Posts

We just finished writing about an IT provider of managed services in Colorado who was hacked, and in turn all or most of their customers were hacked as well.

Well, it’s another day and this time the story comes from California.

Synoptek, a California business that provides cloud hosting and IT management services to more than a thousand customers nationwide, suffered a ransomware attack this week that has disrupted operations for many of its clients, according to sources. The company has reportedly paid a ransom demand in a bid to restore operations as quickly as possible.

Irvine, Calif.-based Synoptek is a managed service provider that maintains a variety of cloud-based services for more than 1,100 customers across a broad spectrum of industries, including state and local governments, financial services, healthcare, manufacturing, media, retail and software. The company has nearly a thousand employees and brought in more than $100 million in revenue in the past year, according to their Web site.

Much like other ransomware gangs operating today, the crooks behind Sodinokibi seem to focus on targeting IT providers.

Every single IT provider is now a major target, because by successfully compromising a single IT provider, attackers compromise dozens or hundreds of other companies in the process.

If you aren’t asking your current IT provider what they are doing to make sure that their own house is in order, you aren’t doing your due diligence.

Krebs on Security writes about a hacking incident in Colorado late in 2019:

A Colorado company that specializes in providing IT services to dental offices suffered a ransomware attack that is disrupting operations for more than 100 dentistry practices, KrebsOnSecurity has learned.

We’ve started talking about this in verbal conversations with prospects: today your biggest risk may be your IT provider.

Most IT providers (MSPs) put an RMM agent or remote-control software on each computer that they manage. This agent then connects back to a central source where the MSP can push out security updates, backups and other such measures to keep customers secure.

However, if the MSP’s central source is hacked then it is easily possible for all of their customers to be hacked at the same time.

The active targeting of MSPs is going to reach epidemic levels soon.

We’ll unpack what all of this means in a later post. For now, the top takeaway is that you should be asking your IT provider (1) how they are securing their own house, and (2) what changes they have made or are making as the security threats change.

It’s time to make public a conversation that has been brewing inside the IT and managed services industry for most of the last year but has largely not broken out of those circles.

Your managed service provider is now a target for hackers because if they can get to them, they can get to you.

This is new.

2019 saw major incidents in places such as Texas and Spain where the clients of managed service providers were breached using the tools the managed service provider used to maintain client networks and keep them secure. There were at least four other significant incidents that have been written about inside the industry, but names have not been named.

This isn’t actually surprising.

2010-2016 saw the rise of ransomware, largely targeting enterprise customers.

2017-2018 saw a major shift away from big companies — who were beefing up security — to smaller companies who were not.

2019 was the year that hackers realized that if they could breach a single managed service provider they could simultaneously breach all of their customers.

Think about that for a second: what is your IT provider going to do if every single customer was hacked at the same time and they can’t use their standard toolset to fix it?

Two years ago you were your own biggest risk, and today it may be your IT provider instead.

Where do we go from here?

I don’t have all the answers, but here are some places to start.

  1. You can’t adopt a weak security posture or you’ll still run into trouble. All the advice from the IT industry on using strong passwords, using multifactor authentication and using security-focused firewalls still applies.
  2. Managed IT service providers must make internal security their top priority; it is the only way to secure their customers. Sadly, many focus on revenue-generating customer projects instead of securing their own house.
  3. As an IT industry, we need to take our own medicine. We move fast and sometimes leave things partially done or less than totally secure because we had customer projects. We have to change our stance.
  4. You need to enforce it: It’s up to you to be asking your current and prospective IT vendors the right questions about what they are doing. Such questions include: (1) how do you ensure that hackers don’t have access to your tools, (2) do ALL of your critical accounts have two-factor authentication turned on for ALL employees, (3) are all of your devices encrypted and is this documented, (4) is your firewall as locked down as ours, (5) do you train your employees, regularly, on security, (6) do you carry proper cybersecurity and E&O insurance, (7) have you had any security incidents in the last 3 years?

This is only a start. It is going to get worse, maybe a lot worse, before it gets better.

I came across a website recently that decried contracts for IT services, claiming that they were all written in the interests of the IT provider and out to get small business owners.

Here are three reasons you want to look for companies that not only have, but require, well-written contracts. #2 and #3 are items you should look for in any business contract you sign.

1. They Have Insurance

I can’t stress enough how important this is to you. Your IT company’s insurance protects you as a client as well, especially if you ever have to bring a claim against them. Any decent insurance in the IT industry requires that the underwritten company maintain contracts. A lack of contracts is a sign that they don’t carry proper insurance, which leaves you as a business owner holding the bag if things go south.

2. You Lock in Rates

The costs for IT technicians and the costs for companies to carry insurance are only going in one direction: up. Contracts allow you to lock in rates at today’s prices instead of tomorrow’s. Without a contract, your IT provider is free to change prices whenever they want.

3. The Contract Protects You

A well-written contract has language in it to protect your business with clauses like:

  1. Mutual non-disclosure agreements
  2. Non-compete agreements
  3. Agreements not to hire each other’s employees
  4. Specific processes for working out issues, if they arise, including court jurisdiction (i.e., specifying a local court, instead of one in Texas or Delaware, even if that is where the business is legally incorporated)

Given that your IT provider has access to nearly 100% of your data and is responsible for keeping you secure, I can’t imagine a reason you wouldn’t want to sign a well-written contract that protects your interests.

Call us today and we’ll walk you through the ways we protect our customers, both digitally and legally. 865-240-2716

HELP! Someone has hacked Jim’s email and just tried to place a $15,000 order at Verizon.

-Actual Customer, December 10th, 2019

As the owner of an IT company that specializes in security and managed IT services, I hate getting emails like this, primarily because they are 99.99% avoidable.

Managed IT service providers have known it for a long time: all of their customers need to be on multifactor (MFA, sometimes called two-factor) authentication. To this customer’s credit, they were already in the process of implementing MFA, but Jim hadn’t been set up yet.

Research from both Google and Microsoft shows that MFA stops over 99% of password-based hacks. Our standard operating procedure is to recommend it to all of our customers. Beginning in 2020, we will require our managed customers to opt out of it if they don’t want it; it is that important.

MFA is simply adding another layer of security to your account. In its simplest and most effective form, you get a push notification on your phone requesting that you approve a login. Other forms may email or text you a code that you have to put into a website.

How do I do it?