MSPs Blasted for Bad Cybersecurity Practices

Louisiana has been besieged with ransomware attacks and a top state official blames MSPs for not providing enough protection to their government clients.

At a recent meeting of the National Association of Secretaries of State, Louisiana Secretary of State Kyle Ardoin said too many MSPs are using outdated techniques, exposing themselves and their clients to dangerous ransomware attacks from bad actors.

Louisiana Secretary of State Kyle Ardoin

“If MSPs aren’t protecting themselves, how can they protect their clients?” he asked. “MSPs must be more up front with their clients. Too often, MSPs are worried about asking for a client to invest more for their security, which is more difficult to protect in the age of sophisticated attacks.”

Ardoin outlined ransomware attacks last summer on multiple Louisiana school districts. And last November, a ransomware impacted many clients of an MSP, including seven clerks of court offices.

“The MSP was compromised by an attacker, who then pushed ransomware out to many of the MSP’s clients,” he said. “By the time this event occurred, we learned from past events and other ongoing events that it is not necessary to ‘pull the plug’ as a first resort. We have learned to trust our layered defense mechanisms that are in place and stay in contact with our MSSP to help monitor the situation. While our MSSP was monitoring the situation, we were constantly reviewing logs to verify that no unusual behavior was occurring on our network. We also were in contact with affected offices and incident responders to keep up with the incident as it played out.”

A larger ransomware attack last November impacted numerous state agencies, Ardoin said. The state’s Office of Technology Services shut down network traffic and was able to prevent a larger spread, he said. The attackers infiltrated 200 of the state’s 5,000 servers and about 2,000 computers were damaged.

“Due to the November attack occurring the day after the general election, conspiracy theories, misinformation and disinformation became a more serious problem,” he said. “Our office had to directly respond to numerous inquiries and social media posts purporting to tie the cyberattack to the general election results. Cyberattacks are a prime opportunity for some to cast doubt on our elections. Election officials must be ready to respond to citizens and media outlets that tie cybersecurity news to election infrastructure, even when no tie exists. Luckily, we were able to quickly provide accurate information to our partners in the media who helped broadcast the truth about the cyberattack and undervote, thus maintaining voter confidence in the election.”

In the past, firewalls, system patching and antivirus software were sufficient, Ardoin said. However, in recent years, attacks have become much more sophisticated yet many MSPs, mostly “mom and pops” with very limited experience, are still operating under what worked several years ago, he said.

“As attacks grew more sophisticated, many MSPs have not been upfront with their clients about the need to invest more into their security,” he said. “This leads to serious problems for their clients and the MSPs themselves.”

Local officials should consider using MSSPs, Ardoin said. While MSPs attempt to protect systems on a “very basic level” to ensure operability, MSSPs are focused on keeping those same systems safe and secure by preventing and detecting, rather than simply responding to, attacks, he said.

Dave Sobel, longtime channel veteran and host of the news and commentary podcast “Business of Tech” and co-host of the “Killing IT” podcast on MSP Radio, said MSPs should take Ardoin’s speech “incredibly seriously.”

“This is the voice of the customer,” he said. “If I asked most MSPs if they would …