Are managed services in need of government intervention? MSPs react to proposals for new cybersecurity measures
UK government say measures could require MSPs to meet the Cyber Assessment Framework
Managed service providers (MSPs) have reacted with mixed views to the government's proposals for increased cybersecurity measures on their businesses, though largely support the idea for greater security.
The UK government has asked MSPs and firms procuring digital services for feedback on plans for increased measures and views on the existing guidance for supply chain cyber risk management.
It is also testing the suitability of a proposed security framework for firms which manage organisations and say the proposals could require MSPs to meet the current Cyber Assessment Framework (CAF) - a set of 14 cybersecurity principles.
The CAF includes a number of tests designed for organisations to carry out themselves, or by an independent body such as a regulator, and was originally introduced in 2018 to support the UK's implementation of the EU's NIS Directive.
CRN spoke to several MSPs to get their reaction to the proposals for increased security and what they would, and would not, like to see introduced.
And while the idea of trying to improve cybersecurity was seen as a positive, views on the level of regulation needed was met with differing responses.
Is more regulation needed?
The government's proposal for more cybersecurity measures, including making them follow the CAF, was mostly seen as a positive for the industry despite some concerns over whether it goes far enough, and that existing accreditations for MSPs already go beyond what it suggests.
Pravesh Kara, security and networks products director at Content+Cloud, has signed up to be a part of the consultation process and has already taken part in a "private roundtable", which he said was "encouraging".
He said that several options were being considered as to how far the government should go, with the consensus being that the process should be "done at an international level" due to organisations operating across different countries.
"I'm absolutely for it but it's got to be done with full consultation with the MSPs not just at the beginning, but throughout the entire process to come out with what the approach looks like," he said.
Cyber attacks were "going up", said Kara, and becoming "more targeted at MSPs". Some smaller MSPs might not have the revenue to secure themselves more effectively nor be able to go for big certifications like 27001, the international standard for information management which Kara he said Content+Cloud is accredited by.
Scott Nursten, founder of ITHQ, has also responded to the call for views put out by the government and said he does not think current cybersecurity measures go "nearly far enough", stating that he would like to see "something focused on cyber resilience come into law for all businesses".
"Health and safety is taken so seriously in this country.. but companies don't think twice about letting your staff go on to the internet completely unprotected, with no view as to what they're doing," he said.
"And most of the time, they're actually looking after someone else's data.
"The level of criminal activity in the marketplace, the fact that businesses aren't protecting themselves, that there are so many charlatans out there selling silver bullets that aren't silver bullets, I guess it does have to have government intervention at this point."
But Andy Simpson, who previously worked in cybersecurity at the Ministry of Defence but is now Marathon Managed Services' head of information security practise, questioned the need for MSPs to be strictly regulated because of the accreditations already in place.
"You can't do your business without signing up to a standard these days. We would not have the contracts we have if we were not ISO270001 accredited," he said.
"I don't think we need to be regulated because, by virtue of what we do, any strong MSP will be regulating themselves, because people and organisations will only trust you with their data if you can prove that you're already at that standard."
He added that the ISO270001 already goes beyond the CAF, though claimed there were positives to MSPs and businesses having to follow the framework such as its "modular approach" and that it will "drive leadership engagement", especially for non-profit and smaller businesses who do not have as much resource.
Etienne Greef, CEO of Flow Communications, said he "absolutely" supports increased cybersecurity measures, stating that it is important for MSPs to "effectively practice what they preach", adding that some were "not making the investment that's required".
"MSPs do hold the keys to the kingdom for a lot of customers and so making sure that that an MSP is compliant to a minimum level of standards is important," he said.
"There is an argument to be made that our industry should be a regulated industry."
What do they want to see?
The measures that MSPs did want to see introduced focused on both greater enforcement and making things simpler for organisations.
ITHQ's Nursten called for far-reaching measures on MSPs to clamp down on what he called the "charlatans and liars" operating in the industry, arguing that there is currently "no enforcement".
"My view has been that, while the guidance from the National Cyber Security Centre is actually very good, it's been very functional, very specific, well targeted, well thought out, but it is just that - it's advice and guidance," he said.
"And it's not necessarily about penalties. I'm not sure that works either. How about incentivising? And how about going the other way around? How about encouraging businesses, say they could save some corporation tax or some VAT or get some government investment to get these things done?
"They should set a standard for businesses to attain. They could engage an external body or someone to create a framework, a requirement for businesses like mine to adhere to. We're having to kind of prove our credibility through independent certs and third parties."
Like Nursten, Greef also stressed the need for greater enforcement of any measures put in place but said the CAF addresses the basics of cybersecurity, which he believes are "often neglected".
"I think it's important that we don't just have regulation, but we also have a framework where the regulations are enforced," he said.
"I'd much rather be in an industry where the barrier to entry is the same for everybody. We all have to comply to the same regulations, we all have to be at the same standard, as opposed to people just doing it because it's good."
Kara is also in favour of the CAF principles because of the framework being "closely aligned" with other schemes like the ISO270001 and also called for "more consistency" in the approach to cybersecurity to make it easier for MSPs.
"Right now, I think every organisation doing supplier assurance tends to come up with their own way of doing it," he explained.
"I think what would really help is if there was some consistency in approach, where suppliers and MSPs were only able to enter this information once and it would be available in some way shape or form for all other buyers.
"That would save effort for MSPs and, equally, the buyer has one trusted resource that they can go to all the time, they don't have to create their own custom internal supplier assurance programme as well."
Potential issues and how regulations could fail
Several concerns around the effectiveness of the CAF were raised, however, while the MSPs also highlighted what should be avoided when it came to new cybersecurity measures.
Simpson said the CAF was a "vanilla guideline" and believes certain industries will need "higher standards", while also arguing that it needs to mature and become specific to each industry.
He also believes the framework does not provide a single "measurement of quality" and could come across as a "tick box exercise" for organisations.
This was a concern echoed by Nursten, who said the government needs to get away from "box ticking" while also raising concerns about the effectiveness of MSPs certifying themselves which he said "would not fix any problem" because it allows companies to be dishonest.
"It just all seems to be very slow and quite late to the party, and then it happens in a strange direction like this, like focusing on supply chain or managed service provision, where I think it goes well beyond that," Nursten also said.
Kara stressed the need to avoid a "one size fits all" approach and said MSPs should not be put in a position where they are responsible for "the rest of the supply chain", which he said would "increase overheads on MSPs" and "drive up the cost of services".
The government's call for views is open until 11 July.