There was a time not so long ago when company leaders could dodge anything technology related with the familiar "IT does that". Those days are over. Forward-thinking leaders know that technology is a foundational piece of their long-term success. These strategic leaders are adopting a tech-savvy mindset to inform their sound decision-making.
SolarWinds is facing an SEC civil lawsuit over the way the company and its Vice President of Security and Architecture mislead and concealed its poor security practices from customers and investors.
Why Should Every Company Care About the SolarWinds Lawsuit?
Why does this matter? After all, none of us is a company on the scale of SolarWinds. This is important for several reasons. Here are two that directly relate to all of us.
1. Cybersecurity is top down. This claim is a reminder that responsible cybersecurity practices start at the top of the organization. It doesn't matter if you're a company of one or thousands. The obligation to implement, continuously monitor, and adopt a proactive security posture lands squarely on the company leader's desk.
2. IT people are being held legally accountable. The company's CISO, the person responsible for architecting, executing, and ensuring the soundness of their cybersecurity policies, is being held liable. He is a named defendant in the lawsuit. This same finger of blame pointed to Uber's CISO in 2022.
Clarify What IT Services You Are Really Getting From Your Provider
The size of your company doesn't matter. Your legal and ethical responsibility to safeguard your customers, employees, and partners is no different. There are a lot of facets to your cybersecurity footprint that we could talk about all day long. Right now, we're going to focus on one topic -- inviting the right people into the room.
This is where the "IT does it" dodge doesn't work anymore.
We analyzed 45 managed service providers (MSPs) Google found within a 10 mile radius of our office. The purpose of this (very) exhausting website dive was to learn how MSPs are positioning their cybersecurity expertise and services.
We're not alone in our campaign to curb the way MSPs mislead their clients about their scope of services. There have been a lot of recent articles and posts from respected MSP thought leaders citing the misguided expectations MSPs are setting for their clients. Some of these false promises border on malpractice.
These words from one website are all too common. This promise sounds reassuring, doesn't it?
What Can Company Leaders Do?
But MSPs don't bear all of the blame.
Company leaders rely on, trust, and abdicate too much of technology to their IT team, both outsourced MSPs and internal. After all, the reasoning goes, nothing has happened (yet) so why rock the boat? It’s time to put that shortsighted rationale aside and shift to strategic leadership thinking.
As we mentioned, MSPs are doing their valued clients a dangerous disservice by not clearly addressing practical cybersecurity policies.
In many cases, MSPs simply don’t have the skills and expertise to deliver what companies need.
They do an adequate job of reacting to day-to-day “it doesn’t work” requests.
They apply patches and updates.
They exist in the small box of firewalls and free or low-cost legacy anti-virus.
This is an obsolete model.
The reality is your long-standing IT partner isn’t going to sit in front of you and disclose their limitations. That’s understandable. Who would? They have a relationship to protect.
So as the company leader charged with adopting the technology-as-foundation posture, you will have to start the conversation.
How to Lead the Awkward Conversation
To help you kickstart this awkward discussion, here are 13 questions that you should ask your IT team. If you’re relying on an internal team instead of an MSP, the same applies to them.
We’ve include a short what to listen for with each question, but these are for guidance only.
Each of these topics needs thorough discussion. That’s where you go next. Can your IT folks explain in non-technical words why these are important to you? If they don’t provide them, why not? “You didn’t buy this service” isn’t the right answer. (We actually heard an MSP tell a prospective client that.)
Q1: Start with a basic, softball question --will you explain what cybersecurity includes?
Listen for: You want to hear phrases like proactive endpoint security, SOC monitoring, content filtering, proactive monitoring, intrusion detection. If they say firewall, backups, and antivirus software, then they are not providing the essential proactive security services you need today. These are still important, but they aren’t adequate for your company.
Q2: How often do you run vulnerability assessments and pen tests?
Listen for: These should be run at least twice a year. If they tell you these are being done, then ask for the reports. They should be reviewing these with you, identifying vulnerabilities, and recommending appropriate actions.
Q3: When performing a vulnerability assessment/penetration test, does your scan look for only known vulnerabilities or does it also look for zero day?
Listen for: The answer is both. Have they explained zero day?
Q4: If we have to
restore from a backup, what security tools do you use to scan that the backup is malware-free?
Listen for: We know that malware lives quietly, undetected for months before it is discovered. That means your backups are also at risk. An AI machine learning tool such as SentinelOne that is continuously scanning mitigates the risk of infected backups.
Q5: How do you manage and secure our network from BYOD (bring you own device) risks?
Listen for: Most MSPs limit their support to company-owned devices. What about the use of employee-owned devices for business? This includes phones, tablets, laptops, and desktops.
Listen for terms like VLAN, segmented network, and sandbox. As a general rule, BYOD devices should not be connected to your company network for any reason unless they have been approved and scanned by an advanced AI agent. Continuous monitoring is required for those exceptions.
Q6: In the event of a breach, what do you do to prevent us from a complete company shutdown?
Listen for: We have a specialized department to handle these situations. All of this is detailed in your company plan that we prepared for you.
As a short overview:
we will provide onsite triage services to determine the level of access a breach has obtained,
disconnect the machine from the network,
create a raw disk image to preserve its current state,
run that image through a program such as Autopsy to scan the machine, identify all malware, where that malware is installed, who, when and how they took control of that machine,
report all of this information and more to you and the proper authorities in an executive report,
remove all malware (if possible) and return that machine to you.
if the infected machine can’t be salvaged or is too risky to bring back onto the company network, we will inform you that this machine is a total loss and it needs to be replaced.
Q7: Do you actively scan removable devices for threats before they can be used?
Listen for: If USB ports are enabled on a device (and they usually are), what happens when someone plugs in a USB drive? Is it safe? Where did it come from?
We use advanced AI machine learning tools to accomplish this. All plug and play devices are scanned by our AI agent for known and unknown (zero day) vulnerabilities. It forces any type of executable to run even if it doesn’t want to. If our agent spots something that it doesn’t like, it will quarantine that particular file for further investigation.
Q8: What percentage of security protection can you guarantee?
Listen for: If they say 100% or you’re covered, they’re not being truthful.
Q9: If we have an attempted breach or attack, how will we know?
Listen for: Proactive monitoring services identify and stop attacks before they happen. In most cases, you will never know that an attempt occurred. We deliver a regular recap of breach attempts to you simply to make you aware of the work being done in the background on your behalf.
Q10: If we have a loss of company or client data, what will you do to help us take the proper actions?
Listen for: Notifying clients and customers about a data breach is part of your cyber attack response plan that we have prepared for you. There are often legal obligations that you need to be prepared to address.
It’s important to remember that your clients’ data can have significant value to their competitors as well. Hackers know this and will quickly exploit this stolen data. Data loss doesn’t end with your internal data. The impacts expand quickly.
Q11: Do we have 24/7/365 proactive monitoring and attack prevention through a security operations center (SOC)?
Listen for: Security operations centers operate globally 24/7/365. They are staffed by highly skilled cybersecurity specialists who continuously use the latest tools, techniques, and intelligence to watch for and prevent cyber attacks.
The traditional managed service provider does not perform this sophisticated level of cybersecurity monitoring. They will provide these services to you through partnerships with SOC providers. Ask them for the provider's information.
Q12: We have
cyber insurance. Isn’t that all we need?
Listen for: Cyber liability insurance is not proactive prevention. Insurance might offer some monetary relief after you have suffered damages, but it cannot prevent an attack. In fact, insurance companies will review your documented cybersecurity policies and practices to determine how proactive your company is in preventing attacks.
Q13: What cybersecurity credentials does your team have?
Listen for: Certifications that sharpen expertise include Network +, Security +, GPEN, CPT, CISO, and CISSP.
Wrapping It Up
Cybersecurity practices need to be talked about often. We believe that company leaders deserve up-to-date information to make responsible decisions.
Cybersecurity isn’t a fad. It is baked into the foundation of every company regardless of size. As the SolarWinds lawsuit illustrates, the people who are charged with cybersecurity practices are being held accountable. How does this accountability trickle down to your organization?