MSP Success Magazine June/July 2023 | Page 19

However, in November and December of 2022, LastPass revealed that a threat actor used information from the August breach to access a third-party cloud service and steal customer data, including password vaults, names, IP and billing addresses, and phone numbers. LastPass faced legal action and customer backlash.
Cybersecurity expert Bruce McCully, CEO of Galactic Advisors, said, “A breach alone will test the trust you have in a vendor — it just will. Rebuilding trust starts right away. Smart clients will understand the immense pressure companies face to stop breaches. It is the companies that communicate clearly, make every effort to make amends, and institute changes to stop it from happening again that will make it through.”
Look Toward Cyber Insurance As A Preventative Measure
Given that it’s highly likely a vendor will be breached, or that you as an MSP will suffer an attack despite your best efforts, it’s obvious that MSPs must carry some type of cyber insurance to cover the legal fees and costs associated with a breach.
Rusty Goodwin, executive consultant at the Mid-State Group and expert on cyber insurance and compliance, says the cyber insurance market continues to change thanks to the volume of breaches. And unfortunately, this may lead to many MSPs having sticker shock when they see the current insurance rates, especially when compared to just a few years ago.
Goodwin says that the price of cyber insurance was already rising before the Kaseya breach, which would add fuel to the fire. For a time, insurers were losing money due to the increased number of claims. After events like the Kaseya breach, many insurance vendors will not even offer policies to organizations in high-risk sectors.
Even with the increase in the cost of insurance, and with the probability of prices dipping back down being extremely low since the risks will continue to rise, the benefits far outweigh the cost. MSPs today simply cannot afford to go without coverage, especially when vendor attacks are becoming more common.
The Road Forward For MSPs
Clearly, MSPs need to be prepared. A serious breach could be a business-ending event, destroying reputations and relationships that took years to build, not to mention the costs of making clients whole.
Here Are 7 Easy Steps That Bruce Would Recommend:
1. Make sure you are using a consistent process. Don’t evaluate one vendor differently than you’d evaluate the next. The next steps should be part of your process.
2. Before you start, identify the overall outcome and features you know you are interested in. Make this list before you start looking at any marketing materials or talk to any salespeople. Creating the list first helps you have clarity on what you will be purchasing. If you have a client with a specific need, add that to your list.
3. Identify the products that fit your need. Sometimes this is easy as you will be comparing products that are interchangeable. Other times it will be more difficult. You may be looking at products that are in completely different categories that could be substitutions.
4. Document your process. The easy way here is Excel. Consider having different rows for each feature you are looking for and a column for each product you are evaluating.
5. Don’t just take the salesperson’s word for it. Test the product. Contact their support. Talk to other MSPs using the product or that have made the same decisions. How is their experience? Has this vendor been a partner? Do they work with you? How do they communicate?
6. Consider the implications to your MSP’s security. What types of requirements does this product have? Are those in alignment with current security best practices? For example, does the product require you to create a domain administrator account in order for it to work properly? That does not align with Microsoft Security best practices, so you should ask more and proceed with caution. (If you have a compliance consideration, make sure to include this.)
7. Consider the vendor’s reputation: Are they new to the MSP community? Have they had a security event? How did they handle it?
“As you can imagine, MSPs ask me to evaluate vendors all the time,” says McCully.
As an MSP operator, you need to be incredibly diligent about the vendors you choose, ensuring they are reputable and have sufficient resources to handle a breach. But most important, you need to find vendors that will immediately and aggressively notify you of any vulnerabilities or breaches, not cover it up or downplay it.
While we all want to avoid breaches, often the cover-up is worse than the crime.