What MSPs Should Change After Ticketmaster and United Healthcare Cyberattacks

The recent Ticketmaster cyberattack reportedly breached 500 million customers, including me and probably you, too, because we all have bought a ticket for some type of entertainment.

The UnitedHealth Group cyberattack is reported to have made victims of one-third of the U.S. population.

What appears to be common in both breaches is the inexcusable failure to secure online systems with multifactor authentication (MFA), which I assume may soon become a criminal offense if all the frustrated federal and state lawmakers have anything to say about it.

Attacks on third-party platforms are becoming more common. Ticketmaster had its data stored at Snowflake, a cloud storage provider that has denied responsibility for the attack. Ticketmaster has been sued for negligence considering they lost 500 million records that were not protected by MFA. Since the U.S. population is 333 million people, expect regulators from around the world to also go after Ticketmaster.

It’s obvious that these huge organizations don’t work with MSPs, but there are lessons you can learn from these incidents—and opportunities you can capitalize on.

Hot Water Gets Hotter

Ticketmaster is already in hot water with the federal government. The Justice Department sued its parent company, Liberty Media, for antitrust allegations because it owns both Ticketmaster, which has a large share of the ticketing business, and LiveNation, which owns arenas and represents entertainers. By having a lock on the acts, the arenas, and the ticketing systems and prices, Liberty Media is charged with eliminating competition.

Liberty Media also owns Formula One racing and is being investigated by the U.S. Congress for its anti-competitive behavior by denying Andretti Global entry into Formula One Racing. Its 2023 revenue was $49.4 billion.

Change Healthcare is the nation’s largest healthcare financial clearinghouse, processing over 15 billion transactions per year to transfer money from health plans to medical providers. UnitedHealth Group, which had $372 billion in 2023 revenue, owns Change Healthcare.

After the breach, which brought their systems down for six weeks, the CEO of UnitedHealth testified in front of a U.S. Senate committee that they had not implemented MFA on their externally facing Citrix servers, even though they had a policy requiring it.

Time To Look At What You’re NOT Managing For Your MSP Customers

I am old enough to remember when everything that touched a computer had to be touched by my MSP company. I also served as the chief information officer for a hospital and a K-12 school district back when my IT departments touched every device and software program.

When cloud-based software-as-a-service (SaaS) tools came along, suddenly department-level managers and individuals went online, purchased new tools, and managed them from within their departments. These included payroll and HR management systems; electronic health record systems; law firm case management systems; file sharing systems like Dropbox, Box, and MOVEit; customer relationship management (CRM) systems; and other types of cloud services that stored some of the organizations’ most sensitive and regulated data. The IT professionals responsible for cybersecurity—in-house staff and MSPs—lost visibility into those systems, how they were configured, and who had access to them.

Most MSPs I know say they are responsible for their clients’ cybersecurity, but when I ask about their clients’ payroll system, Salesforce, file sharing tools, and line-of-business software delivered through the cloud, they admit they are only responsible for the local network, end-user devices, and Microsoft 365.

Capitalize On Breach Headlines Now To Add More Cybersecurity Services

The large breaches in the news are your opportunities—while everyone is paying attention—to broaden your services (and charge more) for evaluating the cybersecurity of your clients’ cloud-based services that you don’t manage.

You can assess these systems to see if:

  1. MFA is installed.
  2. Users are uniquely identified, a requirement both for cybersecurity and compliance.
  3. The user list includes only current personnel authorized to access the sensitive data (when was the last time anyone looked at that list?).
  4. Activity logs are enabled so that activity is being tracked, and logs are being retained as required by regulations.
  5. They meet the requirements in the client’s cyber insurance policy for MFA, encryption, and access management.
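As an added example (not part of the original article), checks 1 through 3 can be run against a user export from the SaaS admin console, compared with the client's current roster. The CSV column names, the shared-account name list, and the 90-day stale-login threshold are assumptions for illustration; the sample data is constructed.

```python
import csv
import io
from datetime import date

# Constructed sample: user export from a hypothetical SaaS admin console.
SAAS_EXPORT = """email,mfa_enabled,last_login
alice@example.com,true,2024-06-01
bob@example.com,false,2024-05-28
frontdesk@example.com,true,2024-06-02
carol@example.com,true,2023-11-15
dave@example.com,true,
"""

# Constructed sample: current personnel authorized for this system (from HR).
AUTHORIZED = {"alice@example.com", "bob@example.com"}

# Assumption: these local parts indicate a shared login, not a unique person.
SHARED_NAMES = {"admin", "info", "frontdesk", "billing", "office", "support"}


def audit_users(export_csv, authorized, today, stale_days=90):
    """Return {email: [findings]} for every account with at least one finding."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_csv)):
        email = row["email"].strip().lower()
        issues = []
        if row["mfa_enabled"].strip().lower() != "true":
            issues.append("no_mfa")              # checklist item 1
        if email.split("@")[0] in SHARED_NAMES:
            issues.append("shared_account")      # checklist item 2
        if email not in authorized:
            issues.append("not_on_roster")       # checklist item 3
        raw = row["last_login"].strip()
        if not raw:
            issues.append("never_logged_in")     # provisioned but unused
        elif (today - date.fromisoformat(raw)).days > stale_days:
            issues.append("stale_login")
        if issues:
            findings[email] = issues
    return findings


if __name__ == "__main__":
    report = audit_users(SAAS_EXPORT, AUTHORIZED, date(2024, 6, 10))
    for email, issues in report.items():
        print(f"{email}: {', '.join(issues)}")
```
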

You can analyze network traffic to see if unauthorized cloud services, like Dropbox or personal Gmail, are being used by malicious insiders to steal company data or by well-intentioned users who don’t understand the security risks.
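The traffic review described above, as an added example that is not part of the original article: it totals bytes sent per user to watchlisted cloud services that the client has not sanctioned. The four-field log format, the watchlist, and the sanctioned set are assumptions for illustration, and the log lines are constructed.

```python
from collections import defaultdict

# Constructed sample proxy log: timestamp user dest_host bytes_sent
PROXY_LOG = """\
2024-06-10T09:01:12 jsmith www.dropbox.com 18234
2024-06-10T09:01:40 jsmith content.dropboxapi.com 524288000
2024-06-10T09:05:03 mlee mail.google.com 40960
2024-06-10T09:07:19 mlee outlook.office365.com 120000
2024-06-10T09:09:55 jsmith client.dropbox.com not-a-number
2024-06-10T09:12:31 akhan box.com 2048
"""

# Assumption: illustrative watchlist (domain suffix -> service) kept by the MSP.
# Hostname alone cannot tell personal Gmail from a corporate Google Workspace
# mailbox, so list Gmail only for clients that do not use Workspace.
WATCHLIST = {
    "dropbox.com": "Dropbox",
    "dropboxapi.com": "Dropbox",
    "mail.google.com": "Gmail",
    "box.com": "Box",
}


def service_for(host, watchlist):
    """Match on a DNS label boundary so www.dropbox.com is not counted as box.com."""
    host = host.lower().rstrip(".")
    for suffix, name in watchlist.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    return None


def unsanctioned_uploads(log_text, watchlist, sanctioned, min_bytes=0):
    """Sum bytes sent per (user, service) for watchlisted, unsanctioned services."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip malformed lines instead of aborting the review
        _, user, host, sent = parts
        service = service_for(host, watchlist)
        if service and service not in sanctioned:
            totals[(user, service)] += int(sent)
    return {k: v for k, v in totals.items() if v >= min_bytes}


if __name__ == "__main__":
    for (user, svc), sent in unsanctioned_uploads(PROXY_LOG, WATCHLIST, {"Box"}).items():
        print(f"{user} -> {svc}: {sent} bytes sent")
```
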

Helping business owners and executives by expanding your services brings them value far beyond your current scope to secure the local network. Assessing and securing department-level SaaS tools allows you to charge your existing clients more by helping them secure all their data—wherever it is.

This can protect your clients against regulatory penalties and lawsuit settlements that can cost millions of dollars, far more than your increased fees.

Mike Semel, “The Complianceologist,” is president of Semel Consulting. He is a CMMC Certified Assessor, CMMC Certified Professional, CMMC Registered Practitioner, Certified Security Compliance Specialist, Certified HIPAA Security Professional, Certified Business Continuity Professional, and a Certified Cyber Resilience Professional. semelconsulting.com


