Cybersecurity Expert: SMBs Are Trusting Their MSP ‘Way Too Much’

'SMB are starting to wise up, and are starting to be forced to wise up. We were just seeing cybersecurity not really get done in the SMB space,' says Solis Security Executive Vice President and CTO Chris Loehr.

Small businesses are too willing to trust MSPs to keep them secure without doing due diligence or understanding the challenges the MSP faces, according to an industry expert.

SMBs typically choose their MSP based on either price or word-of-mouth references, and too rarely look to see if the MSP is following best practices around items like third-party assessments, according to Chris Loehr, executive vice president and CTO at Solis Security. At Solis, Loehr is heavily involved with helping businesses respond to and recover from ransomware incidents.

“There’s just too much trust,” Loehr told attendees of XChange 2020, hosted by CRN parent The Channel Company and taking place in San Antonio this week. “The SMB is saying, ‘Hey MSP, you’re just doing it all, and I don’t have to worry about it anymore.’”

[Related: ‘Pandemic Crisis’ Of MSP Ransomware Attacks Will Grow In 2020, Experts Say]

But that’s typically not the case. For instance, when a customer hears that an MSP is monitoring its firewall, Loehr said it typically thinks the MSP is involved with delivering security. Yet in reality, Loehr said all the MSP is doing is making sure the firewall is up (and possibly patched).

SMBs are too often turning to very small MSPs who they don’t realize are out of their league security-wise until it’s too late, Loehr said. Oftentimes, Loehr said the MSP relationship has been struck up by the organization’s lone IT person and isn’t subject to any scrutiny from other parts of the business because both the IT person and the MSP have been around forever.

A lot of smaller MSPs have in recent years transitioned from a break/fix shop to a recurring revenue model, and Loehr said they often lack the time or energy to change their model once again particularly as it relates to building out a security offering.

And MSPs that do offer security tend to overstandardize, Loehr said, delivering the exact same products with the exact same configurations regardless of whether the business is a medical facility, a legal office or a mom-and-pop retail operation. MSPs that provide the exact same security bundle to every customer will end up getting themselves in trouble, according to Loehr.

Moreover, Loehr said too many MSPs still see security as an upsell rather than a requirement, particularly as it relates to multifactor authentication on Microsoft Office 365. Even though turning on multifactor authentication takes less than a minute, too many MSPs make it an optional upsell rather than part of their basic bundle, which Loehr said puts both customer and MSP at risk.

Loehr also cautioned MSPs to be careful with RMM (remote monitoring and management) software, which he called “the most dangerous program in the world.”

“It can literally destroy small businesses in a heartbeat,” Loehr said.

FlightPath IT tries to be proactive rather than reactive in its ransomware protection for its customers, according to Thomas Bechard, vice president of the Burlington, Mass.-based MSP.

Bechard has found that larger customers are pretty willing to take proactive anti-ransomware steps such as audit testing for applicable regulations, penetration testing and social engineering exercises. As a result of proactive measures and good backup and recovery practices, Bechard said no FlightPath IT customer has ever lost any data from a ransomware attack.

But Loehr said that too many MSPs are still not equipped to handle a cybersecurity incident, with half of all MSPs that don’t have cyber insurance at the time of an attack going out of business. And even if they do have cyber insurance, Loehr said MSPs that are looking to pay the ransom have to initially put forward the money themselves and them ask their insurance provider for reimbursement after the fact.

After paying the ransom, Loehr said many MSPs find themselves in a position where they’re unable to make payroll. MSPs must also make sure they have a tech policy rather than a cyber policy since the former covers IT service providers while the later only insures end customers, according to Loehr.

Most insurance policies don’t set aside any money for betterment, Loehr said, meaning that MSPs or customers are on the hook for purchasing new servers, workstations or licenses after a cyber incident. MSPs should be familiar with the cyber claims process before a problem arises, Loehr said, and need to know their coverage, deductible and sub-limits from the get-go.

In addition, Loehr said insurers are getting more aggressive about coming after MSPs if they believe the MSP was at fault in the breach rather than just paying all submitted claims from MSP customers. Reimbursement for claims that are deemed valid doesn’t happen overnight, but Loehr said MSPs are usually made whole pretty quickly.

“SMB are starting to wise up, and are starting to be forced to wise up,” Loehr said. “We were just seeing cybersecurity not really get done in the SMB space.”