ConnectWise Finds Woeful Cybersecurity At SMBs, Including MSP Partners

‘I’m surprised by the number of people out there that are not doing it. The first line of defense and the last line of defense is always the human. Its shows either a real lack of understanding or it demonstrates a component where they simply believe they’re not a target, but they are,’ says ConnectWise CISO John Ford.

Nearly half of SMBs don’t have a plan for what to do following a cyberattack and most haven’t even identified threats to their systems, according to a new risk assessment from MSP platform provider ConnectWise.

The firm’s assessment of 1,000 SMBs – half of them MSPs -- found that 48 percent were unprepared for a cyberattack, and 70 percent haven’t identified potential threats..

“If you look at the MSPs, on average, they’ve done a great job of making a living by being very efficient,” ConnectWise Chief Information Security Officer John Ford told CRN. “There’s no wasted steps. Taking the time to really understand their customer’s business. Taking the time to really understand the risks to that business is not something that they’ve been accustom to doing. It creates a void.”

ConnectWise began distributing the survey to partners last fall, as part of a free risk assessment provided by Sienna Group, which was then acquired by ConnectWise in December.

The 22-page assessment is meant to gauge a small business’ cyber security posture against a wide variety of threats. The questions are based on the National Institute of Standards and Technology Security Risk Assessment and the results were measured against NIST Cybersecurity Framework, which is considered a best practice in the security industry.

Ford said the fact that, according to one data point, 48 percent of the MSPs and their SMB customers have not identified targets on their networks is distressing.

“This is probably one that’s most troubling for me. I’m surprised by the number of people out there that are not doing it,” Ford said. “The first line of defense and the last line of defense is always the human. Its shows either a real lack of understanding or it demonstrates a component where they simply believe they’re not a target, but they are.”

But just as damning is the lack of planning around what to do when their network is hit. Ford said it is “insanely important” to plan next steps ahead of an attack, at a time when decision makers are “level headed and calm.”

“When you look at how an incident escalates through an environment, you can do a tremendous amount of harm to both you and your customer if you start panicking and acting irrational because you don’t know what to do,” Ford said. “There’s a systematic process to incident response and MSPs really need to take the time before there’s an incident to work thorough, and craft a plan for them and their customers.”

He said this approach aligns with the consensus on cyber security today which is focused less on building impenetrable systems and more on rooting out untoward behavior on a network and having a method for dealing with it once it is spotted.

“If you look at the security market today, the better money is being spend on detection and response, not on protection,” he said. “Which isn’t to say we’re not spending money on protection, but the industry has adopted the mindset that I cannot prevent everything. So I need to be able to detect them quickly and respond to them quickly. So it is kind of shocking when you see that high of a number of folks who do not have a plan.”

Among the survey’s other findings were an alarming 69 percent of SMBs have not identified and documented cybersecurity threats, while 66 percent have not identified and documented cybersecurity vulnerabilities, and two-fifths do not have a recovery plan for a cybersecurity incident.

These initial results were gathered from the ConnectWise Identify product, and more are being added daily. There are more than 1,500 responses so far. Ford hopes this is becomes an ongoing evaluation of the SMB cyber security environment.

“What we’re trying to do is eliminate this whack-a-mole and educate people along the way, and get them thinking in a model where we can measure risk, and out of that risk create valuable plans to reduce the risk so the bad actors don’t win all the time,” Ford said. “Just like if your shoulder hurts you go to a doctor, you don’t go to a surgeon. We access the environment first, do the triage then figure out what do to next.”