Critical Vulnerabilities in Kaseya and McDonald's Chatbot Highlight MSP Security Risks

A recent report by Auvik reveals significant challenges faced by managed service providers (MSPs), highlighting issues such as tool sprawl, burnout among IT professionals, and the increasing reliance on IT generalists. The report indicates that 50% of MSPs use over ten tools to manage client networks, with many professionals experiencing high levels of stress and burnout. The ongoing retirement of baby boomers in the IT sector exacerbates these issues, leading to a demand for specialists who can assist generalists in navigating the complexities of technology. Key areas of interest for IT professionals include cybersecurity planning and cloud computing, as they seek to enhance productivity and user experience.

In addition to the challenges faced by MSPs, two significant cybersecurity incidents have come to light. Kaseya's Network Detective tool was found to have critical vulnerabilities that could expose sensitive data across managed environments. Similarly, a flaw in McDonald's chatbot job application platform compromised the personal information of over 64 million applicants due to weak security measures. These incidents underscore the importance of robust vendor security practices, as clients often hold their MSPs accountable for data breaches, regardless of the source.

The podcast also discusses the ongoing struggle for right-to-repair legislation, which has seen limited enforcement despite public support. A report indicates that many products lack accessible repair materials, and manufacturers continue to resist changes that would facilitate repairs. This situation presents an opportunity for service firms to incorporate repairability into their procurement strategies and asset management services, aligning with client values around sustainability and cost control.

Finally, Cynomi has launched new tools aimed at enhancing business impact analysis and continuity planning for cybersecurity professionals. These tools are designed to help MSPs communicate the business value of cybersecurity to leadership, shifting the perception of security from a cost center to a value driver. The success of these initiatives will depend on MSPs' ability to integrate these features into their service delivery, ultimately positioning them as strategic partners who understand both technology and business needs.

 

Four things to know today

 

00:00 Auvik Report Warns MSPs of Tool Sprawl, Talent Drain, and Rising Burnout

04:10 Kaseya and McDonald’s Incidents Reveal Fragile Trust in Vendor Security Practices

07:01 Manufacturers Withhold Parts, Manuals Despite State-Level Repair Rights Legislation

08:40 Cynomi Adds Business Impact and Continuity Planning Tools to Help MSPs Drive Strategic Outcomes

 

This is the Business of Tech.

 

Supported by: https://getflexpoint.com/msp-radio/

 

ThreatDown Webinar: https://bit.ly/threatdown

 

 


[00:00:02] It's Monday, July 14th, 2025, and I'm Dave Sobel for Four Things to Know Today. Auvik highlights tool sprawl, burnout, and the IT generalist squeeze pressuring MSPs. Kaseya and McDonald's expose critical vendor vulnerabilities that could ripple across client environments. Right-to-repair laws stall in enforcement, keeping service providers on the hook. And Cynomi launches new tools framing cybersecurity as a business value driver. This is the Business of Tech.

[00:00:32] A recent report by Auvik highlights significant challenges faced by managed service providers and outlines five key takeaways for improvement. The report indicates that 50% of MSPs utilize 10 or more tools to manage client networks, with 44% citing a lack of real-time visibility as a major barrier to effective network monitoring. Furthermore, the report reveals that 60% of IT professionals experience moderate to high levels of burnout,

[00:00:59] and 78% face barriers to upskilling due to stress and workload. The ongoing shortage of skilled workers in the IT sector has led to a growing reliance on IT generalists, who must possess knowledge across a wide range of functions. More data from Auvik highlights that as many as 10,000 baby boomers are expected to retire daily until 2030, exacerbating workload issues and increasing burnout among remaining IT professionals.

[00:01:25] Currently, 42% of baby boomer IT workers report working over 40 hours a week, compared to just 29% of Generation Z professionals. The report emphasizes that with the increasing complexity of technology and tools, IT generalists are in need of specialist advisors to assist with strategic outcomes and enhance productivity. Key areas of interest for IT professionals include cybersecurity planning, cloud computing, and researching new technology to improve user experience.

[00:01:53] More broadly, small business optimism remains steady despite rising tax concerns, according to the National Federation of Independent Business's latest Small Business Optimism Index report, which shows a slight dip to 98.6% in June, just above the 51-year average of 98. While small business sentiment is stable, challenges persist, particularly in inventory management and labor market conditions.

[00:02:19] The report highlights that 36% of business owners reported job openings they could not fill, reflecting ongoing difficulties in finding qualified applicants. Additionally, 12% of owners indicated their inventory levels were too high, which can strain cash flow. NFIB Chief Economist Bill Dunkelberg emphasized that taxes continue to be the top concern for small business owners, impacting strategic decision-making across various industries. Why do we care?

[00:02:50] Those who succeed will aggressively address tool bloat and visibility gaps, invest in automation to counter workforce strain, and pivot from tactical support to strategic advisory services. Providers don't need more tools, but platform consolidation isn't easy. Providers could trade tool sprawl for single-vendor dependency, which carries its own risks.

[00:03:12] For small business clients, the steady optimism creates a window for MSPs to sell efficiency and resilience, not just cost savings. But time is short. The convergence of talent drain and client price sensitivity demands action before these pressures erode trust and margins. This episode is supported by FlexPoint. Managing cash flow can be tough for managed service providers.

[00:03:38] FlexPoint's working capital solution is designed to bridge the gap between invoicing and payment, giving providers access to funds when they need them. With quick approvals and flexible terms, it helps cover expenses, invest in growth, and maintain financial stability. Keep your operations running smoothly with FlexPoint. Visit getflexpoint.com slash MSP dash radio to learn more. Select Heard It on the Business of Tech or MSP Radio.

[00:04:06] You'll get 10% off. Two cyber incidents to discuss. Kaseya's Network Detective tool has been found to contain two critical vulnerabilities that may endanger managed service providers and their clients. These flaws, identified by the cybersecurity firm Galactic Advisors, involve the insecure storage of administrative passwords in plain text and the use of weak encryption methods, potentially exposing sensitive data across managed environments.

[00:04:35] Cody Kretzinger, a principal security advisor at Galactic Advisors, emphasized the urgency for managed service providers to update their instances of Network Detective to the latest version and eliminate any logs related to vulnerable versions. Failure to act could allow malicious hackers to exploit these vulnerabilities, gaining unauthorized access to high-level accounts.

[00:04:56] Jim Lippie, Kaseya's chief product officer, acknowledged the partnership with Galactic Advisors in addressing these issues, highlighting the importance of collaboration in the ecosystem. A recent cybersecurity incident has revealed that a vulnerability in McDonald's chatbot job application platform exposed the chats of more than 64 million job applications across the U.S.

[00:05:18] Security researchers Ian Carroll and Sam Curry discovered that the platform, known as McHire, utilized weak default credentials, a password of 123456, allowing unauthorized access to sensitive applicant data. The researchers found that by manipulating a simple parameter in the platform's API, they could access full chat transcripts and personal information of applicants.

[00:05:42] This type of vulnerability, known as insecure direct object reference, highlights serious flaws in the platform's security measures. Following the incident, McDonald's quickly acknowledged the issue and worked with a platform provider, Paradox.ai, to implement necessary fixes. Paradox.ai confirmed that the vulnerability has been mitigated and that they are conducting a systems review to prevent future occurrences. Why do we care?

[00:06:06] Network Detective is widely used by providers for network assessments and audits, exactly the kind of tool that requires access to sensitive credentials and client environments. Storing admin passwords in plain text and using weak encryption puts entire client ecosystems at risk if exploited. One should question how this happens. Yet remember, it happens in all sizes. McDonald's 123456 password shows it's not about size.

[00:06:32] Both cases reinforce that MSPs are deeply exposed to upstream vendor security practices. Clients rarely distinguish between vendor and provider when data is compromised. They hold their MSP responsible. Clients may resist discussions about these risks unless tied to a direct business impact, making it hard for providers to justify investing time in vendor due diligence. That said, this is where MSPs need to spend some of their time.

[00:07:00] One of the topics I've been covering on the show for years has been right to repair. Despite the passage of numerous state laws promoting the right to repair, many industries continue to resist meaningful change. A report by U.S. Public Interest Research Group found that among 25 products evaluated across categories such as dishwashers, phones, and gaming devices, nearly 40% received a grade of D or F, indicating a lack of accessible repair materials.

[00:07:27] The report highlighted that 48% of the products lacked repair manuals, and 44% did not have spare parts available. While states like Washington have enacted right to repair legislation with broad public support, enforcement remains a significant issue. Most companies have not adjusted their practices, and there have been no notable repercussions for violations undermining the potential impact of these new laws. Now, why do we care?

[00:07:55] The persistence of manufacturer resistance signals that right to repair will remain a long-term structural issue, not a near-term fix. For services firms, the strategic play is to bake repairability considerations into procurement guidance and asset lifecycle management services. Helping clients choose vendors who support repairability, or negotiating service-level agreements that account for those risks, can differentiate.

[00:08:20] On the advocacy front, this is also an opportunity to align with client values around sustainability and cost control. But be realistic. Until enforcement mechanisms gain teeth, service providers should plan for ongoing workarounds and factor the lack of repairability into total cost-of-ownership calculations for client devices. Cynomi has launched new features for business impact analysis and business continuity planning.

[00:08:48] These are aimed to empower cybersecurity professionals by streamlining risk management, ensuring that security efforts align with mission-critical business processes. The new capabilities allow service providers to develop data-driven continuity plans without relying on traditional spreadsheets, which can often be cumbersome and complex. David Primor, co-founder and CEO of Cynomi, emphasized that these tools not only enhance security strategies, but also help communicate the business value of cybersecurity to organizational leadership.

[00:09:17] Why do we care? It's a smart move by Cynomi that aligns perfectly with the IT services industry's transition towards offering strategic outcomes. By equipping MSPs and vCISOs with tools to quantify and communicate the business impact of cybersecurity, Cynomi is helping shift security from a cost center to a value driver. However, success will depend on whether MSPs can operationalize these features into their service delivery,

[00:09:45] turning them into structured assessments, regular client reporting, and actionable roadmaps. The ones who do will be in a stronger position to win and retain clients looking for partners who understand the business, not just the technology. Are you ready to get your brand in front of the tech leaders shaping the future of managed services? Here at The Business of Tech, we offer flexible sponsorship opportunities to meet your needs,

[00:10:11] whether it's live show sponsorship, podcast advertising, event promotion, or custom webinars. From affordable exposure options to exclusive sponsorships, our offerings are designed to fit businesses and vendors of all sizes looking to make an impact. Prices start at just $500 per month, making our packages a fraction of typical event sponsorship costs. Be a part of the conversation that matters to IT service providers worldwide.

[00:10:41] Join us at MSP Radio and amplify your message where it counts. Visit mspradio.com slash engage today to explore all the ways we can help you grow. Thanks for listening. It's National Mac and Cheese Day. It's National Tape Measure Day, which can't hold up to that one. National Grand Marnier Day might have a shot, but National Mac and Cheese Day. Join me this Wednesday, July 18th for a webinar sponsored by ThreatDown,

[00:11:11] AI's Dark Side, What Every MSP Needs to Know. Visit bit.ly slash ThreatDown to register now. The Business of Tech is written and produced by me, Dave Sobel, under ethics guidelines posted at businessof.tech. If you've enjoyed the show, make sure you've subscribed or followed on your favorite platform. It's free and helps directly. Give us a review, too.

[00:11:35] If you want to support the show, visit patreon.com slash MSP Radio and you'll get access to content early. Or buy our Why Do We Care merch at businessof.tech. Have a question you want answered? We take listener questions, send them in, ideally as a voice memo or video to question at MSP Radio.com. I answer listener questions live on our Wednesday live show on YouTube and LinkedIn.

[00:12:02] If you've got a comment or a thought on a story, put it in the comments if you're on YouTube or reach out on LinkedIn if you're listening to the podcast. And if you want to advertise on the show, visit MSP Radio.com slash engage. Once again, thanks for listening and I will talk to you again on our next episode. Part of the MSP Radio Network.