In the wake of several high-profile cyber attacks (SolarWinds, Colonial Pipeline), the government is proposing to shore up Britain’s cyber security by broadening the scope of the Network and Information Systems (NIS) Regulations to include managed service providers (MSPs).
Here’s our take on what this means for MSPs and for our clients.
What are the Network and Information Systems (NIS) Regulations?
The NIS Regulations came into effect in 2018 to improve the cyber security of companies that provide essential services such as water, energy, and healthcare. Under the regulations, these organisations must undertake regular risk assessments, and have sufficient and proportionate cyber security measures in place. They’re also required to report significant cyber security incidents and ensure they are capable of making a quick recovery from an attack. Companies that fail to comply can be fined as much as £17 million.
What are the new proposals?
The government wants to beef up Britain’s resilience to cyber attacks by expanding the NIS Regulations to include Managed Service Providers (MSPs) like Intersys. With access to their clients’ data, networks and systems, MSPs are obvious targets for cyber criminals; a successful attack against a single MSP could potentially unlock the backdoor to hundreds of organisations. This is not a hypothetical threat. Just last year, a ransomware attack on US-based MSP Kaseya left up to 1500 of their clients with encrypted files.
“Cyber attacks are often made possible because criminals and hostile states cynically exploit vulnerabilities in businesses’ digital supply chains and outsourced IT services that could be fixed or patched,” said Minister of State for Media, Data, and Digital Infrastructure, Julia Lopez, in January.
“The plans we are announcing today will help protect essential services and our wider economy from cyber threats. Every UK organisation must take their cyber resilience seriously as we strive to grow, innovate and protect people online. It is not an optional extra.”
Why we welcome the expansion of the NIS Regulations
Cyber crime is not going to disappear and organisations cannot afford to be complacent about their IT security. With more and more companies outsourcing their IT to MSPs, regulation is a welcome step to ensure that no MSP becomes the weakest link in a supply chain.
At Intersys, many of our clients are in highly regulated industries (such as pharmaceuticals, legal and financial), so our Security Operations Centre already meets and exceeds the standards proposed by these guidelines.
“This proposal is something I welcome with open arms,” says Intersys Managing Director Matthew Geyman. “We see far too many companies failing to apply basic and good security practice, with devastating consequences.
“The fact that the government wants this law to apply to companies like Intersys validates our belief in how critical it is for all organisations (not just big utilities companies) to change their approach to information security.”
Intersys offers a security operations centre service for organisations of all sizes. Choose from the Silver, Gold and Platinum packages to get rock-solid protection from an industry specialist in IT security. Prices are scalable and cost far less than you might think. Find out more about SOC as a service from Intersys, or get in touch now and tell us about your requirements.