In this week’s bulletin, Charlie looks at the role of MSPs in a cyber incident and gives an insight into how they can work with organisations to be prepared for a potential incident.
In a couple of weeks, I am doing a presentation at a ScotlandIS event in Glasgow which will be attended by MSPs, so I thought I would share with you some lessons I have learned from my research in preparing for the presentation. I remember hearing a while ago about the case of an MSP – CTS – which provided services to lawyers and had a cyber attack that became a major news item, so I thought I would research the incident and put together some lessons I identified in preparation for my presentation.
In doing my research, I wasn’t really sure what an MSP was. I know they provide services to other companies and MSP stands for Managed Service Provider, but I wasn’t really sure beyond this. According to TechTarget, an MSP is a “third-party company that remotely manages a customer’s information technology (IT) infrastructure and end-user systems”. What is important to know is that they might manage all of an organisation’s IT assets and applications, or they might provide specialist services such as helpdesks, email management, backup and recovery services, security management and monitoring, and infrastructure services. They might also provide a service to a particular industry sector. Depending on the type of contract, organisations may be totally dependent on their MSP for all IT services, including communications, and the MSP may also hold or process their clients’ data. I am not sure what the statistics are, but most organisations will outsource at least an element of their IT requirements.
MSPs are attractive targets for cybercriminals in that, if they can get into the MSP, it might give them access to multiple other organisations. The government has described MSPs as “an attractive and high-value target for malicious threat actors, and can be used as staging points through which threat actors can compromise the clients of those managed services”. Some of the biggest cyber attacks have come through MSPs, such as the SolarWinds and Kaseya attacks, and the attack on the NHS supplier, Advanced, had a major impact on NHS and care home services in England.
CTS was an IT MSP which provided IT management services and case management services to a number of legal firms. On the 22nd of November 2023, they had a major cyber attack which affected approximately 80 of their 200 customers. Some of their customers immediately lost access to their IT systems and telephony, while others lost access to their case management system. On 24th November, they put out their first communication, which didn’t explicitly mention a cyber attack and didn’t give any timeframes for recovery. After the initial communications, public communication was sporadic. On 2 January, roughly five weeks after the attack, they announced that all systems had been restored. In early 2024, they went into insolvency, and the MSP part of the company was sold in April 2024.
The reason why this event became national news was that several of the lawyers affected were unable to complete house sales, which had a major impact on the lawyers’ customers who were trying to sell their houses or move into rented accommodation. This led to a lot of customer anger and comments like this being posted on social media: “I am genuinely getting fed up with this and especially the firms affected. The management of the firms affected seem to have gone into hiding. No statements, no public show of support for everyone affected, no policy, nothing. Their poor staff clearly don’t know what to say or do. It’s a disgrace and the lack of support from the SRA (Solicitors Regulation Authority) is appalling.” The issue was compounded by the attack happening just before Christmas, as people wanted to get their move sorted and done before the Christmas holiday period.
There are a number of learning points for MSPs from this incident. The obvious one is: don’t have a cyber incident, as it brings a world of pain with it. But we all know that there is no such thing as 100% security, so avoiding a cyber event is not always possible.
MSPs need to understand what data they hold on behalf of their clients, the sensitivity of that data if lost, and the impact on their clients’ customers. A cyber attack on CTS would always be a major incident for the 80 lawyers and their clients, but it only became a national incident because it affected members of the public. If the impact had been on companies, then I suspect they would not be so vocal. Moving house is a huge upheaval for most people and a stressful time, so it is not surprising that those left in limbo by a cyber attack were angry and very vocal about it. Lawyers are not a loved section of society, and so they would get a lot less sympathy than if the event had affected the NHS.
We have talked a number of times in this bulletin about organisations doing a data risk assessment to understand the data they hold and the impact on those whose data could be lost. If you know that the loss or unavailability of data you hold will have a major impact on members of the public, especially if it stops them from carrying out a time-bound action, then the MSP knows that the impact will be severe and vocal. The impact on lawyers was that conveyancing and completions were taking 10 times longer than normal, if they could happen at all. In the Capita hack on the 22nd March 2023, personal information was lost, which exposed those whose data Capita held to possible identity fraud. It didn’t have an immediate effect on people, so they were less vocal about the attack. So, lesson one: MSPs need to understand the data they hold and the impact if it is lost or unavailable.
MSPs are in a difficult position when carrying out crisis communication on an incident. Those affected, members of the public, are not their customers but their customers’ customers. If they are named and in the forefront of the media storm, all they can do is apologise, but they cannot act to alleviate the issue until they have got back the lost data. Lesson number two is to discuss with their customers in advance how an incident would be managed and agree a joint communications strategy, while also being aware that there is little they can do to immediately help those affected.
It took CTS five weeks in total to restore all the customer data encrypted in the cyber attack. At the beginning of the attack, on the 26th November, CTS put out the following information as part of their statement: “Whilst we are confident that we will be able to restore services, we are unable to give a precise timeline for full restoration”. Saying you have no idea when you will get back your customers’ data does not fill them with confidence in your ability to recover, and they are unable to communicate a timetable to their own customers. Although every cyber attack is different, I think organisations should have carried out research into their recovery timetable so that they can give a realistic worst case for recovery. Better still, this calculation is made, documented, and rehearsed before an event, rather than being carried out on the day of an incident under pressure and with limited resources. Lesson three is to have a recovery plan which is documented, tested, and has realistic timelines.
CTS lost several of their customers due to the cyber attack and eventually went into insolvency. I think it had financial issues prior to the cyber attack, and so the attack was enough to push them into a financial crisis. I think lesson four for all MSPs is to understand the impact of a cyber attack on their business model and, whether one occurs or not, whether it is easy for customers to take their business elsewhere because the service you provide is commoditised, or whether you provide a very specialised service which is not available elsewhere, or whether it is difficult to move away from the service you provide.
Lesson five: if an event happens around holiday time, emotions are going to be heightened and it will be more difficult to manage, as people and organisations may not be available, or happy to work, during holidays.
A number of organisations, on hearing of the cyber attack, cut off dataflow APIs to CTS and their customers. This increased the impact of the incident, as automatic workflows were no longer completed. I have seen this happen in other cyber incidents, and so it should be anticipated, and the impact of this occurring should be known to the organisation’s crisis management team. That is lesson number six.
In conclusion, cybercriminals have been targeting MSPs because they may be used to access other organisations. MSPs should take this into account when reviewing their own security, including their level of preparation for a cyber attack, and they should heed and work on the six lessons from the CTS incident.
I will give the last word to an angry customer: “So the affected firms are still not back on track. One firm, who shall remain nameless, is proving infuriating. Inaccurate updates, lack of communication, inconsistent ways to proceed and only willing to exchange one working day before completion. At Christmas, how on earth is that good for any clients or other conveyancers who are trying to do a good honest job? I’m at my wits’ end and on the verge of saying to these firms if you are incapable or unwilling, send the case to another firm who can.”