The MSP market has been growing for years, the simple truth is that it is more cost effective to outsource IT support to a company that focuses on delivering professional support to businesses, leaving businesses to focus on what they are best at.
As a result, MSPs and the toolsets they use to support their end users have been targets for attackers for a while, but with a few high-profile incidents recently, such as the Kaseya attack last year, it has brought the issue into focus for many governments around the world.
From an attacker’s perspective, it is a hugely attractive target: get access to one of the MSP tools, such as an RMM tool, and you get access to millions of devices around the world. The attraction is that RMM tools include scripting functionality and are also seen as authorized by endpoint security solutions, giving attackers the ability to run a variety of malicious scripts.
For governments, the issue is quite clear. We have over five million registered businesses in the UK, and considering a huge portion of those are small businesses that rely on MSPs for IT support and security, it was only a matter of time before our government took action to regulate the MSP industry.
The Network and Information Systems Regulation has been in place since 2018, but it has recently been updated to require controls are in place for “operators of essential services” and while this does not directly impact most MSPs, it is surely a matter of time before they are expanded further to include any MSP delivering or managing IT security services on behalf of their customers.
At present, “operators of essential services” covers areas such as:
• Electricity supply
• Oil & Gas supply
• Air Transport
• Shipping
• Rail
• Road
• Healthcare
• Water supply
• Digital infrastructure
MSPs might not currently be servicing clients in these sectors or indeed if they are, with clients that are big enough to be considered “operators of essential services”, but surely it’s only a matter of time before we see further regulations? Think of the essential services you deliver for your customers and in turn how critical their business is (however small) to a whole host of different businesses and private individuals.
From what we can see, this regulation does not explicitly state what security solutions are in place, which means it is down to MSPs to do the due diligence on all the tools they use to ensure their customers are as secure as possible. Clearly though the Government and in turn NCSC are heavily pushing the importance of Cyber Essentials and one thought is that this may become mandated for all MSPs before being rolled out further to SMBs at large. It’s clear that this is a continuously developing landscape: for MSPs to stay on top of what is available and what the best is no mean feat.
This is where Brigantia comes in and can do a lot of the heavy lifting for you. Brigantia commits to continue to select non-competing vendors on the solidity of their security and compliance offerings to ensure that partners have the best tools available to support their clients most effectively, with the peace of mind that all vendors Brigantia promotes have been thoroughly tested.
MSP regulations are coming, so Brigantia’s advice is to get ahead of the game and protect your business today. At the very least, PLEASE get Cyber Essentials to demonstrate that you practice what you preach!
