UK Updates Cyber Security Regulations To Include MSPs
The UK Government has just updated its Network and Information Systems (NIS) regulations to bring providers of outsourced IT and managed service providers (MSPs) into scope. The regulations were introduced to improve the cyber security of companies which provide services to the energy, healthcare and transport sectors. Fines of up to £17m could be issued for non-compliance.
Yaron Kassner, CTO and Cofounder, Silverfort, had this commentary:
“The Government’s decision to update these regulations reflects how MSPs present a ripe target for attackers.
“As central points of cybersecurity management for lots of organizations – they provide a jumping-off point for lateral movement inside a large number of environments. As we saw with Operation Cloudhopper – attackers were able to access MSP customers using seemingly legitimate credentials, before moving through the network to exfiltrate data.
“While controls such as MFA on internal resources could technically help address attacks like this, the regulation provides a necessary impetus to ensure MSPs act according to best practice.”
Many clients that I work with use MSPs and they, along with anyone else who uses an MSP, should heed this advice.
This entry was posted on November 30, 2022 at 11:58 am and is filed under Commentary with tags Security.