ConnectWise ScreenConnect Crisis: View from the CISO Chair

How do you handle crisis communications during an incident? What best practices do CISOs have in place to ensure processes run smoothly?

MSSP Alert caught up with ConnectWise CISO Patrick Beggs during the company’s IT Nation Secure event in Orlando this week to get the inside story. We asked Beggs about what went on behind the scenes at ConnectWise during the ScreenConnect crisis earlier this year, whether the company discovered any gaps and what best practice recommendations he had to offer to other CISOs, MSPs and MSSPs.

Inside ConnectWise During the ScreenConnect Crisis

It started when a researcher reached out to ConnectWise in relation to its responsible disclosure program. Beggs said that every software company has or should have a bug bounty or vulnerability disclosure program, and ConnectWise has one that’s posted on its main website.

After first contact, the company simply followed its process.

“We have playbooks and we have processes and we have internal SLAs that we adhere to,” Beggs said. “We have implemented and executed on the reporting structure for this scenario.”

Work was handed off to the product team to create, test and validate a patch, just as they would do for a feature upgrade.

“It was very smooth. I was very proud of the team because folks did not lose focus,” Beggs said. “We implemented our communications playbook to the letter.”

Beggs said that the heavy lift of the whole process was in external education and awareness.

ConnectWise offered a free upgrade to the product, even to MSPs that were no longer under maintenance with ConnectWise and would have otherwise been ineligible for the patch.

“That’s just being responsible,” Beggs said.

Lessons Learned, Changes Made

Beggs said that the incident response, product and operations teams came together and collaborated smoothly from a technical standpoint. But the company has since refined how it looks for unpatched instances.

“We’ve discovered some really great processes for identifying unpatched instances,” he said. “We actually tested our full incident response plan a month before, so it was good timing. We had some good lessons learned already. Gaps were filled that helped when the actual crisis hit.”

Beggs said he runs full-scale tabletops every year, and management and technical ones on a quarterly rolling basis. This year he will run the full-scale tabletop sooner rather than later to test it closer to when the event happened.

The Most Difficult Part of the ScreenConnect Crisis

Making sure the right information was out was the most difficult part of the process, Beggs said. And when you are in the midst of a crisis, you need to put that information out on a regular cadence, so people know when to expect it.

“If you’re not putting out information, people make up their own,” he said. “Even if you don’t have anything substantial to say, let them know that you are thinking about it and that you are going to get something to them.”

That’s true for external communications, sure, but it’s even more important for communicating with internal stakeholders, including the CEO.

“I feed people information internally at specific times because if you don’t feed them internally, they get hungry.”

CISO Best Practices for Crisis Communications

We asked Beggs what his top best practices were for crisis communications. Here’s what he said:

  • Communicate early and often with an established cadence of when you are pushing information out.
  • Think about how long it’s going to take you to prepare that information you are going to share. You have technical teams putting together data points and talking points. You have to give yourself the time to get those and put the report together and get a final signoff. Plan for the time you need to prepare the report.

Jessica C. Davis

Jessica C. Davis is editorial director of CyberRisk Alliance’s channel brands, MSSP Alert, MSSP Alert Live, and ChannelE2E. She has spent a career as a journalist and editor covering the intersection of business and technology including chips, software, the cloud, AI, and cybersecurity. She previously served as editor in chief of Channel Insider and later of MSP Mentor where she was one of the original editors running the MSP 501.