Do they want regulation? The MSPs we’ve talked to say they welcome it if it helps prevent disaster.
The UK government is reflecting on a new cybersecurity framework for MSPs to prevent third-party attacks.
MSPs have become an increasingly common target for cybercriminals, because attackers can use a single compromised MSP as a point of access to the sensitive data of all of its customers.
In 2020, the US Secret Service warned of an increase in these attacks. It noted that criminals take advantage of compromised MSPs to carry out a range of attacks, including point-of-sale intrusions, business email compromise (BEC), and ransomware.
Elsewhere, ConnectWise’s Perch Security recently predicted “the first moves by government and insurance providers to regulate the MSP industry.” The company warned that MSPs were facing an increase in “Buffalo Jumps,” a new tactic in which cybercriminals hold both a service provider and many of its customers to ransom at once.
The UK government is now testing the suitability of a proposed cybersecurity framework for MSPs.
The proposals could require MSPs to adhere to a set of 14 cybersecurity principles called the Cyber Assessment Framework. The framework sets out measures that organizations must take, such as having policies to protect devices and prevent unauthorized access. It would also require them to ensure that data is protected at rest and in transit. In addition, it advocates maintaining secure and accessible data backups, training staff, and pursuing a positive cybersecurity culture.
MSPs welcome the movement
UK MSPs have welcomed the proposed cybersecurity framework.
Rick Gray is the Sales Director of MSSP Cyberfit. The company acts as an adviser to MSPs that have no security experience, adding security protection to any offering the MSP hosts for its end customers.
Gray strongly believes that the government should implement the new framework, as “too many of these MSPs are doing the bare minimum. They believe that offering antivirus is enough: it’s just a checkbox exercise. They say it’s safe when it is not.
“We had a customer who hosted an Exchange service for one of their clients and who wasn’t doing the right patch level. So the customer got hit by the recent Exchange attacks. It’s a fantastic thing that the government is bringing these parameters to the MSPs. There is too much to get out of it,” he said.
Joanne Ballard, Maintel’s director of customer experience, believes that central regulation will benefit both suppliers and customers. She said it would provide “peace of mind to the end user working with a trusted provider.”
Reinventing the wheel?
Mark Herridge, CISO of Calligo, states that the cyber assessment framework “is clearly a step in the right direction.”
However, he points out that “there is little, if anything, new … that is not already covered by the established certifications.
“They are well recognized not only by the industry, but also by end-user organizations. We see a growing number of potential customers openly favoring MSPs with these credentials.”
He also said some customers even require their MSP to comply with the customers’ own data security agreements, which are usually based on the principles of ISO, SOC and similar standards.
Instead of reinventing the wheel, Herridge said it would be better for the government to take another route. It could do so “simply by stipulating that MSPs must obtain and maintain these globally recognized certifications. If you were a potential customer, you would not hire [an MSP] which did not have ISO 27001 at least.”
Claudio Stahnke is a senior research analyst for European Security at IDC. He said the UK was “definitely moving in the right direction,” and noted that the recent Colonial Pipeline hack has shown how vulnerable supply chains can be in the face of cybersecurity breaches.
Stahnke said the rapid growth of IT security means that MSPs often provide cybersecurity services even when they are not specialists. Still, he said “creating a framework that IT vendors will have to follow will certainly help improve and level the field.”
He said this is necessary “in a world where the race between hackers and defenders continues to rise.”