In 2021, the threat of ransomware to Managed Security Service Providers (MSSPs) and their clients changed dramatically. The Kaseya hack exploited a flaw in the popular Virtual System Administrator (VSA) remote management software to spread ransomware to an estimated 1,500 small-to-medium-sized businesses (SMBs) around the world via managed service providers (MSPs). In 2022, the Cybersecurity and Infrastructure Security Agency (CISA) predicts more of the same.

To set expectations, ensure threat lifecycle coverage, and improve client satisfaction, this article discusses mutual ransomware responsibilities.

MSSP Mitigation Responsibilities Against Ransomware

Clients are aware of the growing threat of ransomware and are understandably concerned. As an MSP, are you clearly stating where responsibilities begin and end for both you and your clients? Miscommunication about ransomware and cybersecurity roles and responsibilities can lead to finger pointing, inaction during a security incident, and even dissatisfaction with the business relationship.

MSP clients have every right to expect their service providers to do everything possible to protect them from ransomware and common vulnerabilities like Log4j. Service providers should approach multi-layered security from both a strategic and a tactical standpoint.

MSPs should also be prepared to show that they adhere to basic cyber hygiene principles on their own systems, such as network traffic encryption and effective patch management. In particular, you must be proactive in patching and keeping up to date the remote monitoring and management tools used to access client systems. MSPs are being actively targeted by cyber criminals as a stepping stone to targeted client accounts and other supply-chain partners.

Other mitigations and hardening measures within MSP control that clients expect include:

  • Implementing robust network monitoring
  • Closing all remote access ports no longer needed for providing services
  • Applying the principle of least privilege to client environments to limit access to client systems
  • Preserving, aggregating, and correlating log data
  • Preventing lateral movement within the MSP and client environments
  • Managing client data backups as part of your services, and keeping backups offsite
  • Ensuring that cloud services and cloud storage are properly configured

The Precedent for Shared Cybersecurity Responsibility

Simultaneously, MSPs can expect their clients to take responsibility for the cybersecurity elements under their control — with joint responsibilities clearly defined in writing if possible.

There is precedent for cloud providers sharing security responsibilities. For example, this Microsoft matrix makes it clear that the client is always in charge of information and data, end user devices, and accounts and identities. Physical hosts, the physical network, and the physical data center are always Microsoft’s responsibility. The client and Microsoft may share responsibility for the layers in the middle, such as the operating system, network controls, applications, and identity and directory infrastructure, depending on the type of cloud service.

Clients Can Retain or Delegate their Responsibilities

MSP clients should expect to perform basic security practices, such as patching their own operating systems and applications, if these are not part of a managed security service offering. Endpoint protection, vulnerability management, account privilege policy management, security awareness training for employees, virtual private networks (VPNs) for internet access and remote work, and multi-factor authentication (MFA) for network and application access are all examples of client security responsibilities, unless otherwise stated.

Key Takeaways

What is important for MSPs and their clients is clarity about who is responsible for what aspects of cybersecurity management. MSPs, especially those serving SMBs that have limited in-house IT or security expertise, should use plain language in outlining ransomware and cybersecurity roles and responsibilities so there can be no misunderstandings.

A Solution That Makes It Easier for MSPs and Their Clients

Use these four steps to predict, prevent, detect, and respond to escalating ransomware:

  • Predict attacks by scanning your endpoints for vulnerabilities that may be exploited by ransomware. Continually prioritize, patch, and remediate these before they become an attack vector or path of lateral movement.
  • Prevent as many ransomware attacks as possible by blocking known ransomware strains like WastedLocker, Maze, Ragnar, Snake, Ryuk, and REvil based on known signatures.
  • Detect ransomware immediately before it does real harm. If ransomware successfully eludes prevention measures, it will generate encryption keys, communicate with Command and Control (C2) servers, and begin encrypting files.
  • Respond to ransomware immediately and effectively once all malware, lateral movement, and variants have been detected.

The CYB3R-X approach to managed threat protection ensures transparency and allows you to set client expectations regarding cybersecurity responsibilities and deliverables.