Louisiana Criticizes MSP Industry’s Security Practices; Employs MSSP
Many MSPs (managed IT services providers) are dropping the ball on cybersecurity, leaving elections open to the threat of cyberattacks, Louisiana Secretary of State Kyle Ardoin warned peer government leaders on January 31.
Ardoin called out MSP security weaknesses multiple times during a meeting of the National Association of Secretaries of State, according to State Scoop.
Ardoin, the report says, alleged that many MSPs:
- Aren’t properly emphasizing cybersecurity to their government clientele.
- Don’t properly secure their remote monitoring and management (RMM) software tools. He specifically pointed to MSPs that fail to activate 2FA (two-factor authentication).
Amid the alleged MSP industry shortcomings, Ardoin’s statewide office leverages an MSSP (managed security services provider) for prevention and detection services.
Louisiana’s commitment to MSSP engagements is easily explained. The state has suffered multiple ransomware and cybersecurity attacks across numerous municipalities and government agencies.
MSP Industry: Improve or Face New Regulations?
Although the MSP industry has made some progress on the cybersecurity front, more progress is needed, according to Datto CISO Ryan Weeks.
Datto is an MSP-focused provider of data protection, networking, IT monitoring and business automation solutions.
If you’re an MSP, you need to “know thyself, know thy battlefield and know thy enemy,” Weeks told MSSP Alert during a PerchyCon 2020 conference last week in Tampa, Florida, organized by Perch Security.
As MSPs work to gain that cybersecurity expertise, they must also work to offer a unified industry front against attackers, Weeks added.
If the MSP industry doesn’t make more progress on the unified security front, the industry could wind up facing new government regulations and compliance requirements, Weeks also warns.
Still, Weeks sees progress from vendors and MSPs alike. For instance, Datto rolled out mandatory 2FA services to MSPs in January 2020, he notes. We’ll share additional thoughts from our time with Weeks soon.
This guy is a CISO and just rolled out 2FA this month, now wants to preach? No thanks.
Hi Reggie: Just to clarify… Datto has offered 2FA capabilities to MSPs for quite some time. But the company shifted to a mandatory approach after giving partners some time to prepare for the mandatory change.
Yeah, it should’ve been mandatory a long time ago for MSPs.
I’m curious to know how many other solutions MSPs use have a mandatory 2FA doctrine. Banking websites don’t even have mandatory 2FA.
I applaud Datto for being one of the first.
ConnectWise also rolled out mandatory 2FA for their Automate platform with the January update.
Ryan Weeks has been committed to the mission of MSP security for quite some time. He went above and beyond for our MSP and Datto during a time when financial industry regulations were pressuring our MSP. Datto is committed to the continuous improvement of security and we can attest to that in our MSP. The guy is sharp and I am certain he knows MFA is one component of an ISMP and related controls. Bottom line is that MSPs in our industry must take full ownership of their obligation to clients to deliver an information security program correctly, even if that means understanding their gaps in skills and delivery and partnering with a pure play MSSP. All too often our MSP community takes a hit on reputation. We need to continue to educate our MSP community on the right path to delivering security.
Mike, that’s the problem, we’re behind the crooks in security, obviously. I do know my RMM made 2FA mandatory months ago, not sure the exact date, I was using IP restrictions before that bc honestly I hate 2FA, but that’s just one small piece of the puzzle. Don’t come preaching to us now selling your products after the fact.