Russia’s invasion of Ukraine holds the potential for far-reaching economic and business impacts, including cybersecurity. The threat is serious enough that the United States Cybersecurity and Infrastructure Security Agency (CISA) has released the “Shields Up” memorandum warning companies to beef up their security and continuity measures.
Key CISA Advisory Steps for Organizations and Leadership Teams
The Shields Up memo recommends the following steps for all organizations:
- “Reduce the likelihood of a damaging intrusion.” Shore up defenses by:
  - Validating that network, privileged and administrative access is protected with multifactor authentication (MFA)
  - Ensuring that software is up to date and vulnerabilities are patched
  - Implementing strong controls on cloud services
  - Signing up for CISA’s free cyber hygiene services
- “Take steps to quickly detect a potential intrusion.” Enhance security by:
  - Focusing cybersecurity and IT personnel on investigating and mitigating unusual network behavior
  - Ensuring that the organization’s antivirus and antimalware solutions are deployed and current
  - Paying extra attention to detection, isolation and remediation if the organization works with Ukrainian organizations
- “Ensure that the organization is prepared to respond if an intrusion occurs.” Prepare in advance to respond to threats by:
  - Forming a crisis response team, plan and assignments, with a focus on disaster recovery and business continuity
  - Ensuring adequate personnel are available, including surge support if an incident occurs
  - Conducting “tabletop” exercises that ensure all parties know their roles
- “Maximize the organization’s resilience to a destructive cyber incident.” Assess mitigation and recovery measures by:
  - Testing backup and restoration
  - Testing manual control of industrial systems, if appropriate, to ensure systems remain functional if systems and networks are compromised or unavailable
In addition, CISA offers the following guidance for the C-Suite:
- Empower Chief Information Security Officers (CISOs) by including them in decision-making on matters of business and operational risk
- Lower Reporting Thresholds to well below typical levels for reporting suspicious incidents to CISA and the Federal Bureau of Investigation (FBI)
- Participate in Response Plan Tests to ensure that all executives – not just IT and security personnel – know how to respond to incidents
- Focus on Continuity to ensure that critical business functions remain intact when cyberattacks are successful
- Plan for the Worst so the organization can take critical infrastructure offline if necessary
How MSSPs Can Help
CISA’s guidelines are spot-on. No security or resilience expert will dispute the soundness of this guidance. However, most organizations—certainly, the vast majority of SMBs—lack the talent and technical resources to take all of these steps.
MSSPs can help their customers close those gaps. Here are some guidelines for discussions with prospects and customers about the CISA warning and the steps they can take to protect their companies:
- Dramatically underprotected organizations: Most of these organizations’ decision-makers are overwhelmed by the complexities of cybersecurity and the challenges of funding, finding and retaining security personnel. Open discussions with your clients and prospects about the power of managed security solutions and Security Operations Center (SOC)-as-a-Service to deliver affordable, enterprise-level protection. Demonstrate their ability to source a full suite of cutting-edge solutions without managing all those services in-house.
- Moderately protected organizations: Many organizations have taken at least some steps toward cybersecurity and resilience. This often includes some mix of antimalware, backup services, and perhaps security awareness training (SAT) or some flavor of detection and response. Discussions with these organizations should focus on filling holes remaining in their defenses.
- Protected organizations lacking continuity: Some organizations have taken the full plunge into the security side of the cyber resilience equation but have not developed adequate continuity. In these cases, discussions should focus on the ability to either keep operations running during an attack or quickly recover from one. The ideal level of resilience is to withstand an incident without harming net production (or service delivery). Focus on such areas as the difference between data backups and data replication, the importance of SaaS backup and recovery, and endpoint backup and recovery.
Despite the dire warnings, you may face resistance. Here are some tips for dealing with highly resistant personalities:
- Aim for at least “some” level of added protection. Point out that threats are increasing all the time, with the Ukraine crisis being just the latest in a long line of events that are expanding both the reach and severity of the threatscape. Added security and resilience isn’t just appropriate; it’s necessary.
- Focus on human vulnerabilities and ransomware mitigation. Sometimes you have to talk with prospects about what keeps them awake at night. Every business leader with a pulse worries about phishing-based attacks and the incredible proliferation of ransomware.
- Get sales support from your vendor partner. If your provider has a dedicated channel team, leverage that expertise for solutions engineering and closing assistance.
Need help? We’re here for you.
If you’re an Overwatch partner, our channel team is ready to assist you. We have turnkey emails you can use to open discussions with your clients about the CISA warning and a channel team ready to help you plan for your customers, close new deals, and keep your clients safe.
Contact Your High Wire Channel Manager or email us at overwatchsales@highwirenetworks.com.