How should MSPs respond to new cyber incident reporting requirements?

Managed Service Providers are a significant and attractive target, both for cybercriminals and for state-sponsored attackers.

In the UK, the high-profile attack on the National Health Service via its MSP, Advanced, prompted the government to hold multiple emergency meetings due to its widespread impact and threat to patient safety. In response to this, and the wider growth of the cyber threat landscape, British lawmakers have unveiled new and significant reporting requirements.

In simple terms, the new cyber resilience legislation aims to set minimum security standards and compels MSPs to disclose cyber incidents, with failure to comply potentially leading to fines of up to £17 million. Essential services such as energy, health and transport are already subject to similar incident reporting requirements through the Network and Information Systems (NIS) Regulations. By extending this to MSPs, the government is seeking to drastically increase the UK’s broader resilience to cyber threats.

The repercussions of NIS for MSPs in 2023

So, what does this regulation mean for MSPs operating in the UK today?

Today, cybercrime is a global industry. Each year, an estimated £1.2 trillion of profit is generated through organised cybercrime, activity that is predicted to cost the world $10.5 trillion annually by 2025, a more than threefold increase in the space of a decade. The risk of a breach isn’t going anywhere, and MSPs, like all businesses, really do need to understand that.

It makes perfect sense to impose regulatory compliance on MSPs around managing risk. There are vast numbers of MSPs out there, both large and small, who are truly too lax when it comes to managing information security. It’s disturbing, but many won’t even realise where their holes are; we see it day in, day out when onboarding clients from other MSPs. Many just don’t get it, and very few actively and effectively run an Information Security Management System (ISMS) such as ISO 27001.

It takes a significant overhead to actively manage and control risk. The technologies to do it properly are of course expensive, but you also need skilled and dedicated resources, such as a CISO, which are beyond the reach of smaller MSPs and often seen as too expensive by many in the mid-market.

Having external regulators with teeth is a good thing. It’s protecting everyone, even the MSPs themselves.

How MSPs can prepare for the changes

MSPs, like any other business, simply need to understand that they are going to have to manage risk properly, rather than simply looking at technology or getting Cyber Essentials Plus certified, which, I’ll add for the record, isn’t an adequate standard for an MSP. They need to start actively running an ISMS, truly investing time and resources to ensure they are doing the right things by their organisations and their clients.

Generally, ISO 27001 is a good place to start. It’s a decent and comprehensive standard which is recognised internationally. If it is implemented and run correctly, MSP leadership can sleep easier at night. I say “run correctly” because many implementations of ISO 27001 are done just to get the badge and are not run with true focus.

It’s also important that MSPs know how to handle a breach within their own businesses. It’s common for them to believe they know the tech and have the experience to recover their own environment quickly. However, it’s really important that the MSP has a clear plan for how to undertake an incident response in its own environment; the process needs to be mapped out in advance, just like a business continuity plan. In fact, as with a business continuity plan, they need to test their response at least annually. It can be hard to remember process and detail when your whole world is falling apart.

Of course, technical controls play their part, and beyond the basics most MSPs will be, or should be, managing the vulnerabilities in their own environments through an effective and continuous vulnerability management programme. They also need controls both at the gate and internally, so that if their environments are breached, lateral movement is stopped and the attack can be tracked. Generally, all MSPs must have effective XDR, delivered by themselves or a third party, including log monitoring, network monitoring and effective next-generation endpoint protection.

MSPs should also take the necessary steps to ensure that their employees are fully trained on security policies and equipped with the relevant resources to comply with reporting standards. The educational piece is essential, not least because 95% of all cybersecurity issues worldwide can be traced to some form of human error. It’s easy for an MSP to overlook those staff in the business who aren’t technical yet have privileged access to its own systems and also to those of clients.

The impact on clients

For small and midsized businesses – the typical customers of MSPs – the growing cyber threat is a big cause for concern.

Many such firms will feel as if they have a target on their backs because they are, generally speaking, lower-hanging fruit for cybercriminals when compared with blue-chip enterprises with large security resources.

And with cybercrime activity on the increase and attacks becoming more frequent, it will be even more imperative for MSPs to strengthen their security postures, not only to protect clients but also to avert the risk of being fined and ultimately shamed. Additionally, customers of MSPs will need reassuring that their assets are fully protected. This will require close and frequent dialogue, as well as full transparency in the event of any incidents occurring.

With new regulations on the horizon, the ability of MSPs to report on cybercrime has never been more relevant or necessary. With the volume of attacks continuing to rise, these firms must implement appropriate security measures and controls, and be willing to be audited by external parties. Working to controlled standards is a good thing, and it is now necessary and unavoidable, even if the NIS changes fail to come to pass.
About the Author

Robert Rutherford is CEO at QuoStar. QuoStar is your full-service IT provider. We have been helping mid-market and growth businesses to achieve ambitious goals since 2005 through specialist IT support, consultancy, cloud and security services. Our team of IT industry experts help businesses become more effective, productive and secure by using proven processes and appropriate technologies. We endeavour to be your trusted partner, working with you to deliver your operational and strategic objectives.