Thank you for shining a light on this systemic vulnerability. I don't think organizations realize that, in many ways, they inherit the security of their service providers. As another commenter noted, the RMM is overdue for radical reinvention. Security-minded MSPs may need to think about delegated access to customer environments, privileged access workstations, or other methods for remotely administering customer environments without that big fat one-to-many target that RMM represents. I think the MSP tooling ecosystem in general is problematic - MSPs design for scale and efficiency (making them an economical option for customers as opposed to hiring internally), but do I really want my password manager integrated into my RMM? Maybe not... There's a lot of market share out there waiting for MSPs that can develop real cybersecurity maturity.
As a Managed IT Services Provider, we offer 24/7 business IT support and services to customers with global presence from our Nottingham, Sheffield and London offices. We are an award winning, rising star in the mid-market Managed Service Provider (… VoIP, Hosted Exchange, Email Security, Data Storage, DaaS, Cybersecurity ... Veeam, Cisco Premier, Datto, HPE, Meraki, Microsoft Gold ... Steve Robinson
Helixstorm updates a core network infrastructure for an apparel company, replacing wireless infrastructure, implementing a disaster recovery solution, and performing an Active Directory migration. They also provide 24/7 system management. The team skillfully implemented modern solutions and transformed the network. They were organized and accommodated their partner’s needs.
Managed service providers tend to be Web hosting or application service providers that allow users to outsource their network and application resource procedures under a delivery agreement. In most cases, MSPs own the entire physical back-end infrastructure and provide resources to end users remotely over the Internet on a self-service, on-demand basis.
The evolution of MSP started in the 1990s with the emergence of application service providers (ASPs) who helped pave the way for remote support for IT infrastructure. From the initial focus of remote monitoring and management of servers and networks, the scope of an MSP's services expanded to include mobile device management, managed security, remote firewall administration and security-as-a-service, and managed print services. Around 2005, Karl W. Palachuk, Amy Luby (Founder of Managed Service Provider Services Network acquired by High Street Technology Ventures), and Erick Simpson (Managed Services Provider University) were the first advocates and the pioneers of the managed services business model.
Similar to a data breach, downtime can do more harm to your company’s reputation and trust with the public than you may think. Consider the possible scenario of being hit by a DDoS attack that leaves your network down worldwide at 2 am local time. If you’re operating on a skeleton crew of in-house employees, it may take 24 hours to get your network up and running again whereas an MSP could have you back in action well before the lunch bell rings.
Chris Loehr — executive vice president of Solis Security, an incident response firm — has personally dealt with many of these MSP breaches. Speaking of GandCrab, Loehr says, "They certainly hit some MSPs in 2018, but the ransoms were relatively small: $10,000 to $25,000. In 2019, MSPs became more of a target, with increasing ransom demands and the threat actors leveraging MSP tools with greater efficiency to affect clients. GandCrab never required the MSP to pay up. It wasn't until GandCrab evolved into Sodinokibi in mid-2019 that threat actors began to say: 'We ONLY want the MSP to pay. You can pay for ALL the customers or you get NOTHING at all.'"
Managed services is the practice of outsourcing the responsibility for maintaining, and anticipating need for, a range of processes and functions in order to improve operations and cut expenses. It is an alternative to the break/fix or on-demand outsourcing model where the service provider performs on-demand services and bills the customer only for the work done.
Managed IT services allow businesses to delegate their IT operations to an expert third-party organization that specializes in handling these responsibilities. These third-party organizations, known as Managed Service Providers (MSPs), are responsible for the entirety or portions of a business’ IT systems, as agreed upon in a Service Level Agreement (SLA). IT equipment is typically procured by the client, and depending on the SLA, Managed Service Providers may provide round-the-clock monitoring, issue resolution and reporting, and more.