Kaseya and the Problem with Managed Service Providers

We have really in front of us, a critical warning. We’re trying to figure out what should we do or to stop people from attacking us. That’s a problem. What should we do? Many of us have gone out to managed services providers, and now they have let us down.  Did you hear about the Kaseya hack?

It has had a huge impact on people. It’s absolutely crazy. Or you heard about a thousand companies that got together and they have hired a negotiator in order to negotiate the ransom with the bad guys that have ransom there. It is huge. It’s huge. But let’s talk about why this happened, because I think there are many things that you and I have overlooked here over the years, this ransomware God guy, gang called REvil, R E V I L has targeted cause say, or customers through.

[00:01:04] Say, but it isn’t just kissy customers. It’s really cause say, is customers for the most part. Now your head might be spinning a little bit, but here’s, what’s happening. I’m a business owner. You guys know that right now. Let’s say that I don’t do cybersecurity for businesses. That’s what I do.

[00:01:24] But let’s say I make widget. I as a widget maker, do not have enough knowledge about computers to, to really do it myself. So let’s say I’ve grown and I’ve got 20 employees. The odds are very good that my office manager is the one in charge of the computer. The office manager probably orders.

[00:01:49] Computers probably tries to figure out what’s going wrong. By the time of it at 50 computers or 50 employees, I’ve probably got a full-time it person who goes around and tries to take care of things. But before I’ve got that, full-time it person I’m probably going to outsource it. And by the way, a lot of companies, it’s more like a hundred to 200 employees before they get someone who’s really dedicated to it.

[00:02:18] So then that awkward teenage stage between where the office managers trying to do it. And finally the office manager can try and hire an it professional. Is where they go and outsource it. You talk to various types of companies. What are in the industry called break, fix shops. That’s usually the first stop which is calling them up saying I’ve got a broken computer.

[00:02:44] Can you fix it? And maybe they can, maybe they can’t. And then a lot of break fix shops have tried to level out their income so that they have predictable monthly income so that they can hire the right number of people for the number of customers that they have. Although I’ve got to say most of them are badly overbooked.

[00:03:04]Now that they’ve hired those people, they this outsource break fix shop. They come in and say, okay here’s what we can do for X amount per month per computer or employee, we will take care of those computers for you. One of the things that they’ll promise to do is that they will take care of your cybersecurity for you.

[00:03:25] Now, cybersecurity is frankly, a specialty. It is not something that everybody can do. Even if you’re using some of the best stuff in the world, like what we do, we have Cisco hardware, we have Cisco software that we run advanced malware protection. So that’s the best of the top of the line.

[00:03:45] Most smaller businesses aren’t going to want to pay for it, even though they might be able to afford it. Push those people out right now, because we’re talking about, you were talking about a smaller business. So what does that outsourced it provider do for you? They might change their name and call themselves a managed services provider.

[00:04:06] And that’s all well and good, but they need help as well. So I’m making widgets. I have this break fix shop that came in and fixed my computers a few times. And now they’re handling my cyber security. Isn’t that wall well, and goods was wonderful. So now they’re handling, supposedly my cybersecurity. But they know they can’t do it themselves and it would be too expensive to do it because they went cheap.

[00:04:33]You bought the least expensive option or, close to the least expensive option. So wait, and by the way, cheap in this case means that it’s under $150 per. Person slash workstation per month. That’s what it costs to get this stuff done. So you might be paying 25 or maybe even $50. They can’t do it for that.

[00:04:57] So what do they do? They go to a company like. Now they also have some others. They have what are called arm AMS that keep track of some basic stuff for you, but they go to Garcia and say, okay, Casia we want you to monitor the computers, keep them up to date, et cetera for. Now did I, the widget manufacturer go ahead and hire  to take care of stuff.

[00:05:23] Did Kasiah even do it themselves or did they outsource it? Do I even know the Kaseya exists because it’s really Kaseya that is managing my computers doing. We have, there has a software that doing the upgrade on my computers. This is a real problem because the widget maker, Nope, I didn’t hire KSA. I didn’t even know they existed.

[00:05:49] I trusted my local. Your local guy is not taking care of your cybersecurity. Almost completely guaranteed. There’s very few companies like mine out there that we actually do it ourselves because we have looked at Kaseya. We’ve looked at all of these platforms. Every last one of them has had major problems.

[00:06:12] So here comes Casia with over a hundred thousand customers that gets hacked and distributes the hack to all of its customers that are running some of these on-premise devices that are trying to manage the networks for not Cassias clients, but for KSA as clients, client. Okay. Do you see how this is the level of indirection?

[00:06:35] You see how this is going to affect? This is a huge problem. And Casia not only have we warned some of these companies, like Kaseya about major design flaws in their software, but cause say his own engineers apparently about three years ago, warned Cacia about major design flaws in the software that they were using.

[00:07:01] So they knew about this. They were warned months, if not years in advance about it. So what does it say you do? They’re concerned about profit and features, so they just keep adding features as alleged by their former employees instead of fixing the security problems. Cause it would be too hard to fix, take too long cost too much, and it isn’t going to increase our revenue.

[00:07:26] Are you sitting down? Can you believe this is one of the major operators out there, major operators that is, is behind your manager services provider and your break fix shop that’s who’s doing it out there. So there are probably far more than that this thousand Kaseya clients that have gathered together to try and negotiate the ranch.

[00:07:57] And I got to say, I, I would be extremely disappointed if Kaseya customers didn’t gather together and Sue them in a very big way. Curly sins, people claiming to be former Cacia employees are saying they warned the company about major flaws in their software. And that is what hit all of Cassias customers.

[00:08:24] Customers. This is incredible here. This is a much different style of relationship that companies have typically, right? Yeah. Okay. Law firms they’ll outsource stuff, right? So let’s say there’s some maritime law. They’ll go to a maritime law firm. They’ll outsource it. So yeah, there are some models where this is done, but this is done routinely.

[00:08:49] In the cybersecurity space. It’s not something we do. We stuck our toe toes into that pond and we didn’t like it. We didn’t want our customers to be hurt by this sort of thing. But anyway, there you have it. Okay. There, you have it all about profit and not about you. And by the way, it’s also about how much you’re willing to pay.

Listen to this episode