With the ever increasing number of cyber attacks resulting from vulnerabilities within the supply chain, the UK Government is planning to widen the scope of the NIS Regulations to include Managed Service Providers (MSPs). This blog takes a look at the specifics and what this all means for MSPs in the UK.
What are the current NIS Regulations?
The UK Network and Information Systems (NIS) Regulations 2018 derive from EU law and were enacted into law in May 2018. They aim to set a high level of cyber security for providers of critical infrastructure and essential services, and they provide a legal framework under which service providers can be held liable for non-compliance, with fines of up to £17M depending on the severity of the impact or potential impact.
This means that companies that provide services essential to the UK’s security have to ensure their systems are adequately protected and resilient to cyber threats that could compromise the data they store and process, which makes a lot of sense when you consider breaches like the 2017 WannaCry ransomware attacks that hit the NHS so badly.
Currently the 2018 NIS Regulations apply to:
- Operators of Essential Services (OESs), covering:
  - drinking water
  - digital infrastructure (e.g. DNS providers and TLD registries)
- Relevant Digital Service Providers (RDSPs), grouped into:
  - online search engines
  - online marketplaces
  - cloud computing
It is important to note that the regulations do not currently apply to micro or small enterprises, defined by the EU Commission as having fewer than 50 employees or less than EUR 10M turnover.
You can read the full details in The Network and Information Systems Regulations 2018 legislation PDF.
How are the NIS Regulations changing?
The frequency and severity of cyber breaches continue to be a major concern, and the UK Government is taking steps to strengthen the existing regulations. Early in 2022, the Government launched a public consultation on its plans to expand and enhance the NIS Regulations.
The European Union has already updated its own cybersecurity regulations with the NIS2 Directive which extends the scope to cover more sectors, has stricter reporting requirements, and interestingly aligns the fines with those imposed for GDPR. It requires Member States to implement these by October 2024.
The UK Government is taking its own path with its NIS changes, wanting to ensure they are in line with its vision for the UK to become a global cyber power. The timeframe for changes is less clear, but they are expected sometime in 2024.
Common to both NIS2 and the UK’s proposed changes is an expanded scope that includes Managed Service Providers (MSPs). This recognises the fact that managed services have become essential to their customers’ operational and business continuity, and the use of managed services has increased significantly in recent years. MSPs are now being viewed as essential service providers by the UK Government.
The Supply Chain risk
MSPs are a particularly attractive target for cybercriminals due to the privileged access that MSPs have to their customers’ networks. A breach of an MSP offers an easy route to compromising a wide number of companies. More broadly these types of attacks are known as Supply Chain Attacks, and there have been many notable examples in recent years.
In 2020 a major supply chain attack was discovered that targeted SolarWinds’ Orion software which provides IT monitoring and management capabilities. The attackers compromised SolarWinds’ software updates, allowing them to distribute a backdoor known as Sunburst to thousands of SolarWinds’ customers. This breach affected many high-profile targets, including several US federal agencies.
In 2021 Kaseya, a major software vendor for MSPs, was hit by a zero-day exploit in their Virtual Administrator (VSA) product, which is used for remote monitoring and management of IT networks and endpoints. The attackers were able to deliver ransomware to MSP clients, affecting thousands of organisations globally, including schools, small businesses, and local governments.
In January 2022, Jetpack security researchers discovered suspicious code in a popular WordPress plugin by AccessPress Themes. Further investigation revealed that AccessPress Themes’ website had been breached in September 2021, with 40 themes and 53 plugins injected with a backdoor, giving threat actors full access to websites that used the compromised software - estimated at around 360,000 websites.
The prevalence of news about supply chain attacks will be filtering into the consciousness of CISOs and board members, and it can be expected that companies will take a closer look at their suppliers, in particular their IT service providers.
Business opportunities for MSPs
MSPs provide essential services to millions of businesses across the UK. According to the UK Government’s Cyber Security Breaches Survey 2022, around 40% of businesses used an MSP, rising to 65% for medium-sized firms and 72% for large businesses. As businesses increasingly rely on technology to operate, the use of MSPs is likely to continue to grow in the UK and globally.
Given the increase in ransomware and security breaches, SMEs need security expertise more than ever, but since they are often unable to support an in-house cyber security capability, they are increasingly turning to their MSP for a managed security service.
The Managed Service Provider (MSP) market is highly competitive, with low profit margins being a common feature. Therefore, managed security services can offer significant business opportunities for MSPs seeking to differentiate themselves and secure customer loyalty. By providing robust and effective cybersecurity solutions, MSPs can increase revenue from existing customers and attract new ones. With businesses increasingly prioritizing cybersecurity, offering managed security services is becoming an increasingly important strategy for MSPs to remain competitive in the market.
With the inclusion of MSPs in the scope of the NIS Regulations, and the prevalence of supply chain attacks, the spotlight is increasingly being shone on MSPs. They need to have appropriate cybersecurity measures in place to protect their own networks and the networks of their customers. However, alongside this increased expectation from customers, there are also significant business opportunities for MSPs.