Lewis Pope, N-able: “SMEs suffer from overconfidence in cybersecurity posture and don’t think they’re a primary target”

The ever-changing nature of the IT landscape means that more organizations are relying on independent experts to manage their operations.

Many in-house IT teams are struggling to keep their business’s systems running, up-to-date, and secure. To mitigate that, they invite external experts in the form of Managed Service Providers (MSPs) to help bridge this gap.

As businesses face an ever greater threat from cybercriminals, MSPs are best placed to share expertise on how businesses can best protect their clients’ data and back-up their assets.

To find out more about the MSP landscape and how it fits into the wider security puzzle, we spoke to Lewis Pope, Head Security Nerd at N-able – a provider of complete IT management and automation solutions.

N-able has been in the industry for over two decades. How has the company changed and evolved throughout time?

Obviously, the pandemic made a big impact on the MSP market around cybersecurity. The demands on MSPs to better secure their own operations, as well as their clients, took on new importance as the modern hybrid working environment introduced new business challenges and brought the conversation around risk management to the forefront in a way it never had before.

I’ve had the opportunity to see this development happen first-hand over the past three years at an accelerated pace. I’ve also had the pleasure of helping guide some of our partners through this journey as they matured from break-fix operations to MSP and others from MSP onto MSSP. The biggest seismic change for N-able, however, happened when it spun out in July last year.

The spin-out from SolarWinds enabled us as a business to double down our focus on the MSP community with a strategy that encourages us to go forward together. As a channel partner, we’re much closer and more in tune with the issues affecting the community ecosystem than we’ve ever been, and we now have the capability to tailor our channel programs to help the community in more ways than before. This includes identifying new areas of opportunity and making sure that MSPs have the tools they need to benefit from these opportunities.

Can you tell us a little bit about what you do? What are the main challenges you help solve?

I took a path that might be familiar to some who didn’t arrive in IT straight out of college. I began my career in IT doing freelance PC repair on the side while working restaurant jobs. I was the “IT person” for many dishwashers and chefs over the years. From there, my first real IT job was with a small break-fix PC repair shop. I spent six years helping grow into an MSP using N-able’s RMM.

Now as N-able’s Head Security Nerd I leverage those hard-won experiences when offering advice and guidance to MSPs who are on the same journey of maturing their cybersecurity practices and operational efficiencies I once was on, helping them find a path forward when they encounter a challenge they need a helping hand with.

Developing a comprehensive cybersecurity posture is already complicated, and an MSP that must manage the IT environments and daily challenges for multiple businesses makes the job evermore complex. In my role, I like to think of myself as a sympathetic voice to the MSP community who has been in their shoes, and they can come to me with any questions to help them better navigate the cybersecurity demands of their environments.

This could include anything from speaking to MSP engineers about implementing NIST 800-171 security controls, guidance on what security patches to prioritize, or creating automation policies for partners that have skills gaps in their security teams.

Like the other N-able Nerds, I also run a series of boot camps and office hours that are designed to help MSPs keep up to date on the latest security best practices in the ever-changing cybersecurity landscape.

Did the COVID-19 pandemic present any new challenges in your field of work?

The pandemic impacted the MSP community in both positive and negative ways. MSPs who support small businesses saw the biggest impact simply because those small businesses were suffering the most from early pandemic lockdowns, with many of those clients evaporating over the first few months.

On the positive side, many new opportunities were appearing for MSPs to keep the business world functioning by working around the clock to make sure that laptops were connected to secure VPNs, new collaboration tools were implemented and enabled, and employees were equipped with the right hardware so that they could continue to do their jobs.

As a result, this led to more devices connected to the business network, creating millions of potentially insecure entry points for bad actors. This was then exacerbated by companies who elected to go with bringing your own device (BYOD) policies as a cost and resource-saving measure. Even moving infrastructure into the cloud was happening at a break-neck speed. The result of this is that MSPs now need to expand the scope of their operations to ensure they have good visibility of the entire IT network, from endpoint to cloud, to make sure any device or service connected to their networks is secure.

With companies now comfortably working in a hybrid model, it goes to show how MSPs have emerged as the unsung heroes of the pandemic. Even today, they’re still battling with the ever-changing digital landscape as more companies adapt to the new working climate and trial different cloud technologies.

Why do you think certain business owners are unaware of the dangers hiding in their own networks?

Reflecting on the NotPetya cyberattack, Adam Banks, chief technology and information officer at Maersk, talked about how the business was not unusually weak against hackers – like so many other companies, they suffered from overconfidence and didn’t think they’d be a target. Even now, after so many businesses have fallen victim to ransomware over the past year, SMEs suffer from overconfidence in their own cybersecurity posture and don’t think they’re a primary target.

With the commoditization of hacker tools into services like Ransomware as a Service (RaaS) from groups like DarkSide and REvil, the barrier for entry into cybercrime can be as low as agreeing to share profits with the RaaS operators and buying a set of valid RDP credentials off the dark web for the cost of a cup of coffee. Amateur hackers and script kiddies now have the resources to conduct sweeping attacks against any number of organizations and make away with a quick buck or just cause general havoc.

SMEs are sought after just as much as any large organization when you can canvass targets with cheap ransomware. While the individual payout is not as big as with the blue-chip business, hackers know that SMEs are more likely to pay up and won’t attract unwanted attention from the media or the government.

Even low complexity attacks are being seen used with unsettling, if not impressive results. The recent exploits of the Lapsus$ group and their tactic of pestering end-users with repeated MFA push notifications until the user clicks okay shows how a security control can be quickly turned against you and illustrates why good cybersecurity awareness and hygiene training is just as important as technical and physical security controls. Today, everyone and everything is a potential target.

What do you think the future of IT is going to look like?

Like most businesses, IT is suffering from a labor shortage. In almost all businesses, they’re finding that it’s a candidate’s market, meaning that many enterprise IT teams are struggling to get the support staff they need. This has led to larger enterprises having to augment their teams with external MSPs leading to a co-managed IT service model, which gives greater opportunities to MSPs that may only be used to working with SMEs.

The MSP labor shortage is no different, the massive spike in demand for their services will force MSPs to adapt their processes and adopt more automation in the workplace to keep up with the workload and avoid staff burnout.

I think there is also an opportunity for boutique MSPs on the horizon as support and cybersecurity services are going to be needed by a new generation of entrepreneurs and small businesses that are being minted because of the pandemic and the great resignation. Once upon a time, all you needed to run a business was a receipt book.

Now small business operations are built on XaaS. Today’s savvy entrepreneurs and business owners realize the need and benefit of protecting their digital estate in a way their predecessors never did, and they’ll need MSPs to help them on their journey.

In your opinion, what are some of the worst cybersecurity mistakes organizations tend to make?

Being complacent about security and not following an established cybersecurity framework are the top two issue that springs to mind. Many organizations are not well versed in cybersecurity best practices so they put the onus on the MSP or cybersecurity provider to keep them secure and stop thinking about it from there. Rightly or wrongly, the expectation and assumption of many organizations are that “the IT people have it under control,” and some MSPs do poorly manage those expectations. As an MSP, the conversation with clients needs to include an honest one about the risk the client’s business is exposed to and how to mitigate those risks, not just the justification of line items on a managed services agreement.

Over the last 12 months, we’ve seen the devastation supply chain attacks have had, with research identifying that many attacks directed their focus towards MSPs to enable them access to a wider scope of businesses. This has helped fuel an awakening in channel security, and that’s that we’re all in this together - If one member of our ecosystem gets hacked, then we’re all potentially compromised. As a result, there’s a deeper conversation being had around risk and security, with much more thought put into layered security approaches.

What new challenges do you think companies should be ready to tackle in 2022? What tools should they have in place?

The most dangerous trend in the hacking industry is the professionalization of hacking services. For threat researchers, it’s becoming more difficult to tell the difference between nation-state hackers and amateurs because of how commodified sophisticated tools have become. As a result, identifying your adversary and assigning the proper level of risk is much more complicated.

As hacking services have grown, this has given a much bigger pool of people the necessary resources to carry out sophisticated ransomware attacks against any industry. No longer are the days when financial institutions and blue-chip businesses were the main targets, now every business is the target, so it’s not a case of if but when your business will be hacked.

This has made backup tools a must-have for your IT stack. If you have a backup you’re removing a potential piece of leverage a ransomware attacker has against you, you can still get your data back. But having backup copies on a network share alone isn’t enough, it needs to be the right backup strategy. Traditionally, backups have worked on the principles of the 3-2-1 rule, with local backups being created first and then moving those backups to secure storage in the cloud, on a segmented network, ‘air gapped’ network or good old sneakernet.

While this puts data behind a set of locked doors to strengthen customers’ protection against hackers, there are more efficient ways of handling it. If you’re still using the same backup solution from 5 years ago, it’s time to evaluate your stack with products currently on the market that can handle client-side deduplication and other modern optimizations to allow you to push hourly backups into the cloud as a primary backup method without saturating your network bandwidth.

As for individual users, what personal cybersecurity tools do you think everyone should implement?

Educating individual users about proper cyber hygiene is key. We work in a digital age where everyone has access to a computer in their pocket that would make an Apollo engineer faint from excitement. Everyone human, every computer, every mobile device, and every IoT device represents an entry point into a company’s network. Even if their access is limited, they represent a foot in the door that can be further exploited by a social engineer or piece of malware.

If a business wants peace of mind, they need to invest in regular discussions with their internal employees about how they keep their own data safe and how to report on any potential breaches or breach attempts. Businesses can invest in the most expensive cybersecurity software in the world, but ultimately, if their employees follow the instructions contained in a malicious email, the whole house of cards can fall.

All that cyber hygiene training is only going to go so far, though, if you do not help facilitate the good practices that training was trying to instill. Providing a secure password management solution is one way to assist end-users with not using weak passwords or password reuse.

Share with us, what’s next for N-able?

One of our main focuses, as we head deeper into 2022, will be homing in on cloud-first solutions and as-a-service models, specifically from the perspective of data protection.

Customers are looking for simpler ways to scale their backups to get the desired level of security, a cloud-first-as-a-service model is a direction where most companies want to land, and that’s a relatively new thing for backup specifically.

According to IDC, the data protection-as-a-service market is expected to grow to $18.4 billion by 2025, and we want to be there to help MSPs make the most out of this opportunity.

Leave a Reply

Your email address will not be published. Required fields are markedmarked