Early and Quick Thoughts on Kaseya Lessons Learned

From the perspective of MSPs and their SMB clients, the Kaseya compromise was not about cyber security hygiene.  Even companies with a good security program, including up-to-date patching, could have been compromised.  That’s why so many in the industry recommend a “breach mentality”.  The “breach mentality” poses the question,

“What will you do WHEN you are compromised?”  Notice it’s WHEN, not IF.

When we assume compromise, the importance of “respond” and “recover” becomes paramount.  The simple reality is that some threats are unavoidable.  We need to anticipate this possibility and be ready to respond.

We need an incident response (IR) plan that covers all aspects of our business.  Not just how we’ll address the IT/cyber incident itself, but who is on the response team?  How do we communicate with our clients, investigators, the press, our employees? 

Do we know how to decide whether to pay the ransom?  Did we test our data recovery plan?  And so many other issues.  Notice a key element of the above questions: it’s about so much more than IT.  It’s HR.  It’s PR.  It’s legal.  It’s leadership.  It’s about people and process, more than technology.

Many will criticize Kaseya, and perhaps some of that criticism is deserved.  But one thing is clear from observing their response to this incident: they had an incident response plan.  Their response has been deliberate, with pre-planning and significant communication.  This very likely reduced the impact dramatically by helping some MSPs take immediate action before they were breached.

A second lesson is more fundamental.  Every company needs a deliberate understanding of its specific business and data risks.  This is not one-size-fits-all.  Some businesses will prioritize availability, while others will prioritize confidentiality or integrity.  We need to prioritize to address the highest impact threats.  We need to make deliberate decisions on the capabilities and software in our “stack”, as each one has implications for our attack surface and our vulnerabilities.  In short, if you haven’t done a risk assessment, you need to do one now.  We can help with our “Essential Risk Assessment” for SMBs.

A sophisticated attack like the Kaseya breach garners lots of attention.  We see that even the most prepared and diligent companies can be affected.  Let’s hope the many MSPs and SMBs who haven’t done basic cyber security hygiene are watching and motivated to act.