During ConnectWise's IT Nation event in late 2018, then-CEO Arnie Bellini framed the security issue for MSPs this way: whether or not they considered themselves security experts, their customers considered them security experts, so they had better start learning.
Not long after that, the company began distributing a 22-page security assessment aimed at determining how the MSP crowd fared, given the threat to every network. The results are in, and according to John Ford, ConnectWise’s chief information security officer, it’s not good.
“If you look at the MSPs on average, they’ve done a great job of making a living by being very efficient,” ConnectWise Chief Information Security Officer John Ford told CRN. “There’s no wasted steps. Taking the time to really understand their customers’ business, taking the time to really understand the risks to that business, is not something that they’ve been accustomed to doing. It creates a void.”
The questions are based on the US National Institute of Standards and Technology Security Risk Assessment, and the results were measured against the NIST Cybersecurity Framework, which is considered a best practice in the security industry.
ConnectWise itself has not been immune to bad actors. In February, cyber criminals exploited ConnectWise partners who had not patched an integration tool with a rival MSP platform to install ransomware on end users’ machines. Then in March, 100 Wipro endpoints were seeded with ransomware through ConnectWise Control (formerly ScreenConnect), a remote support and remote access tool.
Ford talked to CRN about those incidents and the larger threats MSPs face.
CRN: In hindsight, do you think the company did well in resolving your own security challenges and in its follow-up?
Ford: ConnectWise is not immune to security incidents, nor is any enterprise-sized company. That’s not a statement that will really ever come out of us to say ‘We’re completely immune,’ but let me highlight a couple things there.
We did have a ransomware event that did impact our cloud in the European Union. Had it not been for the ability to detect and respond to that literally in seconds, that would have impacted all of Australia and all of North America as well. Yes. It was an attack, but we were prepared, and we responded well.
When I look at things like the Wipro incident, anyone who has an RMM tool today is susceptible to that tool being used for nefarious purposes. And when that software lands in the wrong hands, or it’s an appropriate purchase but an inappropriate use of a purchase, then you have incidents like that.
We spend a fair amount of time talking to people, particularly when you look at the Wipro scenario, any tool I make and sell on the market can be used inappropriately. That’s what the evidence was in that scenario.
As far as extending out to other items, like plug-ins where you are imploring people to deploy a patch, but you can’t force them, so eventually you’re susceptible to that, right. The response was appropriate. The dedication at a leadership level was exceptional. I’ve been the CISO of other companies and I can tell you that the level of attention to detail in each of those scenarios was far and above what I’ve been involved with at other companies.
It helps me to sleep at night. I still don’t trust the bad guys, but I do trust the leadership.
CRN: Regarding the misuse of your tool, how much responsibility does the maker of the tool bear when it is misused?
Ford: That’s really a tough question to answer. I think our responsibility lies in developing products that enable our customers to perform their functions and grow their business and to make sure those products are built and configured securely.
The social dilemma of being able to accept responsibility when people misuse tools of any sort is a tough one to answer, and one that quite frankly is out of most people’s control, so without going into specifics, I can name a couple other items out there that could be akin to the same thing. So it’s a tough call.
I can tell you for a fact Jason McGee, our CEO, is very concerned and wants to ensure that our products are being used in an appropriate fashion, but to the extent that we can do all we can to ensure that they do not get into the hands of bad actors we will, but we do understand that it’s something that is out of our control, or anyone else’s control.
PowerShell was being used inappropriately. You think about that, many other IT products are being used in an inappropriate fashion. The goal for us is to make sure we’re delivering products that can be used in a proper manner and they’re delivered securely. And you know unfortunately we do not have a shortage of bad actors out there. It’s a challenge.
CRN: What did you hope to accomplish with the security assessments?
Ford: We wanted to create a vehicle that aligned the risk conversation between the MSP and their customers. MSPs’ customers think they do everything for them, including security. The MSP looks at the customer and says ‘I do some security for you but not everything,’ and many of those conversations are not going well.
In creating this assessment and aligning it to the framework, what it allows the MSP to do is to sit down with the customer and have a conversation that is aligned to the framework and the list, not about ‘Hey, I thought you were doing this’ and the MSP trying to defend why they are not.
Additionally, it was geared towards educating the MSP and the customers that in this new threat environment, regardless of what it is they are doing, it was not enough. So, that gets highlighted in that conversation.
CRN: The assessment found that more than half of respondents did not have a plan for dealing with a cyber attack. Is a plan important?
Ford: It’s insanely important. I’ve been in this business 22 years, and the time to create an incident response plan is not during an incident, because you need to be able to react to something that you built when you were level-headed and calm. When you look at how an incident escalates through an environment, you can do a tremendous amount of harm to both you and your customer if you start panicking and acting irrationally because you don’t know what to do.
There’s a systematic process to incident response, and MSPs really need to take the time before there’s an incident to really work through and craft a plan for them and their customers.
If you look at the security market today, the better money is being spent on detection and response, not on protection. Which isn’t to say we’re not spending money on protection, but the industry has adopted the mindset that ‘I cannot prevent everything. So I need to be able to detect them quickly and respond to them quickly.’ So it is kind of shocking when you see that high of a number of folks who do not have a plan.
CRN: As a security professional, what did you take away from the results?
Ford: What we’re trying to do is eliminate this whack-a-mole, and educate people along the way, and get them thinking in a model where we can measure risk, and out of that risk create valuable plans to reduce the risk so the bad actors don’t win all the time.
Just like if your shoulder hurts you go to a doctor, you don’t go to a surgeon. We assess the environment first, do the triage, then figure out what to do next. ConnectWise is committed to bringing to bear the products and services that will enable these MSPs, now and in the future, to support themselves and their customers along that security journey. If anything, we’re creating a foundation.
We want to make it available, not to scare people, but so that we can help them understand and help them remediate the risk that we’re seeing out there.