Security and the digital journey

by Mark Rowe

New laws are being proposed by the UK government to drive security standards in outsourced IT services used by almost all UK businesses. This comes after recent high-profile cyber attacks targeting SolarWinds and Microsoft Exchange Servers, which highlighted vulnerabilities in third-party products and services that can be exploited by cybercriminals, writes Mike Foster, Channel Manager at the anti-virus product company VIPRE.

Trusted advisor

Since 2018, the Network and Information Systems (NIS) Regulations have been in force to improve the cyber security of companies which provide essential services, such as water, energy, transport, healthcare and digital infrastructure. These regulations require such businesses to undertake risk assessments, put in place reasonable security measures to protect their network, and report any significant incidents, whilst having plans in place to recover if an attack occurs. Those who fail to put in place effective cyber security measures can be fined as much as £17m. However, the Government now wants to widen the list of companies that must comply with such measures to include Managed Service Providers (MSPs).

With more businesses undergoing digital transformations and shifting to the cloud, which was accelerated over the pandemic as a means to survive, there has been an increase in dependence on MSPs to act as a business’ trusted advisor to assist them on their digital journey. These IT partners are also crucial in boosting the growth of the country’s £150.6 billion digital sector, and therefore play a monumental role in the economy.

Outsourced IT services should create a solid cyber security strategy for the businesses who choose them. Security standards, therefore, should be high – especially to keep up with an ever-developing cybersecurity market and the new methods and tactics that hackers are constantly evolving. As highlighted in the Government’s recent announcement: “Every UK organisation must take their cyber resilience seriously as we strive to grow, innovate and protect people online.” Additionally, outsourced IT providers have the knowledge, skills and solutions that businesses can leverage to keep their data, networks and users safe.

By partnering with an established MSP who can act as an external security partner to help businesses achieve cyber resilience, the pressure and responsibility of defending the business against cyber threats will lie with the expert. This creates a unique opportunity for MSPs to guide customers on their cybersecurity journey and ensure they are receiving relevant education and have the right technology and tools in place to protect their businesses. By identifying the gaps in their cyber needs, or allowing an MSP to make these judgments, a strong infrastructure can be built upon the business’ existing setup.

Reporting incidents

Other published proposals include improving the way organisations report cyber security incidents and reforming legislation so that it is more flexible and can react to the speed of technological change. This is especially timely given the increase in ransomware attacks, particularly during the peak of COVID-19, which saw twice as many ransomware attacks occur – taking advantage of remote workers being away from the help of IT teams, and of the businesses that pay the ransom fee, such as in the Colonial Pipeline attack, where the cyber-criminal group DarkSide were paid nearly $5m (£3.6m) in ransom.

If a ransomware attack were to take place, it is important that the organisation works with local authorities to try to rectify the issue and follow their guidance. Often, many ransomware attacks go unreported – and this is where a lot of criminal power lies. Prevention is always better than cure, and damage limitation and containment are important right from the outset. Most organisations should have a detailed disaster recovery plan in place and if they don’t, they should rectify this immediately. The key to every disaster recovery plan is backups. Once the breach has been contained, businesses can get back up and running quickly and relatively easily, allowing for maximum business continuity.

As soon as the main threat has passed, it is recommended that all organisations conduct a full retrospective audit, ideally without blame or scapegoats, and share their findings and steps taken with the world. Full disclosure is helpful – not only for customer, client or patient reassurances, but also for other organisations to understand how they can prevent an attack of this type being successful again.

Equipping businesses

The UK Cyber Security Council, which regulates the cyber security profession, also needs powers to raise the bar and create a set of agreed qualifications and certifications so those working in cyber security can prove they are properly equipped to protect businesses online.

With security breaches showing no signs of slowing down, MSPs must be constantly vigilant and develop cyber resilience approaches that go beyond deploying security solutions. This means having not only the market-leading technology available, but also the technical expertise to support business security plans and growth. MSPs must take a proactive role in understanding the current state of a customer’s ability to protect against, prevent and respond to modern cyber threats when recommending the best approaches to true cyber resilience. Have they engaged in phishing penetration testing? Is sending an email to the wrong person an embarrassing mistake or a data breach? Are they using a layered and dedicated security approach or settling for security as part of a broader ‘cloud services’ package? These are just some of the key questions MSPs should be asking when they look to fulfil their trusted advisor role.

Conclusion

MSPs have privileged access to their clients’ networks and systems, potentially enabling attackers to attack a wide range of organisations through a single breach. This is why it’s of the utmost importance for all outsourced IT providers to understand the role they play in keeping business data secure, while also educating their customers on how to become more cyber resilient. Combining MSP knowledge and expertise with government-backed credentials should surely be a winning formula for the IT security industry and enable MSPs to prove to their clients they have what it takes to keep their businesses secure.
