Recently, hotel and casino giants MGM Resorts International and Caesars Entertainment not only had to partially shut down their operations in Las Vegas, but curtail them globally after being the victims of ransomware attacks from hacking groups Scattered Spider and ALPHV. With a little LinkedIn searching and a 10-minute phone call to one of the multibillion dollar companies’ help desks, these bad actors were able to bring operations to a halt and cost them millions of dollars in revenue.
At a glance, it’s a fascinating story about hotels many of us have no doubt frequented for industry conventions and meetings, but it should also be a sobering reminder of the risks businesses face in an ever-more-interconnected world. The cybersecurity threat doesn’t discriminate or spare the clients we serve in the office technology industry. In fact, small businesses account for 43% of cybersecurity attacks.
Multifactor authentication isn’t bulletproof
The battle between cyberthreats and cybersecurity is a constantly evolving game of cat and mouse with increasingly expensive stakes. Every time businesses and individuals raise their guard, hackers find increasingly clever and insidious ways to breach our defenses. Take multifactor authentication, which has become the enterprise standard over the last decade or so. It’s currently the second most popular workforce authentication method (54%), barely behind the traditional username and password (57%), according to Vanson Bourne’s 2023 State of Passwordless Security report. Similarly, a vast majority (87%) of IT and security professionals believe their organizations’ authentication defenses are secure.
Cybercriminals have adapted to this, however, with 74% of organizations admitting they faced authentication-related attacks in the last 12 months. There’s a clear gap between how secure businesses think they are and how frequently they are attacked. The latest evolution of the tried and true social engineering attacks that took down MGM Grand are push notification attacks, or MFA bombing, where malicious groups bombard an employee’s two-factor authentication contact in an attempt to coerce them into confirming their identity and ultimately granting access to sensitive company systems. This threat was reported by 28% of organizations, double last year’s figure.
Additionally, attempts to coerce or trick users into divulging passwords or sensitive identifying information like phishing, pharming, and smishing, remain the most common threat, with 42% of enterprises reporting these attacks in the last year. And when it comes to ransomware attacks, phishing is by far the most commonly used attack vector, based on Connectwise’s review of almost half a million security incidents last year.
The service side of MFA
When people think of multifactor authentication, they have a tendency to view it as a turnkey solution: A business sets it up, instructs its employees to use it, and doesn’t need to think about it anymore. But the reality is that MFA brings its own host of pain points and ongoing support. Common reported pain points include:
- Difficult securely authenticating remote workers
- Authenticating on unmanaged third-party devices
- Challenges managing the complexity or MFA or integrating it into existing IT infrastructure
The first challenge isn’t going to disappear; the mantra for businesses may now be hybrid work instead of fully remote work, but the days of every employee going into the office five days a week are over. The latter two pain points are a great chance for managed service providers to alleviate some of the burden. Many MSPs and dealers have already diversified into providing work devices. Similarly, maintaining MFA or logins can be a surprisingly large burden for small businesses. Businesses spend 32% of their IT help desk budget on password resets and authentication issues, which comes out to $375 per employee per year. MSPs able to benefit from scale and maintain dedicated IT professionals are well positioned to help small businesses avoid having to go through the expense of hiring a dedicated IT professional that they may not be able to afford.
Passwordless authentication may be the next step
According to the Vanson Bourne report, the next evolution of cybersecurity is trending toward passwordless authentication, with the vast majority of IT professionals viewing it as the highest level of authentication security. As the term suggests, passwordless authentication allows users to sign into their accounts without a password, whether it’s with a hardware token or key, one-time passwords, or biometrics. Passwordless authentication represents another arrow in the service quiver of office technology dealers. Gartner indicates that global spending on security and risk management is forecast to grow by double-digits through 2024, and top $200 billion before increased competition drives down pricing. The largest segment of this is consulting, hardware support, and outsourced services, which will account for $77 billion this year.
Where’s the fire?
Despite how prevalent cybersecurity attacks are, there are still important differences in which industries are most targeted. The most security incidents were reported for MSPs, Transport, Real Estate, Construction, and Education, according to the 2023 MSP Threat Report that covers MSPs and their clients. It was a similar story with ransomware specifically: Manufacturing, Transport, and MSPs were the most targeted, along with hospitality and education. These attacks were overwhelmingly in the United States.
When it comes to attacks on authentication, The Vanson Bourne report shows the most targeted industry was financial services, followed by energy/utilities and retail. On the other end of the spectrum, healthcare (59%) was the “safest” industry, with IT and technology not far behind. Geographically, businesses in the US were targeted the most often.
Similarly, some industries are more interested in passwordless authentication than others. Retail leads the pack, followed by financial services and IT and technology companies. On the other hand, energy/utilities and healthcare are the least sold on a transition to passwordless authentication in the next few years. In sum, the greatest opportunity for office technology dealers to assist businesses is where these two populations overlap – namely retail and IT and technology. Many service providers already have clients in these spaces. Helping them transition to passwordless authentication is a chance to deepen these existing relationships and ensure predictable, diverse revenue in the long term.
Education and expertise are the first line of defense
It’s important to remember that no matter the cybersecurity tool or system, it’s only as good as its implementation and day-to-day use. The 2023 MSP Threat Report shows that this is especially true as the Internet of Things increasingly becomes part of every office, with these systems often being overlooked when it comes to securing the office. Education, in fact, may be half the challenge when it comes to strengthening cybersecurity. Many businesses may not realize how vulnerable some of their practices and technology are. There’s also a lack of data scientists and other specialized tech positions, with 73% of IT leaders predicting difficulty filling these roles in the coming years.
Education is the first line of defense, and many businesses – small or large – will look to their office technology resellers for their subject matter expertise on cybersecurity. Risk assessments can help them grasp the gravity of the threats modern businesses face and understand what solutions fit their business best. At the end of the day, a zero trust policy that limits access and prioritizes vigilance is a valuable starting point. Dealers have a chance to not only strengthen existing relationships, but leverage their knowledge into new clients. A new client buying cybersecurity services is a chance to also offer them managed IT services, or any number of products or services from computers to printers.
More businesses need cyber insurance
No matter the defenses, security breaches will still happen. Should the worst happen and a company finds itself shut down by a cyberattack or under threat of having its confidential information leaked if they don’t pay a ransom, cyber insurance can be a valuable lifeline. These insurance policies can offset some of the costs of security breaches, from legal expenses to lost income due to work interruptions.
This is where the expertise of a trusted advisor comes in. A cyber insurance policy will require the policyholder to adhere to certain standards – using two-factor authentication or following other security practices, for example – and an insurance company will be looking for any excuse to reduce its payouts after a cybersecurity breach. Companies want a technology partner that knows the ins and outs of cybersecurity and can ensure they are in compliance. A good partner can also make sure you have a plan in place in the event of a cyber incident — will even have an incident response unit — and help you practice that plan so you’re ready. If, and more likely, when the time comes, it will be very difficult to go it alone.
Be ready to adapt
Cybersecurity is constantly evolving and will require full-spectrum solutions. It’s not only shifting to better authentication standards and investing in cybersecurity and cyber insurance — every business will have its own unique needs and require different solutions that complement each other. For example, keep your eyes open for secure access service edge (SASE) — technology used to deliver wide area network and security controls as a cloud computing service directly to the source of connection rather than a data center. The most successful and valued dealers and MSPs will be the ones that not only understand the needs of their clients, but what security advances are becoming available in the future.
John Schweizer is Vice President — Channels and Business Development, Connectwise. John has had tenured runs in key executive positions at office equipment giants like Alco Standard-IKON, Ricoh and most recently as the CEO of a Xerox owned company. He also had principal ownership in a dealership in San Diego. John currently serves as a member of the advisory board for the cybersecurity firm Fhoosh.