'Many years too late' - Cybersecurity experts react to government crackdown on MSPs

MSPs could be fined up to £17m if they fail to comply with cybersecurity regulations under NIS regulations

'Many years too late' - Cybersecurity experts react to government crackdown on MSPs

Government proposals to crackdown on MSPs with inadequate cybersecurity measures in place has come "many years too late" according to cybersecurity experts that spoke to CRN.

UK MSPs could be fined up to £17m under new proposals published a few weeks ago if they are found to have failed to put in place effective security measures.

It comes amid a surge in supply chain attacks over recent years. The European Unions Agency for Cybersecurity (ENISA) found last year that supply chain attacks are expected see a four-fold increase in 2021 compared to the previous year.

Supply chain attacks can come from an "ecosystem of resources" a customer uses to run its business, ranging from hardware, software, storage and distribution.

These types of attacks made headline news in 2020 after separate incidents involving SolarWinds and FireEye led to thousands of businesses and the US Justice Department being compromised.

In the wake of this rising threat, the UK government suggests expanding its existing Network and Information Systems (NIS) regulation - which covers companies that provide essential services such as water, energy, transport, healthcare and digital infrastructure - to now include managed services providers.

This means that MSPs will now fall under the NIS regulation and will have to comply to its cybersecurity standards or else risk being handed a fine that could be as high as £17m.

MSPs that spoke to CRN welcomed the news but said that the introduction of a financial penalty has come "many years too late".

ITHQ founder Scott Nursten said that the regulation will help weed out the companies that are failing to put in place adequate cybersecurity measures.

"We just helped a client whose MSP completely shirked their responsibility for security and has actually written into their terms and conditions that it's not their responsibility, even though they've been selling security services to the client. Their T&Cs basically said that they don't stand by their own security services and that nothing they sold them could be construed as advice."

"I think it means that there's actually some legal recourse, so they can't just rely on their terms and conditions now. That's going to help at least, because I do think that we've still got quite a few cowboys in our industry I'm afraid."

Has GDPR proven the case for regulation?

How seriously MSPs take the threat of a hefty fine will hinge on how effectively the authorities move to enforce the regulation.

MSPs might be waiting to see if, and when, the first fines are issued before taking action to improve their own cybersecurity standards.

And, with the UK being home to thousands of MSPs, there are questions of whether it's even possible to regulate such a vast market.

But GDPR has shown us that the ICO is not afraid to stand up to organisations that misbehave. The authority handed out fines totalling £42m for data breaches in 2020, including British Airways for £20m, Marriot for £18.4m and to Ticketmaster for £1.25m.

"With legislation like GDPR we found that it certainly had teeth," said David Ellis, VP security and mobility solutions at Tech Data.

"And because of that, organisations have had to follow it. So we don't expect this to be too different. If you're a service provider, you will want to market yourself as a business that adheres to these standards and the quality of service you provide."

Are we likely to see the maximum £17m fine? Probably not, according to Flow Communications CEO Etienne Greeff - but the ICO's track record with GDPR shows that regulators will not hesitate to crack down on MSPs if they need to.

"Not a lot of companies will be fined to that level, but the fact of the matter is that there needs to be some fines and people need to be made accountable, because at the moment a lot of MSPs aren't accountable and they don't take as much care of customers' information as they should," he said.

Nursten added that even a fine that's a fraction of the size of the maximum penalty will have a substantial impact on most MSPs.

"As a growing business like ITHQ, if we even got a £100,000 fine it would change my numbers for the year quite significantly and it would for anyone. I think it has teeth.

"It's unfortunate that we have to be in this situation, because I'm not a big fan of endless regulation. I think the UK is over regulated if I'm being honest. But at the same time, because you come across cowboys in this industry all the time and you've got unscrupulous business owners, then you're going to have to regulate, right?

"If people can't be trusted then you have to use regulation. So, am I a fan of endless regulation? No. Do I think it's necessary? Absolutely."

Understanding the scale of the problem

While supply chain attacks have been identified as a serious issue, it has historically been difficult to determine the sheer scale of supply chain attacks coming through MSPs, as most go unreported.

That could change with this new regulation, Greeff believes. Germany records 10 times the number of breaches than the UK each year, he said.

That's not because cybercriminals are more active in Germany, or that German businesses are ignoring cybersecurity, it simply shows that more incidents are actually being reported.

"Now that MSPs have to start reporting breaches, we will realise that actually there's a lot more happening than we realise," he said. "Overwhelmingly that's a positive thing."