My advice as a security professional and former MSP.<\/p>\n
The economic market as we know it looks to be taking a downturn after a long period of bullishness. When markets go down, cybersecurity can take a hit as transformative projects are some of the first things to be removed from the budget. With a bear market upon us, I believe we\u2019re at a great turning point in our discipline. I want to share my thoughts with you on how our industry is going to be changing and how you can make sure that your company is protected from the threats that could rear their ugly heads, especially if internal spending appears to be in danger.<\/p>\n
Something that I have been asked is if cyberattacks increase in a down market \u2014 either due to more desperation or knowledge of a company\u2019s downturn in spending. They don\u2019t. In my opinion, cyberattacks are already in a space with so much growth and capability, that the increase would only be a tiny blip on the background of wide-scale attacks. For example, if you take a look over at doubleextortion.com<\/a>, you\u2019ll notice that events really blew up in 2019, a time of great economic prosperity, and have been rising ever since.<\/p>\n The craft of creating cyberthreats is well-honed and distributed, and threat actors come from many different directions \u2014 ranging from small garage band-style hackers to large groups backed by powerful nation-states.<\/p>\n In short, the coming economic downturn will be the first where we already have a lot of these threats out there, and we don\u2019t really know what\u2019s going to happen. What I can say is that there will certainly be vulnerabilities out there.<\/p>\n We just recently had news of a new Microsoft Exchange vulnerability that threw some of the cybersecurity community into a fit, but if you read the articles and look closely, the vulnerability only exists if an organization hasn\u2019t covered ProxyShell and ProxyLogon, which was from 2021. Companies still don\u2019t have their bases covered, and it\u2019s going to lead to loss, especially when facing highly advanced threat actors.<\/p>\n This level of vulnerability is only going to get worse in an economic downturn, as companies are more likely to drop cybersecurity spending or drop projects on their plan of action and milestones (POAM). When those are dropped, even more things in their network become vulnerable, and the cuts in cybersecurity spending end up being the stick they get whacked with.<\/p>\n Don\u2019t get me wrong, having standards for cybersecurity is a good thing, and companies being compliant with those laws and standards is also good, but it isn\u2019t enough. When companies blindly follow regulatory compliance standards, they are putting themselves in a system of haves and have-nots. Just meeting government regulations firmly puts organizations in the have-nots camp.<\/p>\n There is a major difference between what you write on paper that sounds amazing and actual, functional security. As an example, let\u2019s say I write a security policy for my home that states when I go to bed, I lock my door and turn on my security alarm. That sounds super simple, and like it would be reasonably effective. However, what I didn\u2019t cover were stipulations that my alarm has to cover all zones. I didn\u2019t even write that my lock has to work \u2014 or that the door functions as an effective barrier at all.<\/p>\n At the end of the day, security is operations \u2014 nothing more, nothing less. By just checking the box of security and leaving it as is, organizations are putting themselves at real risk. The danger of looking at compliance as the end-all, be-all of cybersecurity means that organizations stop trying to iterate and improve. This can happen in a down market because doing the legal bare minimum is a tempting way to save costs. But the lack of consistent operations and betterment can lead to some incredibly negative outcomes.<\/p>\n Something that I find really hopeful, and a trend that is quickly emerging in the cybersecurity space, is a sense of professionalism and standardized frameworks for what good security is. We\u2019re finally abandoning our “wild west phase” and developing bodies of knowledge that point to great practices at every level of business. No longer is cybersecurity just about being a smart guy in a room advocating for stronger practices \u2014 organizations everywhere, especially SMBs, are starting to embrace frameworks like NIST, CSF, and CIS. It\u2019s these bodies of knowledge that help cybersecurity professionals point to established best practices and be able to sell to their organizations while iterating and improving upon them.<\/p>\n For MSPs educating their clients, we\u2019re starting to see them use these frameworks as referential objects instead of using things they made themselves. Now they\u2019re able to look their clients in the eye and say we\u2019re going down this path because these are known and proven tactics that reduce cyber risk more than anything else. Following a body of knowledge shows that we\u2019re really starting to see increased professionalism in our world.<\/p>\n We can look at the transition to a more professional cybersecurity environment by drawing parallels to American medicine from the 1700s up to the modern day. At the start, doctors knew how to attach leeches and amputate limbs without an anesthetic. But as the system grew, doctors started to understand what certain herbs did, and eventually we got the American Medical Association. Suddenly there was a shared body of knowledge, and standards and procedures that were proven to lead to better outcomes. On top of that, certification boards were created, apprenticeship models ironed out, and academic models were created to produce top-quality medical professionals. This is where cybersecurity is headed. The way things are right now, all you need to do to be a cybersecurity person is to say you are and grab a few certifications. That\u2019s it. Luckily, the industry is changing for the better.<\/p>\n There are steps that companies can take right now to protect themselves. Companies need to start deeply adopting identity centrism, and many of the SaaS products out there from lines of business solutions like Salesforce, and those from other major providers like Microsoft and AWS can help. Ideally, what organizations should be doing is purchasing security products that are closer to what a startup would have.<\/p>\n If you started a company tomorrow, is there any chance you\u2019d buy a server, or even a server in Azure? Unless there\u2019s a highly specialized reason for your business, there\u2019s no point. Especially as an MSP, SaaS models allow you to set up your systems so that every client is only one script difference away. It allows you to turn your offering into a scalable and easily deployable infrastructure to help you mitigate risk.<\/p>\n There are a couple more major risks in the cybersecurity market looming for industry professionals, and among them is one that could turn organizations completely on their heads. There is going to be a change in cybersecurity insurance that will be a factor in this downturn economy. Most insurance companies work on actuarial data, which is a proven data and knowledge set for when things will break, and when things will die. When it comes to cybersecurity, however, they didn\u2019t know what they were doing. Insurance companies had been making bets for several years at a very high level because they didn\u2019t have the data, and they\u2019ve been losing their shorts. There was a very famous case with Merck and AIG where there was a fight over who should pay for the damages done by the NotPetya<\/a> attacks. AIG lost that case for $1.4 billion.<\/p>\n Insurance companies took notice of this and started to immediately tighten their policies. Now, for organizations, a downturn in cybersecurity spending could lead to a subrogation risk. If you as an MSP write down you have MFA and you\u2019ve met certain standards, it could lead to risk. If the project you claim to have done for your client isn\u2019t implemented well, wasn\u2019t done, or the project was in transformation, it could lead to your client suing your organization to pay for their claim.<\/p>\n As we talked about before, there’s a major difference between just checking the boxes and ensuring that your security works. The more you do just the bare minimum, the higher risk there is for you. If the reality of what you\u2019re doing isn\u2019t the same as what you say you\u2019re doing, there’s bound to be trouble.\u202fIn other words, you need to talk the talk and walk the walk.<\/p>\n If you think that insurance companies are bad enough, MSPs will have to start worrying about the US Department of Justice (DOJ) coming after them. The DOJ has come out recently with the news that they\u2019re going to start suing companies for not upholding their contracts based on the False Claims Act<\/a>. What the DOJ is looking for is organizations that haven\u2019t done what they said they would do. Let\u2019s take patching, for example, and suing those companies for breach of contract. These lawsuits financially incentivize internal whistleblowers to expose breaches of contract.<\/p>\n Let\u2019s say I work for an organization that isn\u2019t following through on its patching for a major client. I could call the DOJ and say they\u2019re lying about their contract, and I have irrefutable proof of it. My role is done \u2014 the DOJ takes over from an investigative and prosecutorial standpoint. If they find the company guilty of wrongdoing, I would earn 15% of what they made from suing that company. If you\u2019re in any kind of market where your client might not have the maturity to know exactly what they\u2019re buying, the DOJ is essentially keeping tabs on you by incentivizing your employees to blow the whistle. This is why MSPs in particular must keep up with their cybersecurity spend in a down market.<\/p>\n When you\u2019re in a down market, cybersecurity measures, especially new projects, could be some of the first things to get cut. It\u2019s critical to be able to convince your C-Suite and key stakeholders that the investment is worth it, which can be a major challenge. To do that, you\u2019re going to need to articulate the business cases better on two sides: reward and risk.<\/p>\n On the reward side, you can talk about how adopting newer technologies, such as cloud models and shared responsibility models, can lead to a faster business capacity and better scalability. At the same time, you have to be able to communicate the opposite \u2014 talk to them about the risks and what is changing in terms of regulatory landmarks. You can talk about how the US Congress recently defined what an MSP is and how the DOJ is going after companies for breaches. If you want to convince them, you have to make them aware that there is both a carrot and a stick.<\/p>\n The landscape of cybersecurity is changing, both due to trends that were happening before this potential economic downturn, and because of the downturn itself. At the end of the day, now is not the time to be dropping cybersecurity spending. Instead, it\u2019s time to start developing a system of consistent iteration and improvement.<\/p>\n Advance your cybersecurity knowledge with instructor-led courses at Pax8 Academy.<\/p>\nCybersecurity is going to take more than just meeting compliance standards<\/h2>\n
Professionalism is the trend for a down market<\/h2>\n
Organizations can take steps right now to protect and improve themselves<\/h2>\n
There\u2019s a good reason for ensuring that you\u2019re as secure as you say you are<\/h2>\n
How MSP cybersecurity professionals can ensure projects don\u2019t get cut<\/h2>\n