In a joint advisory released by cybersecurity agencies across the United States, the UK, Australia, Canada and New Zealand, managed security service providers (MSSPs) have been warned of a sharp increase in cyber-attacks targeting their systems. The agencies have identified MSSPs as a particularly lucrative target for malicious actors seeking to escalate their attacks, and are urging the industry to take immediate action to address the threat. Stephen Osler, Co-Founder and Business Development Director at Nclose, warns that the cybersecurity industry must shed its naive mindset around the potential impact of supply chain attacks to effectively combat this growing trend.
“The way of thinking around security providers has evolved. In the past, these providers were primarily known as infrastructure providers, with a focus on providing IT services rather than security services,” he explains. “As a result, they weren’t that worried about making sure their security Ts and Is were crossed and dotted.” However, with the increasing number of cyber-attacks targeting security providers, the industry has realised the need to prioritise security. These attacks have trickled down into their clients’ ecosystems and infrastructure, making it crucial for providers to ensure they are secure.
When an MSSP is vulnerable, every one of their clients is vulnerable and this is a real threat. As the saying goes: the plumber’s house always leaks. This cannot apply to cybersecurity. It is vitally important that cybersecurity service providers focus inwards to ensure that every one of their doors is bolted, says Osler.
“Three years ago, Nclose embarked on a journey to become ISO 27001 certified. This is the world’s best-known standard for information security management systems (ISMS). We realised that we can’t give clients advice on how to secure their environments if we were not certified ourselves,” says Osler. He likens this to “eating your own dog food” – meaning that cybersecurity companies must invest in themselves, particularly as supply chain attacks are becoming more prevalent.
MSSPs need to establish in-house teams solely dedicated to ensuring their own security is top-notch, in the same way that they safeguard their clients’ systems. This means implementing the same rigorous controls, ensuring that all compliance expectations are met and that the organisation constantly undertakes penetration testing on themselves.
“The more the MSSP undertakes pen testing, vulnerability scanning, phishing tests and training, the more it will refine and polish its own security maturity,” says Osler. “Security companies have to ask themselves the same questions they would ask their clients and challenge their own internal employees and systems on a continuous basis. All testing should be done by a third party as they will be far less forgiving and be far more committed to finding the gaps.”
Wrapping security around every aspect of the business not only ensures that the MSSP is equipped to handle the challenging cybersecurity landscape more effectively, but that teams are quick to catch potential issues before they become gaping security chasms. This can make all the difference between an unexpected backdoor making a huge dent in a company’s reputation and future, or having teams ready to shut the door the moment it swings open.
“It is as important for cybersecurity providers to be responsible and protect our own information as it is to protect our clients,” concludes Osler. “We have to evolve with the threats and that means more than just knowing what’s out there, it means knowing what’s inside the business and having all the right systems in place to ensure security is as comprehensive as possible.”