The field of cybersecurity is often considered a blend of highly technical engineering and a sort of dark magic. Collectively, we defend organizations in a largely unseen but not-so-hypothetical war waged by state-sponsored actors and criminal entities alike. We go to battle not with physical weapons but with detective, preventive, and compensating controls: a perpetually evolving set of practices and technical configurations backed by rapid-response containment teams, the front-line soldiers standing ready to intervene when those measures fail to stop an attack. While that characterization of modern cybersecurity is accurate, it fails to account for the behavioral axioms of our adversaries. One such axiom is the supply-and-demand nature of many opportunistic and industry-targeted attacks: cybercriminals take the path of least resistance to their malicious objectives. As defenders improve the detection and response capabilities of their arsenal, adversaries shift to less known and less defended methods of attack. Nowhere is this more evident than in organizations with fewer dedicated cybersecurity resources, or those slow to adapt to rapidly changing attack patterns. Organizations that meet these criteria are victimized at a population-adjusted rate greater than their peers with more mature cybersecurity programs.
Cyber-risk in Smaller Organizations
Small and Midsize Businesses (SMBs), organizations with fewer than 500 Full Time Equivalent (FTE) employees, have consistently been the organizational demographic with some of the fewest cybersecurity resources. SMBs represent roughly 98% of all employers in the United States and provide more than 47% of all U.S. jobs, according to the U.S. Census Bureau and Small Business Administration [1]. These organizations are among the most vulnerable to cyber-attack. According to the Cyber Readiness Institute (CRI) [2], in 2020 fewer than 40% of SMBs had a formal cybersecurity policy, and fewer than 33% gave their staff access to any formal cybersecurity education or training. These same organizations face some of the greatest operational risks from cyber-attack, with approximately 15% ceasing operation within 12 months of an attack [3]. Combining the near-existential threat that cyber-attacks pose to this demographic with the alarming increase in sophisticated attacks against them reveals a pair of trends heading in the wrong direction.
Closely following SMBs in both cyber-attack trends and scarcity of resources are State, Local, Tribal, and Territorial (SLTT) government organizations. The parallel may not be immediately apparent, but closer evaluation reveals key similarities between their cyber-risk profiles and those of SMBs. SLTTs often have a low ratio of full-time IT staff to FTEs, and the majority have no dedicated cybersecurity personnel. Combined with an increasing rate of cyber-attacks, these factors have produced significant financial and operational impacts for SLTTs, and in turn for the communities they serve: an SLTT that has been successfully exploited is often unable to deliver on its mission.
Managed Services Providers to the rescue?
The market for Managed IT Services Providers (MSPs) exploded in the decade from 2011 to 2021, with a Compound Annual Growth Rate (CAGR) of nearly 8% reported globally. With the skills gap for IT and cybersecurity professionals widening in each of the last 8 years, MSPs play a key role for most SMB and SLTT organizations. In 2020, over 84% of SMBs reported relying on the services of an IT MSP, according to EM360 and CompTIA [4], both IT industry research organizations. A similar share of SLTTs reported relying on MSPs, according to the Multi-State Information Sharing and Analysis Center (MS-ISAC) [5], which is responsible for cybersecurity threat-intelligence sharing among state and local governments. In both SMB and SLTT organizations, MSPs are often responsible for everything from end-user support to the operation and security posture of IT systems. Their clients rely on them to economically fill the functions of Chief Information Officer (CIO), Chief Information Security Officer (CISO), IT Director, and technical support. The importance of MSPs in the IT ecosystem has not gone unnoticed by cybercriminals: attacks against MSPs have increased in both sophistication and frequency. Successful exploitation of a single MSP yields the attacker nearly unfettered access to its SMB and SLTT clients, and each U.S. MSP averages roughly 120 clients [6].
The commonalities between SMB and SLTT
Corporate Information Technologies (CIT), a cybersecurity services provider, conducted a series of cyber-risk assessments against SMB organizations across a wide range of non-regulated industries and against SLTT government organizations, using the Center for Internet Security (CIS) security controls framework, the “CIS Controls”, as the standard. A number of areas of common exposure and vulnerability were identified. The CIS Controls, version 7, describe the implementation of known-effective security controls across twenty control areas. CIT’s evaluation focused only on organizations assessed at Implementation Group 2 (“IG2”) of the CIS Controls, which eliminated the smallest and largest organizations from scope. In 88% of the in-scope organizations that used an MSP, the senior-most business executive responsible for information risk relied on the MSP to manage and administer appropriate cybersecurity controls within the organization. Within this same group, 72% reported receiving little-to-no cybersecurity-specific reporting from their MSP(s) apart from what they collected themselves.
Collectively, the in-scope SMB and SLTT organizations demonstrated lower implementation scores in control areas 1, 5, 9, 11, and 14 (Table 1). In most of the in-scope SMB organizations, these lower scores were typified by unknown devices present in the corporate environment with access to systems containing sensitive information. In SLTT organizations, the lower scores were more closely typified by broad and uncontrolled access by user accounts, both active and dormant, to information and systems. Such close alignment of lower implementation scores between two very different organizational demographics is atypical in CIT’s experience. Further evaluation of these populations identified a commonality in recent cybersecurity spending trends: in the majority of both SMB and SLTT organizations, cybersecurity spending was largely influenced or directed by an MSP.
Table 1: Common Areas of Exposure between SMB and SLTT organizations
Control 1: Inventory and Control of Hardware Assets
Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
Control 9: Limitation and Control of Network Ports/Protocols/Services
Control 11: Secure Configuration for Network Devices
Control 14: Controlled Access based on the Need to Know
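As an added illustration (not part of CIT’s assessment or its tooling), the two reconciliation checks below correspond to the exposures that typified Controls 1 and 14 in the findings above: devices on the network that are absent from the authorised hardware inventory, and dormant-but-enabled accounts that still hold membership in sensitive groups. All inventory, DHCP-snapshot and directory data is constructed for the example, and the sensitive subnet and group names are assumptions; in practice the inputs would be a DHCP lease or ARP export and a directory (e.g. Active Directory) user export.

```python
"""Reconcile a discovered-device snapshot and a directory export against what
the organisation has authorised. These are the checks behind CIS Control 1
(hardware inventory) and Control 14 (need-to-know access). Every record
below is constructed for the example."""
import ipaddress
from datetime import datetime, timedelta

# Constructed authorised hardware inventory, keyed by lowercase MAC (Control 1).
AUTHORIZED_DEVICES = {
    "00:1a:2b:3c:4d:01": "fs01.corp.example",   # file server holding sensitive data
    "00:1a:2b:3c:4d:02": "ws-finance-07",
    "00:1a:2b:3c:4d:03": "ws-frontdesk-02",
}

# Constructed DHCP-lease / ARP snapshot: (MAC, IP, hostname as reported by the client).
DISCOVERED_DEVICES = [
    ("00:1a:2b:3c:4d:01", "10.0.10.5", "fs01"),
    ("00:1a:2b:3c:4d:02", "10.0.20.31", "ws-finance-07"),
    ("D4:3B:04:AA:BB:CC", "10.0.20.88", "android-9f3c"),   # not in inventory
    ("00:1a:2b:3c:4d:03", "10.0.20.14", "ws-frontdesk-02"),
    ("b8:27:eb:11:22:33", "10.0.10.9", "raspberrypi"),     # not in inventory, server VLAN
]

# Assumed: the server VLAN where systems with sensitive data live.
SENSITIVE_NETWORKS = [ipaddress.ip_network("10.0.10.0/24")]


def unknown_devices(discovered, authorized, sensitive_networks=SENSITIVE_NETWORKS):
    """Return devices seen on the network but absent from the authorised inventory.

    Each finding is (mac, ip, hostname, on_sensitive_network). The last field
    separates an unknown phone on the user VLAN from an unknown box that can
    already reach the servers holding sensitive information."""
    findings = []
    for mac, ip, host in discovered:
        if mac.lower() in authorized:
            continue
        addr = ipaddress.ip_address(ip)
        sensitive = any(addr in net for net in sensitive_networks)
        findings.append((mac, ip, host, sensitive))
    return findings


# Constructed directory export (Control 14): account, enabled flag, last logon, groups.
NOW = datetime(2021, 6, 1)
ACCOUNTS = [
    {"name": "jsmith", "enabled": True, "last_logon": NOW - timedelta(days=3),
     "groups": ["Domain Users", "Finance-RW"]},
    {"name": "contractor1", "enabled": True, "last_logon": NOW - timedelta(days=210),
     "groups": ["Domain Users", "Finance-RW"]},           # left months ago, still enabled
    {"name": "svc-backup", "enabled": True, "last_logon": None,
     "groups": ["Domain Admins"]},                         # never logged on interactively
    {"name": "mjones", "enabled": False, "last_logon": NOW - timedelta(days=400),
     "groups": ["Domain Users"]},                          # already disabled
    {"name": "clerk2", "enabled": True, "last_logon": NOW - timedelta(days=120),
     "groups": ["Domain Users"]},                          # dormant, but no sensitive access
]

# Assumed: groups that grant access to sensitive information or administration.
SENSITIVE_GROUPS = {"Domain Admins", "Finance-RW"}


def dormant_privileged_accounts(accounts, now=NOW, max_idle_days=90,
                                sensitive_groups=SENSITIVE_GROUPS):
    """Return enabled accounts idle longer than max_idle_days (or never logged on)
    that still hold membership in a sensitive group, as (name, [groups])."""
    cutoff = now - timedelta(days=max_idle_days)
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts are already contained
        idle = acct["last_logon"] is None or acct["last_logon"] < cutoff
        held = sorted(set(acct["groups"]) & sensitive_groups)
        if idle and held:
            findings.append((acct["name"], held))
    return findings


if __name__ == "__main__":
    for mac, ip, host, sensitive in unknown_devices(DISCOVERED_DEVICES, AUTHORIZED_DEVICES):
        flag = "SENSITIVE NETWORK" if sensitive else "user network"
        print(f"unknown device {mac} {ip} ({host}) on {flag}")
    for name, groups in dormant_privileged_accounts(ACCOUNTS):
        print(f"dormant account {name} still in {', '.join(groups)}")
```

Run against real exports, the first function is the gap that Control 1 closes (the snapshot shows who is actually on the wire; the inventory shows who should be), and the second is the periodic review that Control 14 expects, with the idle threshold and group list tuned to the organisation’s own access policy.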
A glimpse into the future, perhaps?
Recalling the supply-and-demand axiom discussed earlier, under which cybercriminals choose the mechanisms of attack that meet the least resistance, these common areas of exposure may provide a roadmap for future attacks. The attack surface represented by organizations like those in scope of CIT’s assessment spans a population of over 32 million organizations. Ongoing reconnaissance by cybercriminals in related areas, as reported by various threat-intelligence agencies [7], supports this conclusion. One question that remains is the role MSPs play in further securing their clients. Perhaps they fill the gaps? Using the common areas of exposure above, CIT approached many well-established MSPs serving the SMB and SLTT markets, under strict confidentiality, and solicited their responses to a similar self-reported cybersecurity risk assessment using the same criteria as the in-scope organizations (CIS Controls v7, IG2). Those responses indicated that most MSPs exhibited even greater exposure in many of the same areas. Sharing these weaknesses with their SMB and SLTT clients only amplifies the existing blind spots across the entire information-risk ecosystem.
CIT’s assessment of SMB, SLTT, and MSP organizations within Implementation Group 2 of the CIS Controls thus describes a roadmap that attackers may follow to identify the areas most likely to be vulnerable. Organizations can take several steps to regain the advantage over potential attackers.
- Start Now – Using the offense-informs-defense framework of the CIS Controls, identify your organization’s areas of greatest and most impactful vulnerability. https://www.corp-infotech.com/ciscontrols/
- Ecosystems of trust – the National Cybersecurity Center of Excellence (NCCoE) completed one of the most comprehensive and objective studies of the security posture of Managed Services Providers. Use the resources and guides provided there to evaluate Managed Services Provider(s) that are operating within your organization. Ensure they are proactively taking steps to improve their security posture within the areas identified by NCCoE. https://www.nccoe.nist.gov/projects/building-blocks/managed-service-providers
- CISA has published numerous free cybersecurity guides for SMBs to build and develop a highly effective cybersecurity program. Beginning with the Cyber Essentials toolkit, https://www.cisa.gov/cyber-essentials, these guides build upon the proven resources of NIST.
- Education & Culture Matter – NIST has created a thoroughly researched and well-executed workforce development initiative, the NICE Framework, that provides a highly relevant and approachable mechanism to communicate and educate cybersecurity-relevant topics across the entire organization. https://www.nist.gov/cybersecurity-awareness-training-education-and-workforce-development
- Additional resources have been compiled and are available at: https://www.corp-infotech.com/grcoutlookinfo/
1: SBA.gov: https://rsac2021.tiny.us/SBAStats