The Cybercrime Landscape
The cybercrime industry is thriving, and British industry remains acutely vulnerable to the ever-growing threat, with government figures suggesting that cybercrime on a national level costs around £27 billion annually.
The ways that the UK responds to these threats are myriad. However, government intervention and guidelines can only provide so much for the average organisation looking to secure themselves from cyberattacks. As such, the burden of responsibility often falls on organisations to develop their own policies and measures.
Enter Managed Service Providers
Among these measures is deploying the services of an MSP (Managed Service Provider). This is particularly valuable to organisations that cannot justify the sizable budgets which come with deploying multiple security technologies directly. Using an MSP means smaller organisations can outsource much of their cybersecurity and IT needs. MSPs can provide these services for a fraction of the cost, without an organisation needing to develop their own security infrastructure, and without necessitating multiple costly cybersecurity hires.
As a result, MSPs are a fundamental cog in the cybersecurity ecosystem. They are the middlemen between hundreds of cybersecurity providers and thousands of end-user companies seeking to strengthen their defences. Indeed, 40% of UK businesses use at least one MSP.
However, the expectations of these users have shifted from simply expecting a managed IT provider to expecting an organisation that is also responsible for their security. To further complicate matters, as well as being a cornerstone of the wider business supply chain, MSPs have also become an attractive target for cybercriminals.
In March 2022, research by N-able revealed that 90% of MSPs had suffered a successful cyberattack in the preceding 18 months. To combat these new threats, new regulations have since been introduced, which the following piece will outline.
The New Standards for MSPs to Meet
This added threat profile for MSPs brings risks not only to their data from cyberattacks but also from subsequent regulatory issues. Incoming NIS regulations have expanded to encompass MSP activity: active administration and monitoring of IT systems, infrastructure, network and/or security.
Under the new regulations, MSPs will have a responsibility to put in place baseline security requirements, focused on business continuity, crisis management and strong encryption practices, to name but a few, in addition to supply-chain security. These measures will also be subject to more stringent auditing practices under incoming legislation.
Section 2: How these standards can be met
As we have learned, MSPs are under increasing expectations from their customers and users to take on elements of a security programme in addition to IT infrastructure or management.
However, the first thing that they need to consider is that to provide this, they need to get their own houses in order. As MSPs have potentially hundreds of customers on their books, they are attractive targets for cybercriminals hoping to target not just one organisation, but multiple. Once MSPs have their security under control, they can effectively offer this service to their customers without risking the embarrassment of a security incident themselves.
The mission for MSPs
MSPs need to begin at the beginning, coming back to the three basic pillars of security: people, processes and technology.
They need to ensure that everyone working for them understands the basics of security, and that these basics feed into appropriate processes, so that the not insignificant amounts of data they host remain safe.
A good technology provider can help with both of these things and can ensure that MSPs are held to the same high standards their customers are coming to expect of them. This fits with our concept of ‘complete cyber confidence’: the idea that if you have complete confidence in your own security, then you are in a much stronger position to help clients with their own.