Jakub Jirsák - stock.adobe.com

Government looks into strengthening MSP security

Consultation opens to gather views of managed service providers as DCMS focuses on tightening supply chain security

Managed service providers (MSPs) are being asked to share their views on government plans to tighten up digital security in supply chains.

With criminals targeting MSPs and the channel at risk of being seen as the weak link, the Department for Digital, Culture, Media and Sport (DCMS) is consulting on the issue.

MSPs will be able to comment on measures that would increase the security of digital supply chains and how protection could be improved for those in the channel providing services including data processing and infrastructure management.

The consultation period runs until 11 July, with MSPs getting the chance to share their thoughts. The DCMS is keen to hear about best practices and examples of good supplier risk management.

DCMS research has exposed a potential problem with only 12% of firms reviewing the risk coming from their immediate suppliers.

One of the ideas is that it could become mandatory for MSPs to meet the current Cyber Assessment Framework (see box below) and adhere to the 14 principles that encourage higher levels of security.

“There is a long history of outsourcing of critical services,” said digital infrastructure minister Matt Warman. “We have seen attacks such as ‘CloudHopper’, where organisations were compromised through their managed service provider. It is essential that organisations take steps to secure their mission-critical supply chains – and remember they cannot outsource risk.”

As well as the CloudHopper attacks that first started to cause headaches a few years ago, MSPs have also been targeted by ransomware attacks as criminals look to access customers via that link in the supply chain.

“Firms should follow free government advice on offer,” said Warman. “They must take steps to protect themselves against vulnerabilities and we need to ensure third-party kit and services are as secure as possible. We are seeking views from firms that both procure and provide digital services, as a first step in considering whether we need updated guidance or strengthened rules.”

The government has been providing support for MSPs through the National Cyber Security Centre with the Cyber Assessment Framework, as well as Supply Chain Security and Supplier Assurance guidance. There has also been £500,000 of funding for those serving the healthcare sector.

Framework requirements

One of the potential consequences of the consultation is that the DCMS will conclude that MSPs should follow the Cyber Assessment Framework. The 14-point framework includes measures that should improve security and provide reassurance to customers, including:

  • Having policies to protect devices and prevent unauthorised access.
  • Ensuring data is protected at rest and in transit.
  • Keeping secure and accessible backups of data.
  • Training staff and pursuing a positive cyber security culture. 

Read more on Data Protection Services