Forbes- Brian Grayek on SMB Security

Brian Grayek was quoted in Forbes from the Acronis Annual Summit in Miami, Florida. Here’s the quote, and the full article, Managed IT Services: The Small Business’ Security Savior, is in Forbes.

“If companies just [implemented multi-factor authentication], they would be exponentially more secure,” says Brian Grayek, Virtual Chief Information Security Officer at Cosant Cyber Security, speaking to the importance of even relatively simple security measures. “So why don’t [they]? A) They don’t know. B) They think it’s high-cost and it’s too hard to do. Well, it’s neither. It’s not high-cost, and it’s not hard to do.”

Case Study- The Impact of a Ransomware Attack: The Good, Bad and Ugly

Mark Kirstein, CISSP, VP Customer Success

A real-world example:

This case study follows a single ransomware security incident as it impacted two companies: the supplier and the client.

  • Company 1: “MidCo”
    • A mature information security program
    • Contracted “SupplierCo’s” software
    • Managed the security incident nearly flawlessly

  • Company 2: “SupplierCo”
    • Software vendor, with virtually no information security program
    • 20-year-old company that was forced to cease operations 3 days post-incident

Our visibility into a recent cyber security incident serves as an ideal case study exposing the consequences of having a robust security program, or having none at all.  Both were revealed in the same cyber security incident:  a ransomware attack.

Let’s start off with Cosant’s client.  We’ll call our client “MidCo”, for this case study.  The details are obscured for anonymity.  MidCo is a mid-sized business, with a robust, yet still maturing information security program.  Here’s a quick look at MidCo:

  • Several hundred million dollars of annual revenue
  • Many large, enterprise clients
  • Vast volumes of both Personally Identifiable Information (PII) and sensitive financial data
  • MidCo’s services are vital to the daily operations of their clients
  • The security program has all the requisite components, including documented policies, plans, processes and standards, as well as robust technical controls.  All of these are operationalized, not just shelfware.
  • Many industry-specific security compliance requirements implemented, including PCI, SOC 2, and FISMA.

Of principal interest for this case study, MidCo has a comprehensive 3rd-party vendor management plan.  Among the standard processes for 3rd-party vendor management is a security screening for each new supplier.  The screening identifies the level and category of risk associated with the supplier.  If the supplier can’t qualify for a minimum level of security, they’ll be disqualified.  If they qualify, but demonstrate high risk, then we apply additional compensating controls for the supplier.

Enter the second company involved in our case study:  a supplier of specific software services for our client.  Here’s what our software supplier, we’ll call them “SupplierCo”, looks like:

  • A small software business, providing data services & monitoring
  • Approaching 20 years in business
  • Approximately 50 employees

During the supplier selection process, MidCo reviewed SupplierCo’s security position, per MidCo’s 3rd-party vendor management plan.  SupplierCo’s security position was identified as “high risk”.  The principal risk associated with SupplierCo was availability.

Despite the risk, MidCo decided to utilize SupplierCo’s software.  As directed by the 3rd-party vendor management plan, additional controls and monitoring of SupplierCo’s software and operations were put into place.  Fast forward six months.  Over a recent weekend, SupplierCo was the victim of a ransomware attack which brought the company’s operations and software to a screeching halt.  The compromise was identified quickly by MidCo, and MidCo’s Incident Response Plan was triggered into action.  MidCo stepped through its incident response meticulously, and quickly contained the impacts of the breach.  Once contained, MidCo identified actions to restore availability through an alternative solution.  As a result of a mature and tested incident response program, coupled with a 3rd-party vendor management program, MidCo’s operations barely missed a beat.  It was truly a testament to a well-prepared and operational information security program.

In the context of the NIST Cyber Security Framework, MidCo accomplished the following:

  • Identified the risks and threats in advance
  • Took proactive steps to Protect themselves with compensating controls and to Detect a breach
  • Upon Detecting the breach, followed previously developed plans and processes to Respond and contain the breach
  • Recovered effectively, to sustain operations, minimizing the impact on availability for MidCo and their clients

While this breach incident proved to be a win for MidCo, SupplierCo didn’t fare so well.  Many clients of SupplierCo appear to have taken steps similar to MidCo’s to isolate themselves from SupplierCo’s breach and move to alternative vendors.  By the Tuesday following the weekend of the breach, SupplierCo was out of business.  Their staff of 50 was no longer employed by SupplierCo.  20 years of hard work, growth and on-going operations were destroyed within days.

The implications of this case study are self-evident.  The risks from a cyber security incident to a small business are potentially catastrophic.  The investment in a comprehensive information security program can make the difference between an inconvenience, a significant customer incident, or even a threat to business viability.  As a business community, we can no longer sustain the “I’m too small to be a cyber security target” or “It won’t happen to me” mindset.

For MidCo, the incident represented “the good” outcome of an assume-breach scenario.  For SupplierCo, it was not just “bad”, but “ugly”.


Brian Grayek discusses Multi-Factor Authentication on CRNTV, from the Acronis Annual Summit in Miami, Florida.

Early and Quick Thoughts on Kaseya Lessons Learned

From the perspective of MSPs and their SMB clients, the Kaseya compromise was not about cyber security hygiene.  Even companies with a good security program, including up-to-date patching, could have been compromised.  That’s why so many in the industry recommend a “breach mentality”.  The “breach mentality” poses the question:

“What will you do WHEN you are compromised?”  Notice it’s WHEN, not IF.

When we assume compromise, the importance of “respond” and “recover” becomes paramount.  The simple reality is that some threats are unavoidable.  We need to anticipate this possibility and be ready to respond.

We need an incident response (IR) plan that covers all aspects of our business.  Not just how we’ll address the IT/cyber incident itself, but also: who is on the response team?  How do we communicate with our clients, investigators, the press, our employees?

Do we know how to decide whether to pay the ransom?  Did we test our data recovery plan?  And so many other issues.  Notice the key element of the above questions: it’s about so much more than IT.  It’s HR.  It’s PR.  It’s legal.  It’s leadership.  It’s about people and process, more than technology.

Many will criticize Kaseya, perhaps some of it deserved.  But one thing is clear from observing their response to this incident: they clearly had an incident response plan.  Their response has been deliberate, with pre-planning and significant communication.  This very likely reduced the impact dramatically by helping some MSPs take immediate action before they were breached.

A second lesson is more fundamental.  Every company needs a deliberate understanding of their specific business and data risks.  This is not one-size-fits-all.  Some businesses will prioritize availability, while others will prioritize confidentiality or integrity.  We need to prioritize so that we address the highest-impact threats.  We need to make deliberate decisions on the capabilities and software in our “stack”, as each one has implications for our attack surface and our vulnerabilities.  In short, if you haven’t done a risk assessment, you need to do one now.  We can help with our “Essential Risk Assessment” for SMBs.

A sophisticated attack like the Kaseya breach garners lots of attention.  We see that even the most prepared and diligent companies can be affected.  Let’s hope the many MSPs and SMBs who haven’t done basic cyber security hygiene are watching and motivated to act.

Have your clients asked for help with a data security addendum or questionnaire?

Question 1 from our recent article, “5 Cyber Security Questions MSPs Should Ask Their Clients”. MSP to Client: “Have your prospects or clients started requiring a data security addendum, a security questionnaire, or included security as an RFP requirement?”

Cascading compliance requirements are among the biggest drivers of rigorous cyber security planning. More companies are focusing on vendor risk management. They want to ensure their suppliers don’t put them at risk. (Hint: The recent SolarWinds supply chain attack will play big in this area.)
Information security compliance regulations are coming your way, sooner or later.

Asking for help with a data security addendum is an indication that companies and their clients are concerned about cyber security.

What other information security compliance questions should clients and MSPs discuss?

Small and medium businesses are quickly being drawn into information security compliance. Publicity around security breaches captures the attention of both their enterprise clients and regulators. As a result, a data security addendum becomes a routine part of evaluating potential suppliers. Typically, a company’s first response is to ask their Managed Service Provider (MSP) or IT team for help. This is an opportunity for the MSP to open a broader security discussion. And a security discussion leads to more business for the MSP.

A good security conversation is more about business issues than products or services. A security breach, or a poor response to security questions, has major implications, with a direct impact on the company’s brand, reputation and revenue. Helping your clients can help them win the deal. When the underlying IT security products and services tie directly to business issues, the Return-on-Investment (ROI) is clear.

Find out more security questions to ask clients and start the discussion.