoes (boots?). And while arc reactors, infinity stones and radioactive spiders are a bit hard to come by, there are other ways to be a superhero — just ask anyone who’s brought a company back from a ransomware attack. Hackers are much more common threats than extraterrestrial supervillains, and stories of cyberattacks, ransomware and hacking continue to make the news.

Mitigating risk

“We’re losing the battle,” says Greg Sparrow, data and security policy expert at CompliancePoint. “If you look at the last couple of years, the threat from a cyber perspective is huge. Lots of organizations need to improve.”

Bill McLaughlin, chief technology officer at Atlantic Tomorrow’s Office, agrees there is a lot of work to be done — and it needs to be done yesterday. “Stop talking about ‘maybe we should get a vulnerability test done’ — it shouldn’t even be a thought,” he says. “It should be ‘here’s what we’re going to do and where we’re going to do it.’ There’s no time to sit back and wait. You will become a statistic.”

A vulnerability test — the first step McLaughlin recommends to customers — is an assessment of the organization’s security and procedures, network design, and controls, looking for any weakness that would allow unauthorized access, aka hacking. The catch, he says, is that the organization’s managed services provider should not be the one doing that test. “As an MSP, you’re providing a service; managing infrastructure and providing support. If I provide a vulnerability test on an environment I’m currently managing, it’s like a CFO auditing his own books. There’s no checks and balances.” A technology or financial auditing firm can perform the assessment without bias. A relatively new job title, complete with certification, is “certified ethical hacker” — someone who performs penetration testing on organizations using the methodology a hacker might. Once the audit is complete, the results can then be turned over to the MSP so they can see where the vulnerabilities lie. At that point they can provide the right support and infrastructure to solve or mitigate the issues.

That assessment can serve another purpose as well. According to Sparrow, cyber insurance has gained a lot of traction over the last few years — unsurprisingly, as organizations are looking for any way possible to mitigate risk. But based on the increasing number of breaches and payouts, there’s enhanced scrutiny from the insurance providers. “Before they underwrite you they want to do a health check — just like with life insurance, before they sign off they want to know if you’re smoking cigars,” he says, noting that it has become more common for claims to be disputed if the environment was misrepresented during the discovery phase. 

The silver lining — opportunity

This high-risk environment can offer opportunities for managed service providers, as organizations are looking for partners who can help them navigate today’s treacherous waters. 

Sparrow is emphatic that the SMB in particular needs to outsource. “These threats are so prevalent and complicated at this point that you really want dedicated security resources looking out for your infrastructure. That needs to be their focus and their job,” he says, noting the difficulty of trying to keep the business running while having the right amount of focus from a security standpoint — both of which need to occur on a daily basis.

McLaughlin understands the opportunity exists and that it can represent a win for everyone involved. “We’re doing a lot of training with our sales reps just to get in the door,” he says. When dealing with the ever-present issue of how to get valuable face time, particularly with an account that may have previously viewed them as just a source of copiers, McLaughlin notes that the ransomware epidemic has allowed them to differentiate and be viewed as a trusted advisor. “We’re calling and we’re not talking about speeds and feeds,” he says. Instead, for a company dealing with a security scare, “we’re calling and talking about things that are extremely impactful to a business.”

The need for trusted partners is only going to increase as the risk does — and the attacks are not showing any sign of abating. “We see ransomware every day,” says McLaughlin, who also notes that increasingly those attacks are focusing on the SMB, which is often perceived as being less sophisticated and having less money to spend on risk mitigation and recovery. “If I’m an SMB and I’m asked to pay $500 or $1,000, I’m going to pay it. It’s a sweet spot,” he notes. 

The verticalization of cyberattacks

Other vulnerable sectors include verticals such as hospitality, retail, government and, of course, healthcare. “The hospitality industry sees a lot of breaches,” says Sparrow. “It’s in the way they operate — very distributed IT systems with numerous potential points of entry into the network. Retail is also very distributed, and they tend to struggle the most,” he says, also noting “they have very tight margins.”

Government is also vulnerable, as the SamSam attack on the city of Atlanta proved. That attack crippled numerous systems, cost a reported $2.7 million and was likely caused by a lack of preparedness — although city leaders were pretty tight-lipped about the whole thing, which is not uncommon for organizations caught with their pants down. (If it’s any consolation to Atlanta officials, they’re not alone and are not likely to be the last.

However, it is healthcare that always seems to be the target of the most attacks — twice the number of other industries, according to CSO online. Most recently, the attack group called Orangeworm made news by installing a custom backdoor called Trojan.Kwampirs in corporations operating in the healthcare sector in the United States, Europe and Asia.

“We’re seeing the unfolding of one of the most dangerous scenarios for connected healthcare — a persistent and polymorphic worm that is specifically adapted to exploiting unprotected network shares in old Windows networks, which are very common in medical devices,” says Leon Lerman, CEO of Cynerio, a security solution specifically designed for connected healthcare. “The fact that this threat was most successful in healthcare systems brings to light some of the biggest pain points in the security posture of this industry today: unpatched devices, permissive network configurations and a complete lack of visibility and control over medical devices, their servers and their network peers.”

And for every cyberattack that makes headlines, there are many more that don’t make the news. “They don’t want to talk about it,” says McLaughlin, who notes the very real fact that HIPAA fines often far outweigh the ransomware payment. (This can be true for many organizations — the ransom in the Atlanta attack was reportedly $50,000). 

Plan, prepare and patch

There’s no end in sight for the era of the cyberattack. “It’s going to get worse before it gets better,” says McLaughlin. “The bad guys are releasing 1 million new variations of code to the dark web per day, and the good guys are trying to defend against all variations. Unless new technology comes out that isn’t available today, this is going to go on for a long time — and whoever comes out with whatever the technology is that can stop this will be the next Bill Gates.”

So unless you’ve got a lead on that technology, what do you do? Lerman called out outdated and unpatched devices as a key vulnerability in healthcare, and Sparrow concurs that it is a key issue for most organizations. “Patch your systems,” he says. “That’s my No. 1 recommendation. Keeping your systems up to date is the most important thing, and it’s amazing how many people don’t have it consistently applied across the enterprise. The main thing we see is the lack of mature patch management.”

McLaughlin agrees that there is a notable lack of follow-through when it comes to organizational security. “A lot of people will go out and buy technology and will have a backup disaster recovery solution, but they don’t build a plan around it. They think they’ve taken the appropriate steps just by going out and buying something and implementing it,” he says. “But they don’t test the solution. They don’t go through what the recovery process would look like. It’s not just about technology, it’s about what to do from a protocol perspective in the event that you get ransomware.” 

Anyone who has ever lost a document is familiar with the importance of backing up, and it’s just as true and even more important in the security field, because once the attack happens, a recent backup will be critical to getting back up and running. McLaughlin says he typically likes the company to do a backup every three hours. “You want to have a backup solution that not only backs up the data, but the software that reads the data,” he stresses. “If I have a backup image and can run it on an NAS device or in the cloud where the data lives, then I can run it while the issue is being resolved.”

“We must have redundant systems or backup systems,” agrees Sparrow. “We have to think about worst-case scenarios.”

And let’s face it, the worst-case scenario is not an unlikely one — just ask city employees in Atlanta or healthcare providers or government workers everywhere. Managed services providers have an opportunity to be heroes, and they don’t even need Captain America’s shield, Thor’s hammer or Iron Man’s armor. An understanding of the dangers of outdated software, the ability to stress the need for employee education and up-to-date knowledge of technology will serve you well, and when all that fails, having a solid, implementable backup plan will make you a hero beyond all imagination. 

This article originally appeared in the June 2018 issue of the Imaging Channel