The Department of Education announced that over 60 US colleges and universities have been hacked through a vulnerability in a popular enterprise resource planning (ERP) system, Banner by Ellucian. Ellucian is a major player in the higher education space. According to its website, over 1,400 different universities and colleges across North America use its product to manage student grades, staff payrolls, course schedules, admissions, and student financial aid.
When you look at the details of this story, it’s a script that we’ve heard again and again:
- In May, a Banner vulnerability is discovered and NIST publishes a public disclosure.
- Ellucian quickly releases a patch to solve the vulnerability.
- It’s July and suddenly, schools are affected.
How is it that schools are still affected by an exploit that was fixed months ago? It’s simple: they couldn’t implement the patch in time.
This is a symptom of something we see all the time in our daily practice as a managed service provider (MSP): an under-resourced IT staff.
It seems like every higher-ed institution we speak with has an IT team doing more with less. It’s always about reducing the number of people and increasing the number of services. This lack of resources causes critical pain points while these organizations struggle to stay ahead. New threats appear, and local IT teams are somehow expected to have the bandwidth and capability to respond.
An alternative to having your local IT team handle everything
This is where partnering with a well-matched managed service provider can make a huge difference to under-resourced teams.
Now, every IT team has a certain number of technologies that are critical to the business and should stay in-house; those aren’t what I’m talking about. For a lot of our higher ed customers like DePaul and NEIU, the ERP is so critical that it isn’t practical to move to a SaaS solution. They have an ecosystem built around that core application that they have to maintain and control.
However, there are many supporting technologies that take away cycles from your team but provide no unique value to your organization. The right MSP provides the ability to shift away a great deal of that multi-disciplinary heavy lifting that plagues local IT teams. That way, they can focus on the technologies that are core to who they are.
It’s surprising how many of these organizations don’t see the risk in having an infrastructure team that is expected to do it all.
If you have a small infrastructure team, maybe one person is responsible for storage and hypervisors (and networking when the networking person is on vacation). Say a new vulnerability in storage is discovered. Well, he or she then has to stop the projects they’re working on, shift their mental headspace into one of the multiple storage platforms you have, do the testing and analysis, make a decision, and schedule it. All of that takes time and is complicated, especially if you’re juggling many priorities.
Put that same problem in front of a managed service provider, and it’s a much smoother trajectory. MSPs are scaled and tooled properly for these problems. In our organization, we have teams of people dedicated to each type of technology, and these teams get these warnings and vulnerabilities all day long. Evaluating these threats, making decisions, and deploying solutions is part of their normal day-to-day role. It happens so often and so fast that staying up to date isn’t even a question.
Last year alone, AWS released over 2,000 updates, features and services. Deft had to analyze each of them and decide whether and how to deploy it. That’s more than one a day. We’re constantly looking at and implementing what’s on the horizon (and that’s across just one specific technology partner). Vulnerabilities like this are nothing new for us, and they’re something that any managed service provider of scale is tooled up to handle. A small team cannot keep up, nor should it be expected to.
By shifting the stuff that’s not critical to your business to an MSP, your IT team can actually focus on handling its core, critical technologies and tasks, like its ERP or maintaining security while migrating to the cloud.
It’s okay to offload the technologies that your business can’t operate without, but where operating them yourself provides no unique value. The only way to avoid becoming a victim of this recurring script is to shift as much responsibility as is reasonable to a group that is scaled to handle it.