LONDON — Last year’s report on cybersecurity from the U.K. government suggested the pandemic has substantially increased the risk of cyberattacks on most organizations. However, fewer businesses are taking recommended cybersecurity measures. Only 12% of organizations review the cybersecurity risks from their immediate suppliers, and only one in 20 firms (5%) addresses the vulnerabilities in their wider supply chain.
Now, the U.K. government is testing the suitability of a proposed cybersecurity framework for Managed Services Providers (MSPs). The proposals could require MSPs to adhere to 14 cybersecurity principles called the Cyber Assessment Framework.
Instead of being another weak link, MSPs need to step in to help their customers evaluate their cybersecurity protocols and preparedness for potential data breaches. Some customers even require their MSP to adhere to their own data security agreements.
SE Labs is one company helping channel partners understand the evolving cybersecurity risks.
At the recent Channel Evolution Europe conference, we had the opportunity to talk to SE Labs founder and CEO Simon Edwards. He is currently the chairman of the board of the Anti-Malware Testing Standards Organization (AMTSO), a community of more than 60 member organizations comprising security vendors and expert test labs from around the world.
The following is a transcript of our conversation with Simon Edwards, edited for clarity.
PV: Simon, thank you so much for the opportunity to talk to you today. In the view of many people, including the U.K. government, the pandemic has increased the risks of cyberattacks, ransomware, and other security threats. Remote work, and the new hybrid approach in many organizations, also poses significant risks that many companies are now beginning to face.
In your opinion, what are the main challenges for companies adjusting to the new normal, if we can call it that?
Simon Edwards: Well, I think it’s a weasel-word answer, but it depends. So there will be some companies where it doesn’t make any difference in technical terms whether they’re working from home or the office. You get cultural issues, of course. But sales teams, software developers, [and similar types of employees] can work anywhere, and often do.
Some of these large companies don’t even have headquarters anymore. But if you’re working with personal information, you might have some serious issues with [regulations such as] GDPR. Maybe data has to stay in the same place. Perhaps the people’s workstations are locked down on a physical desk and can’t leave the building. In that situation, there are solutions.
Remote desktopping is one of them, but it’s not as straightforward. And if you work in certain security roles, for example, you would not be allowed to transmit that information out of the building, let alone to another country.
So, some companies allow having someone work in Iceland for six months of the year and not notice that they’re not in the office next to you. But if you’re working in a nuclear facility, in defense, or maybe even an investment company, you would have to be restricted to physical locations.
The days when our physical PCs, the tower PCs that sat under our desks, were in a building behind a firewall are long gone. Sometimes the device is no longer in the building. It may not even belong to the organization that the user works for.
Remote desktopping is probably the future. When you look at how Windows is going, it won’t be too long before you have a low-powered computer, and you’ll be remotely accessing your Windows desktop on a server somewhere.
PV: One of the things that I remember many years ago when this trend of bringing your own devices, BYOD, started is that a lot of people started talking about “Shadow IT,” which is basically bringing your own app. People were so frustrated not being able to do their work effectively that they started to use their apps.
Simon Edwards: The thing is that people are very resourceful, and actually, they want to do a good job. You’ve got employees who want to do their job so much that they’re prepared to go to all this effort to get new software and install weird bits of hardware to get the job done.
They’re not doing it to steal things, in most cases. They’re doing it to do the best job they can. So the responsibility falls on the directors to ensure their staff has the tools to do what they need.
PV: When looking at the channel, one of the things is you have all the MSPs that work primarily with big vendors, and they try to sell their solutions and maybe add some things on top. What are the challenges to discussing security and offering solutions and expertise?
Simon Edwards: There are a couple of obvious challenges that we can identify, and one is ‘which product are they selling?’
The market is full of security software and other services, and they’re not as capable as each other. Some can be very capable if they’re set up correctly. Some are just horrible to begin with and can never be made good.
The challenge that the channel has is, first of all, to offer the customers the best available products. And it’s hard to judge because when you talk to a vendor about their product, they will say it’s the best and better than anybody else’s.
What I would say is, when an MSP is offering you a service, look for the reviews. Not just in magazines but in security-testing organizations such as mine. And then don’t just trust my word. If I test product X and it comes out well, and the other testers also say it’s good, then probably, maybe, it is good. It’s like a basic hygiene thing.
But if no one’s tested it, or if one company’s tested it and it looks good, and another one’s tested it and it looks bad, then some red flags start to appear, and you think, what’s the relationship between the tester and the company? Are they being paid to give a good result?
The MSPs can do this too. When choosing the products to offer, they can look at which products have the best reputation, and then they can be reasonably confident that what they’re selling to their customers will do the job.
Also, the MSPs can provide help. Almost none of these security products can be just turned on and be 100% effective. But the MSPs can help configure the product correctly.
PV: During the pandemic, we forgot about many basic security protocols because of the emergency of the situation. Some organizations had to scramble to continue working with a remote workforce. What do you think the channel can do to convince people that they have to think about security as one of their top investments right now?
Simon Edwards: Well, in a perverse way, ransomware has been helpful to get this message across because there’s a clear price tag.
People get fixated on ransomware because there’s a clear attack. You know you’ve been attacked because it tells you you have been and need to pay a ransom. But actually, ransomware is not an attack in itself. It’s a payload. It’s something that happens at the end of an attack.
Attacks largely follow the same playbook. It begins with reconnaissance. It goes through to committing some exploitation and maybe establishing persistence or doing other things. And at that endpoint, the attacker might run their ransomware at that last stage of the attack. Suppose companies take security seriously and follow correct hygiene processes, which often aren’t very interesting and exciting, like updates and the basics. In that case, all of these stages of the attacks get mitigated in some way. Not always 100%, but the more you create these layers of security, patch, firewall, antivirus, and do all of this, the chances of any attack coming through, including ransomware, are reduced.
PV: Simon, thank you again for your time. It has been a pleasure to meet you in person and learn about the current situation of cybersecurity.