It’s time to make public a conversation that has been brewing inside the IT and managed services industry for most of the last year but has largely not broken out of those circles.

Your managed service provider is now a target for hackers because if they can get to them, they can get to you.

This is new.

2019 saw major incidents in places such as Texas and Spain where the clients of managed service providers were breached using the tools the managed service provider used to maintain client networks and keep them secure. There were at least four other significant incidents that have been written about inside in the industry but names have not been named.

This isn’t actually surprising.

2010-2016 saw the rise of ransomware, largely targetting enterprise customers.

2017-2018 saw a major shift away from big companies — who were beefing up security — to smaller companies who were not.

2019 was the year that hackers realized that if they could breach a single managed service provider they could simultaneously breach all of their customers.

Think about that for a second: what is your IT provider going to do if every single customer was hacked at the same time and they can’t use their standard toolset to fix it?

Two years ago you were your own biggest risk, and today it may be your IT provider instead.

Where do we go from here?

I don’t have all the answers, here are some places to start.

  1. You can’t adopt a weak security posture or you’ll still run into trouble. All the advice from the IT industry on using strong passwords, using multifactor authentication and using security-focused firewalls still applies.
  2. Managed IT service providers must make internal security their top priority, it is the only way to secure their customers. Sadly, many focus on revenue-generating customer projects instead of securing their own house.
  3. As an IT industry: we need to take our own medicine. We move fast and sometimes leave things partially done or less than totally secure because we had customer projects. We have to change our stance.
  4. You need to enforce it: It’s up to you to be asking your current and prospective IT vendors the right questions about what they are doing. Such questions include, (1) how do you ensure that hackers don’t have access to your tools, (2) do ALL of your critical accounts have two-factor authentication turned on for ALL employees, (3) are all of your devices encrypted and is this documented, (4) is your firewall as locked down as ours, (5) do you train your employees, regularly, on security, (6) do you carry proper cybersecurity and E&O insurance, (7) have you had any security incidents in the last 3 years?

This is only a start, it is going to get worse, maybe a lot worse, before it gets better.