UK Updates Cyber Security Regulations To Include MSPs

The UK Government has just updated their Network and Information Systems (NIS) regulations in order to bring providers of outsourced IT and managed service providers (MSPs) into scope. The regulations were introduced to improve the cyber security of companies which provide services to the energy, healthcare and transport sectors. Fines of up to £17m could be issued for non-compliance.

Yaron Kassner, CTO and Cofounder of Silverfort, had this commentary:

“The Government’s decision to update these regulations reflects how MSPs present a ripe target for attackers.

“As central points of cybersecurity management for lots of organizations – they provide a jumping-off point for lateral movement inside a large number of environments. As we saw with Operation Cloudhopper – attackers were able to access MSP customers using seemingly legitimate credentials, before moving through the network to exfiltrate data.

“While controls such as MFA on internal resources could technically help address attacks like this, the regulation provides a necessary impetus to ensure MSPs act according to best practice.”

Many clients that I work with use MSPs, and they, along with anyone else who uses an MSP, should heed this advice.
