In the wake of several high-profile cyber attacks (SolarWinds, Colonial Pipeline), the government is proposing to shore up Britain’s cyber security by broadening the scope of the Network and Information Systems (NIS) Regulations to include managed service providers (MSPs).
Here’s our take on what this means for MSPs and for our clients.
What are the Network and Information Systems (NIS) Regulations?
The NIS Regulations came into effect in 2018 to improve the cyber security of companies that provide essential services such as water, energy, and healthcare. Under the regulations, these organisations must undertake regular risk assessments, and have sufficient and proportionate cyber security measures in place. They’re also required to report significant cyber security incidents and ensure they are capable of making a quick recovery from an attack. Companies that fail to comply can be fined as much as £17 million.
What are the new proposals?
After a consultation in early 2022, the government has announced plans to further update the NIS Regulations to shore up the UK’s cyber defences.
The new plans include:
- bringing managed service providers (MSPs) under the purview of the new regulations to help protect digital supply chains
- improving the process for reporting cyber incidents to regulators
- establishing a cost recovery system for enforcing the NIS Regulations
- empowering the government to amend the NIS Regulations in the future to ensure they remain applicable
- enabling the Information Commissioner to take a more risk-based approach to regulating digital services
The government wants to beef up Britain’s resilience to cyber attacks by expanding the NIS Regulations to include Managed Service Providers (MSPs) like Intersys. With access to their clients’ data, networks and systems, MSPs are obvious targets for cyber criminals; a successful attack against a single MSP could potentially unlock the backdoor to hundreds of organisations. This is not a hypothetical threat. In 2021, a ransomware attack on US-based MSP Kaseya left up to 1500 of their clients with encrypted files.
“Cyber attacks are often made possible because criminals and hostile states cynically exploit vulnerabilities in businesses’ digital supply chains and outsourced IT services that could be fixed or patched,” said Minister of State for Media, Data, and Digital Infrastructure, Julia Lopez, back in January 2022.
“The plans we are announcing [...] will help protect essential services and our wider economy from cyber threats. Every UK organisation must take their cyber resilience seriously as we strive to grow, innovate and protect people online. It is not an optional extra.”
Why we welcome the expansion of the NIS Regulations
Cyber crime is not going to disappear and organisations cannot afford to be complacent about their IT security. With more and more companies outsourcing their IT to MSPs, regulation is a welcome step to ensure that no MSP becomes the weakest link in a supply chain.
At Intersys, many of our clients are in highly regulated industries (such as pharmaceuticals, legal and financial), so our Security Operations Centre already meets and exceeds the standards proposed by these guidelines.
“This proposal is something I welcome with open arms,” says Intersys Managing Director Matthew Geyman. “We see far too many companies failing to apply basic and good security practice, with devastating consequences.
“The fact that the government wants this law to apply to companies like Intersys validates our belief in how critical it is for all organisations (not just big utilities companies) to change their approach to information security.”
At Intersys, safety always comes first. For more information on how we can help keep your data and network safe and secure from cyber attacks, contact us for an informal, no-obligation chat.
Intersys offers a security operations centre service for organisations of all sizes. Choose from the Silver, Gold and Platinum packages to get rock-solid protection from an industry specialist in IT security. Prices are scalable and cost far less than you might think. Find out more about SOC as a service from Intersys, or get in touch now and tell us about your requirements.