Have your clients asked for help with a data security addendum or questionnaire?

Question 1 from our recent article “5 Cyber Security Questions MSPs Should Ask Their Clients”:

1. MSP to Client: “Have your prospects or clients started requiring a data security addendum, a security questionnaire or included security as an RFP requirement?”

Cascading compliance requirements are among the biggest drivers of rigorous cyber security planning. More companies are focusing on vendor risk management. They want to ensure their suppliers don’t put them at risk. (Hint: The recent SolarWinds supply chain attack will play big in this area.)
Information security compliance regulations are coming your way, sooner or later.

Asking for help with a data security addendum is an indication the companies and their clients are concerned about cyber security.

What other information security compliance questions should clients and MSPs discuss?

Small and medium businesses are quickly being drawn into information security compliance. Publicity around security breaches captures the attention of both their enterprise clients and regulators. As a result, a data security addendum becomes a routine part of evaluating potential suppliers. Typically, a company’s first response is to ask their Managed Service Provider (MSP) or IT team for help. This is an opportunity for the MSP to open a broader security discussion. And a security discussion leads to more business for the MSP.

A good security conversation is more about business issues than products or services. There are major implications of a security breach or responding poorly to security questions. These have a direct impact on the company’s brand, reputation and revenue. Helping your clients can help them win the deal. When the underlying IT security products and services tie directly to business issues, the Return-on-Investment (ROI) is clear.

Find out more security questions to ask clients and start the discussion.

“I’m too small to be a cyber security target…”

We hear this all the time. Consider: why would hackers target a small or medium-sized business (SMB)?

#1.  Because They Can

Like many crimes, cyber attacks are often a crime of opportunity. SMBs are often a “soft target”, having employed fewer preventive and restorative controls than their enterprise counterparts. Bad actors often cast a wide net, looking for the easy target: a company that has not patched its software, changed default configurations, or trained its employees to counter social engineering attacks. If you haven’t identified your cyber vulnerabilities and taken action to remediate them, you might get caught in the net. Once the attacker identifies and exploits a vulnerability, it’s just a question of whether it’s worth their time to hold you for ransom, defraud you, or simply vandalize you.

#2.  Because Your Customers Are a Target, and YOU May Be THEIR Vulnerability

In more sophisticated attacks, the criminals look for a path to penetrate larger players… and you may be it. We see examples of supply chain attacks often, where a supplier is either deliberately or opportunistically targeted as a path to the larger target. And if we put testimonials or client case studies in the public domain, we may even help the bad guys identify our connection to the ultimate target.

Though few of us fit into the scale of the SolarWinds attack, it’s a real-time example of a supply chain attack using a vendor to penetrate the ultimate target. In the SolarWinds case, the targets were the US Government and 18,000 other (likely enterprise-level) clients.

How Real Is The Threat?

That’s an important question and one that we always evaluate in a formal risk assessment. Here are just a couple of stats from late 2019. It hasn’t gotten better in 2020.

  • Forty-three percent of cyberattacks are aimed at small businesses, but only 14% are prepared to defend themselves, according to Accenture.
  • Cyber security incidents cost businesses of all sizes $200,000 on average, according to insurance carrier Hiscox.
  • Sixty percent of these companies go out of business within six months of being victimized.
  • More than half of all small businesses suffered a breach within the last year.

What can you do?

Start with the basics. Ask your IT team or Managed Service Provider (MSP) about your security vulnerabilities and what is currently in place on your behalf. Here’s a great set of questions to start with: https://cisomag-eccouncil-org.cdn.ampproject.org/c/s/cisomag.eccouncil.org/21-questions-managed-service-providers/amp/

Don’t forget to take a look at the “low-hanging fruit” you can do yourself. You can find our “5 cyber security tips for small businesses” on the Arizona Commerce Authority website: https://www.azcommerce.com/small-business-boot-camp/week-24/top-5-cybersecurity-practices-for-small-businesses/

What Else Should SMBs be Considering?

First, anticipate that more cyber security regulation is heading your way. It may be private regulation, as your larger clients implement their own Vendor Vulnerability Management plans to ensure you don’t put them at risk. Have you seen cyber security questionnaires coming your way in RFPs or in the sales process? You will.

Second, if you do business with the government, watch for the regulation to come faster and more formally. The best current example, beyond the familiar HIPAA regulations for healthcare, is the Cybersecurity Maturity Model Certification (CMMC) for defense contractors. This Department of Defense (DoD) security regulation is rolling out now to all DoD prime and subcontractors. With the recent successful breaches of federal agencies, such as the Treasury and Energy Department, regulations are likely to expand quickly beyond the DoD. States will not be far behind. Our best guess is CMMC will be a key part of these broader regulations.

Finally, consider a third-party security assessment from a company such as ourselves, Cosant. The scale could be anything from a vulnerability scan to a full Risk Management and Business Continuity Plan. In addition to the tactical vulnerabilities, we’ll help you identify what regulations are headed your way and when, and build you a roadmap. We can also share how to ensure security questionnaires don’t slow your sales process down with our executive report, “Data Security Requirements for Winning RFPs”, https://cosant.com/top-5-data-security-requirements-for-winning-rfps/.

Stay safe out there.

MSPs as a Cyber Security Risk

Is your MSP a security risk? If you’re an MSP, do you have cyber security vulnerabilities that put your clients at risk?

It seems like a strange question, right? We think of the Managed Service Provider (MSP) as part of our cyber security solution, not part of the problem. And, indeed, MSPs are part of your security solution. But that doesn’t mean we can ignore the cyber security risks of these service providers. In fact, your MSP may be among the most important suppliers for which to analyze risk and ensure they are not a vulnerability. They manage your network. They have unique IT privileges and access. If they have a cyber security incident, how does that translate into your cyber security?

This is increasingly important, as bad actors know that breaching an MSP may be a path into dozens of their clients. Strike once, ransom many. To keep you and your data safe, MSPs need to employ the same or more cyber security plans as you.

A key part of a cyber security plan is the vendor risk management program.  In this program, we assess the vulnerability of our key suppliers to minimize the risk of them being the source of a cyber security breach.  Just as we increasingly see security questionnaires as part of our RFPs, it’s time we apply the same rigor to our MSP.  

Here’s an interesting article that advances 21 questions you should be asking your MSP. Below are the summary questions, though the full article goes into more detail on each.

1. Is the security program based on a publicly vetted framework?
2. Is an internal Information Security Officer designated?
3. Request a copy of the information security plan (under NDA).
4. How are clients’ compliance requirements supported?
5. Is work subcontracted? How are contractors bound?
6. What background checks are conducted?
7. If you have export control requirements, are all staff US Persons?
8. Do employees have cybersecurity credentials such as CISSP or CISM?
9. What security technologies are employed on internal systems and infrastructure?
10. How is risk assessed and managed?
11. Where is client data stored? Examine network diagrams, configurations, and knowledge base articles.
12. Are regular vulnerability scans of its environment done?
13. How are configuration changes managed?
14. How do they manage access to your environment? Review infrastructure, location, responsibilities, vendor relationships, access controls and data segmentation among clients.
15. What are practices for managing privileged account credentials, private keys, and other secrets?
16. Are access logs of remote connections to their clients’ networks retained?
17. Is a security operations center (SOC) maintained or sub-contracted?
18. What are the backup and recovery strategies, not just for your business, but for THEIRS?
19. Are security controls routinely tested (e.g., penetration testing, red teaming, security controls validation)?
20. Are they prepared to respond to security incidents with a deliberate, written and tested plan? Request details of the incident response plan.
21. Are third-party services retained to respond to a breach of its own systems or client systems?

Manufacturing equipment cyber attacks

Why is manufacturing equipment particularly vulnerable to cyber attacks?

The Cybersecurity and Infrastructure Security Agency (CISA) issued an ICS Alert November 17th, calling out a particular vulnerability in critical manufacturing equipment. Industrial Control Systems (ICS) are a too-often overlooked cyber security vulnerability in manufacturing. You can see the alert here for the technical details.

Our immediate interest is in highlighting the broad-based tendency for increased security vulnerability in manufacturing equipment. For those industries directly involved in critical infrastructure, cyber security is a given. However, the vulnerability spans much wider than critical infrastructure, such as power plants or transportation. Common manufacturing equipment, such as CNC machines, is increasingly a target of cyber attacks. That’s because it is unusually vulnerable.

Manufacturing equipment often has a lifespan significantly longer than the underlying computing equipment that controls it. We hear too often about manufacturing equipment running on outdated Windows XP computers. And therein lies the problem. Old operating systems are not updated (patched) to keep pace with current cyber threats. This could be due to expensive software licenses tied to the manufacturing equipment, or simple oversight of this vulnerability. This, coupled with the tendency to connect everything to the network and/or Internet, creates the unique vulnerability for manufacturers.

What does this mean for manufacturers and their IT partners? 

You and your IT team (internal or your Managed Service Provider, MSP) need to pay particular attention to these vulnerabilities. If your operating systems are outdated, or other hardware has vulnerabilities, this can not only be a threat to the availability of the manufacturing equipment (denial of service attacks), but can also expose a path into your broader network and associated data.

Ideally, your manufacturing equipment is patched and updated on a similar cadence as your computing equipment. However, if you can’t achieve that for expense or other reasons, you can plan other remediation, such as isolating the equipment from the network and particularly from the Internet.

For more information on manufacturing vulnerabilities, including evolving CMMC requirements, we invite you to reach out for a discussion.  Contact us here.

What CMMC means for you

Whether you’re a defense contractor, or a supplier to defense contractors, the Cybersecurity Maturity Model Certification (CMMC) is likely to have a direct impact on you… and soon. Similarly, Managed Service Providers (MSPs) supporting sub-contractors are already seeing interest in CMMC skyrocket.

The NIST 800-171 cyber security standard is already a requirement for Department of Defense (DoD) contractors (DFARS). CMMC extends NIST 800-171 to include certification. There are three important recent CMMC developments:

1) Prime contractors are starting to enforce NIST 800-171 compliance, even in advance of CMMC.

While the Defense Federal Acquisition Regulation Supplement (DFARS) has required NIST 800-171 for at least five years, enforcement has been lax. Many subcontractors simply put together a Plan of Action and Milestones (POAM), and left implementation behind. Now primes are starting to enforce compliance themselves, asking for completed security questionnaires and validation.

If you have a DoD subcontract, you’ll likely start to see compliance terms in your RFPs and contracts, along with auditing rights.

2) The DoD is phasing in a self-reported score on each NIST 800-171 control. Self-reported compliance is getting teeth, but still selectively.

Similar to the prime contractors enforcing NIST 800-171 compliance, the DoD itself is tightening the reins. A CMMC Interim Rule was recently issued and will take effect on November 30, 2020. This rule requires defense contractors to self-report their NIST 800-171 compliance for select contracts, using a specified scoring methodology.

You will want to check your RFPs to see if “DFARS 252.204-7012” is included. If so, and if you want a chance to win, you will have to self-report a compliance score. Contract awards that include this clause will be subject to reviews of the reported scores, and perhaps audits.

If you have a DoD contract, CMMC may be coming sooner than you might think.  Fortunately, some funding for compliance may be available or refundable through the contracts.

3) It appears CMMC will expand beyond the DoD, to all federal contracts.

Already the General Services Administration (GSA) has started advising their suppliers to prepare for CMMC.  Similarly, the Department of Homeland Security appears to be heading towards adopting CMMC.  As more federal contracts head in this direction, look for states to follow suit.  While a few states may choose to develop their own standards, most will be oriented to use what’s already developed and gaining momentum.

The buzz around CMMC has accelerated as suppliers and their IT partners prepare for this major cyber security requirement. Many MSPs are readily capable of implementing the technical controls associated with CMMC. However, few are prepared to support that implementation with the over-arching security programs and administrative controls, which include governance (policies) and compliance audits. If CMMC is entering your world, feel free to reach out for a consultation.