
The latest updates on the UK government’s Cyber Security and Resilience Bill


Back in July 2024, the UK government announced its plans to bring a Cyber Security and Resilience Bill before parliament. The bill is designed to tackle the growing threat to the UK’s critical national infrastructure (CNI), such as water, power and healthcare.

Things have been pretty quiet ever since, beyond some theorising by industry blogs and panel discussions about what the bill might include. But, as of early April, we have movement! The Department of Science, Innovation and Technology (DSIT) has released its Cyber Security and Resilience Policy Statement, setting out legislative proposals.

Here’s everything we know about the upcoming Cyber Security and Resilience Bill and what it could mean for your business.

What are the legislative proposals?

Of course, there’s no guarantee that all of the measures in the following list will be enacted or that, if they are, they’ll have the same scope. We’ve got months of amendments in both the Commons and the Lords before we see the final bill early next year. However, this is what has been sketched out.

1. Broader regulatory scope

The bill aims to broaden the scope of the 2018 NIS Regulations to include more organisations and suppliers. This would place stronger obligations on those deemed “critical” suppliers, like Managed Service Providers (MSPs) and those part of public sector or national infrastructure supply chains.

2. More power for regulators

Regulators would have greater powers to improve cybersecurity and resilience in the sectors they oversee. These powers could include:

  • Technical standards: Establish clearer cybersecurity standards and requirements based on the National Cyber Security Centre’s (NCSC) Cyber Assessment Framework.
  • Incident reporting improvements: Expanded criteria, faster (24-hour initial notification, 72-hour detailed report), streamlined reporting to regulators and the NCSC, and new transparency requirements, such as informing customers directly of significant incidents.
  • ICO powers: Improved proactive information gathering powers for the ICO to better manage risks within digital services.
  • Cost recovery: Regulators could recover the costs of oversight through fees, reducing the taxpayer’s burden.

3. A more flexible cyber framework

The proposals would give the government greater flexibility to update cybersecurity frameworks, as and when needed, without primary legislation.

This is a sensible approach, allowing regulators to become a little more agile in responding to new threats and trends. For example, this would allow the government to extend the framework to cover new sectors. In fact, we think it’s highly likely this will happen as the UK’s cyber infrastructure further matures.

4. Greater executive powers

The bill also seeks to grant the government much stronger executive powers to respond to cyber threats when necessary for national security. Essentially, this means that if a regulated organisation isn’t adequately addressing a cyber threat that could affect national security, say a supply chain attack involving critical infrastructure, the government could step in and force it to act.

What’s still under consideration?

As with any bill at this stage of the legislative process, some areas are still under consideration. The exact scope of the powers the Secretary of State could be granted is a live debate, due to obvious concerns about executive overreach. And there are two other proposals still being ironed out.

Data centres regulation

The government is considering regulating data centres. This is due to their newly designated (and overdue) status as critical national infrastructure. 

Any data centre with a capacity of 1 megawatt or more would likely be within scope of the regulations, unless it is an enterprise data centre, in which case the threshold would be significantly higher (10 megawatts).

According to Raconteur, there are 224 such data centres, run by 68 operators, across the UK. The government expects 182 of them to fall in scope. So, if data centres are included, it’d be a major legislative change.

Statement of strategic priorities

The bill could also enshrine in law a commitment to publish a regular “statement of strategic priorities for regulators”. The thinking behind this is to create a unified and consistent approach to cybersecurity among UK regulators and ensure everyone is pulling in the same direction.

How will the Cyber Security and Resilience Bill affect MSPs?

If you run an MSP, the bill’s effect on your business will largely depend on its size and who it works with. 

According to the government’s 2024 figures, there are 11,492 MSPs active in the UK. Of these, we estimate that between 1,500 and 1,700 MSPs are potentially within scope of the NIS regulations. However, up to 600 may already be captured under existing cloud provision to their customers.

That leaves around 900 to 1,100 large and medium-sized MSPs that may need to consider the impact of regulatory compliance with NIS.

Due to their size, the 3,200 small MSPs and 6,600 micro MSPs operating in the UK are likely to be exempt from regulation. But if you lead a smaller MSP, that doesn’t necessarily mean the rules won’t impact you at all. You could still feel the effects through standards embedded by larger competitors, or if you work within a critically important sub-sector, such as defence.

What does the industry think of the proposals?

The industry has generally welcomed the announcement. Few within the cybersecurity sector disagree that our critical national infrastructure needs stronger defences. Or that any attempt to tackle the threat has to include the thousands of businesses that make up CNI supply chains.

Last year alone saw a ransomware attack on NHS pathology provider Synnovis that led to permanent damage to patients’ health, a data breach of payroll information at the Ministry of Defence, not to mention the revelations about Thames Water’s poor security.

Meanwhile, the NCSC reported that 2024 was a record-breaking year for attacks on CNI. And, according to the 2024 Thales Data Threat Report, 93% of CNI organisations saw a rise in cyber-attacks over the last year, with 42% of those suffering a data breach.

Against this backdrop, and despite the extra obligations it places on businesses, the bill can only be seen as welcome and long overdue.


Introducing CyberSmart Learn - now available!


We’re delighted to announce the launch of CyberSmart Learn, our new cybersecurity awareness training and learning management system.

At CyberSmart, we view security training for staff as one of the key pillars of Complete Cyber Confidence. So, we’ve launched CyberSmart Learn to build on our existing offering and provide your people with skills and knowledge to defend themselves (and your business). Here’s what you need to know.

What is CyberSmart Learn?

CyberSmart Learn is our new and improved cybersecurity awareness training and learning management system.

What makes CyberSmart Learn different?

CyberSmart Learn builds on our existing cybersecurity training offering. While CyberSmart Academy was a bolt-on for Active Protect, Learn is a dedicated LMS and a separate product in its own right.

Plus, it comes with a whole host of features that we couldn’t offer in CyberSmart Academy. These include:

Totally customisable

CyberSmart Learn is completely customisable to your needs. Choose what training employees receive and when, upload your own custom training, and white label it to match your brand. 

Advanced reporting

CyberSmart Learn offers advanced real-time reporting, allowing you to track training progress and cyber awareness across your business or network. 

New and improved content

All of our cybersecurity training content has been given a radical refresh, with over 70 new modules, an enhanced user experience and a new-look interface.

Broadened scope

CyberSmart Learn isn’t solely dedicated to cybersecurity. Within it, you’ll also find HR and data protection modules. And, you can even add training from other providers. All you need to upload any training your business requires is a SCORM file of the content. 

Scalability

Whether you’re a 5-person business, 500-person enterprise, or a managed service provider with a network of thousands of customers, CyberSmart Learn scales with your organisation.

Why this matters

It’s estimated that human error is the cause of between 88% and 95% of all cybersecurity breaches. In other words, if we could eliminate the little security mistakes all of us make from time to time, many breaches simply wouldn’t happen. 

Yet, employee training is often overlooked as a key component of cybersecurity. In our recent SME Mobile Threat Report, we discovered that 59% of SMEs didn’t provide any mobile security training to staff. This comes at a time when it’s becoming clearer that higher spending on cybersecurity tools doesn’t necessarily correlate with safer businesses.

CyberSmart Learn is our commitment to addressing this. We believe that employee training is one of the most cost-effective means of protecting your business and CyberSmart Learn can help you do it.

What does this mean for CyberSmart Academy?

CyberSmart Academy lives on, but we’ve rebranded it as CyberSmart Learn Lite. Nothing else has changed. It’s still included as standard with CyberSmart Active Protect and includes all the features you currently know and love.

However, one thing to bear in mind is that CyberSmart Learn is a new platform requiring its own configuration of users and assignments, so you’ll need to start afresh if you upgrade.

How do I get CyberSmart Learn?

Get in touch. CyberSmart Learn is live and ready for use. So if you’re ready to get started please reach out directly or through your managed service provider.

New feature: CyberSmart Ticketing API


You asked, and we listened. It has been one of the features most requested by our partners, so we’re delighted to announce the general availability of our Ticketing API, which helps you automate security workflows effortlessly.

Here’s everything you need to know.

What is it?

Our Ticketing API now offers full access to certifications and desktop security controls, providing deeper integration and flexibility for your customers’ security needs. Whether you want to automate workflows, integrate with other systems, or customise your offerings, our API gives you the tools to do so.

Who is it available to? 

All CyberSmart Partners, no matter your tier. Our Ticketing API isn’t currently available to direct customers. 

How do you set it up?

Although our Ticketing API offers powerful features, it’s worth noting that it’s not a plug-and-play solution. You’ll require developer expertise to set it up and take advantage of its full functionality.

We’ve prepared some resources to help your team get started, including: 

  • A step-by-step guide to setting up our ticketing API, which you can find here
  • A video demo, available through our BeCyberSmart Community

We recommend sharing these resources with your developers as soon as they begin the implementation process.  

What’s next? 

We understand that this current rollout is quite technical, and we’re aware that not all partners may be ready to dive in immediately. While this is the first phase, we’re committed to improving and expanding the functionality in the future. 

However, for the moment, this is the full scope of our Ticketing API release. Rest assured we’ll keep you updated as we work on future enhancements.

We’re excited to see how you use the Ticketing API to unlock new possibilities for your customers. Please reach out with any questions or feedback, and thank you for being a valued partner.

Managed service provider cybersecurity: how to protect yourself and your clients


Managed service providers (MSPs) are at greater risk of cyberattacks than other businesses. The question is, why? 

What makes MSPs, like yours, such an enticing target? And what can you do to protect your business and your clients?

Why do cybercriminals target MSPs?

MSPs might seem like an odd target. We tend to think of them as technology experts, with the best cybersecurity solutions, processes, policies, and tools. So surely there are more tempting targets? Unfortunately, this is only partially true.

No matter how well-protected an MSP might be, plenty of cybercriminals believe the risk is worth the reward. MSPs have remote access to their clients’ systems and networks. Not to mention huge amounts of data – everything from employee login credentials to financial records.

In short, cybercriminals target MSPs for the same reason they attack supply chains. Successfully breaching their defences can create a domino effect that extends way beyond the initial target, leading to ‘follow-on’ activity across the MSP’s client base.

What are the consequences of a successful MSP cyber-attack?

Cyber-attacks have direct and indirect consequences for MSPs.

Direct consequences

Disruption is perhaps the most obvious consequence. Unless you catch it early, a successful cyber-attack can bring your systems down, requiring a lengthy clean-up operation to put right. Not only does this impact productivity, it also has a detrimental effect on employee confidence and morale. There may be financial consequences to consider, too.

A serious malware attack can lead to prolonged service outages that directly impact your bottom line. Meanwhile, a successful ransomware attack may result in locked systems or stolen data, leaving you no choice but to pay the ransom. Additionally, you may have to pay a fine if an independent investigator decides your cybersecurity failed to meet the minimum requirements of your industry.

Then there’s the possible reputational damage of a cyber-attack, which can make it harder to attract new clients and retain existing ones.

Indirect consequences

Often, your clients suffer most from a managed service provider cybersecurity breach – particularly if you work with SMEs.

Only 33% of UK SMEs use threat monitoring tools, according to one government survey. At the same time, even fewer (31%) conducted a cybersecurity risk assessment last year. This makes SMEs more susceptible to threats than large organisations, enabling attacks to spread faster.

The Kaseya ransomware attack illustrates how easily an attack can get out of control. After attackers exploited vulnerabilities in the provider’s software, the breach spread to dozens of MSPs and over 1,500 of their customers in a matter of hours.

7 tips to defend against managed service provider cybersecurity threats

There’s no doubt cyberattacks can have serious consequences for MSPs. However, adopting a few simple measures can go a long way to protecting you and your customers.

1. Install software patches

Even the best-protected software can develop vulnerabilities over time, presenting a golden opportunity to wily hackers. You can mitigate this risk by updating your software with the latest patches as soon as they become available.

It’s like mending a puncture. The sooner you apply the patch, the less air escapes. Updating your software works on the same principle, allowing you to catch issues before they escalate. The best part? It’s quick and easy, taking only a couple of minutes a month.


2. Set up multi-factor authentication

Multi-factor authentication (MFA) is an application security process that requires users to set up two or more verification methods. Alongside the traditional username and password, these include:

  • Security questions
  • PIN codes
  • Biometrics (e.g. thumbprints)

On their own, passwords are vulnerable to data leaks and brute-force attacks. By contrast, MFA is difficult to crack – even for the most sophisticated hackers.

3. Back up your systems and data

Backing up your systems and data provides a vital failsafe should you suffer a breach. In some cases, it can even help you avoid having to pay a ransom. 

The simplest and most cost-effective approach is to use data backup software. Once installed, it automatically copies data to one or more external sources. For example, an external drive, data centre, or cloud server.

Not sure what to back up? Use this simple rule of thumb: anything you don’t want to lose, back up.

4. Segregate your networks

Dividing your network into distinct parts (or sub-networks) helps to prevent unauthorised access to sensitive data.

The key to this is setting strict access controls for each sub-network, based on the zero-trust principle. This ensures users only have the privileges they need to do their job. It might sound extreme, but it’s critical in allowing you to isolate affected systems, customers, or accounts in the event of an attack.

5. Train staff

Education is arguably the most important component of effective cybersecurity. After all, human error causes 55% of data breaches.

Start with the basics. Teach staff how to spot the tell-tale signs of a cyberattack and how to respond. Looking further ahead, consider running regular top-up courses to keep staff up to date with best practices. This gives them the knowledge, skills, and confidence to combat threats.

6. Create an incident response plan

Cyberattacks aren’t inevitable. But, statistically speaking, they are likely. That’s why you need a coherent and actionable response plan, in case the worst does happen.

An incident response plan is a set of instructions that tells employees what to do in the aftermath of a cyber-attack. It helps you organise an effective and coordinated response, minimising damage and helping you recover faster.

You’ll also need to encourage your clients to develop their own incident response plans. Just 4% of MSPs say all their clients have active incident response plans.

7. Map your supply chain risks

Supply chain attacks are increasingly common. So, once you’ve locked down your own cybersecurity, identify who among your customers or suppliers could pose a risk.

The National Institute of Standards and Technology (NIST) recommends asking questions like these to gauge a supplier’s security posture:

  • Is your software/hardware process documented, repeatable, and measurable?
  • How do you stay updated on emerging vulnerabilities?
  • What level of malware protection do you have in place?
  • What physical and digital access controls do you use?
  • How do you ensure upstream suppliers adhere to cybersecurity best practices?

Remember: when it comes to cybersecurity, a unified approach is the best defence.

Stay on top of cybersecurity

The cybersecurity landscape can be a daunting place. New threats emerge all the time, creating obstacles for you and your customers. But by following these simple steps, you can reduce your exposure to common security risks and work safely.

Key takeaways from the MSP cybersecurity survey 2024


How prepared are managed service providers (MSPs) to deal with cyber threats? 

This might seem like an obvious question, but there’s surprisingly little research on the subject. So, we set out to change this. Alongside our friends at OnePoll, we surveyed 250 UK business leaders from every major industry to understand the challenges and opportunities facing MSPs.

Here are the key takeaways from the CyberSmart MSP survey 2024.

The MSP cybersecurity survey 2024: 5 things you need to know

1. MSPs are among the most attractive targets for cybercriminals

87% of respondents said they’d experienced at least one breach in the last year – with many suffering multiple attacks.

So, why are they such a popular target?

Many businesses rely on MSPs for everything from IT support to network monitoring. They provide essential services, but need privileged access to their customers’ critical systems and data to deliver them.

As such, breaching an MSP gives cybercriminals access to data from multiple targets. This allows them to reach more victims with minimal effort, maximising the amount they can earn from a single attack.


2. Malware and ransomware are the biggest threats to MSPs

Cyber threats take various forms. Some, like phishing, are more common than others. But for MSPs, the biggest threats come from malware and ransomware.

57% of respondents ranked malware and ransomware as their biggest concerns, ahead of unpatched vulnerability exploits (41%) and insider threats (37%). These results are particularly interesting given that many businesses don’t have ransomware recovery plans or policies to deal with them.

3. MSPs overlook key cybersecurity risks

Despite growing awareness among MSPs of the biggest cybersecurity risks, our survey revealed some notable exceptions. 

The cybersecurity skills gap is a prime example. Only 35% of respondents identified it as a key concern – in sharp contrast to recent World Economic Forum research suggesting it remains a serious threat.

Alarmingly, only 26% recognised supply chain attacks as a threat, while few explicitly mentioned phishing. This is particularly surprising, given that 84% of businesses that reported breaches last year experienced some form of phishing attack.

4. Customers expect more from MSPs

IT services are the bread and butter for many MSPs, providing guidance and support for businesses that don’t have the resources to manage their infrastructure in-house. But customer expectations are changing.

65% of respondents said customers expect MSPs to implement or manage their cybersecurity. Meanwhile, 73% feel their security capabilities are under greater scrutiny, especially during request for proposal (RFP) and new business meetings.

In response, we’ve seen many MSPs adapt their services to meet this demand. 70% of respondents have expanded their capabilities over the last year, adding cybersecurity support services and products to their portfolios.

5. Cybersecurity confidence is high among MSPs

Nearly all respondents said they were confident in their business’s cybersecurity. We defined this as having or engaging in at least one of the following:

  • Continuous threat monitoring
  • Proactive risk management
  • Risk reporting
  • Incident response and recovery
  • Cybersecurity training
  • Cybersecurity policies
  • Demonstrable cyber credentials (e.g., Cyber Essentials)

When we dig a little deeper, this confidence appears misplaced. Only 55% and 54% of SMEs have clear policies for accessing and sharing sensitive data, respectively. This suggests a disconnect between perception and reality.

A golden opportunity for MSPs

Our survey reveals some interesting truths about MSP cybersecurity.

MSPs remain the most popular target for cybercriminals, with malware and ransomware attacks the biggest threats. Service providers are increasingly aware of the dangers of the digital frontier and are confident in their defences, but overlook some key risks nonetheless.

Arguably, the most interesting point is the changing perception among customers. Many now expect service providers to offer cybersecurity products and services as standard. While this might seem like another hurdle to overcome at first glance, it presents a golden opportunity to MSPs willing to adapt to meet this demand.

5 MSP cybersecurity threats (and how to stop them)


Few targets are as enticing to cybercriminals as managed service providers (MSPs). And for good reason.

From IT support to finance management, MSPs provide essential services to large customer bases. But to deliver them, they need privileged access to internal systems and sensitive data. As such, successfully breaching an MSP can give cybercriminals access to huge amounts of information from multiple businesses.

To help you stay one step ahead, we’ve listed five of the most common MSP cybersecurity threats – along with some simple tips to defend against them. 

The 5 most common MSP cybersecurity threats

1. Phishing

Phishing is a form of social engineering attack that tricks people into handing over sensitive information or downloading malicious software, typically by impersonating a trusted individual or organisation, or by creating panic.

Cybercriminals often use email to initiate phishing attacks. How many times have you seen messages like this appear in your inbox?

“Hi Jane, this is Bob. We need to send an urgent payment to a new supplier, but I’m in a meeting for the rest of the day. Can you organise it on my behalf, please? It needs to go out immediately. Please see the details attached.”

Generative AI has made phishing attacks harder to spot and more dangerous. For example, advanced AI can clone the voice of trusted contacts.

Quick tips to defend against phishing

  • Check the sender’s name and address: does it look legitimate?
  • Read emails carefully: are there any obvious typos or grammatical mistakes? Does the tone sound strange?
  • Report suspicious emails: not sure if an email’s legitimate? Forward it to the National Cyber Security Centre.
  • Install antivirus software: some programs can spot malicious links and potential phishing sites.
  • Train staff: run regular training sessions to help employees spot the tell-tale signs of a phishing attack, and teach them what to do in the event of a breach.

2. Malware and Ransomware

Malware (a contraction of “malicious software”) is used by cybercriminals to attack business-critical systems, disrupt operations, and steal sensitive data. It comes in various forms, the most common being:

  • Ransomware
  • Spyware
  • Adware
  • Trojan horses
  • Worms

Cybercriminals have even begun to lease malicious software. Known as malware-as-a-service, this model allows people with minimal coding skills to launch full-blown cyber-attacks.

Small and medium-sized businesses (SMBs) are particularly vulnerable to malware. Few have the knowledge or skills to handle a targeted attack, which explains why 57% of industry leaders see it as the biggest MSP cybersecurity threat.

Quick tips to defend against malware and ransomware

  • Only use secure networks: avoid public or unsecured networks when using work devices.
  • Back up data regularly: create separate copies of important files so you can quickly restore lost data in the event of a breach.
  • Install anti-malware: this monitors your systems to identify and sometimes remove malicious software.
  • Invest in a ransomware recovery toolkit: these contain business continuity and disaster recovery plans, helping you respond constructively to breaches.

3. IT vulnerability exploits

Unlike the other MSP cybersecurity threats on this list, IT vulnerability exploits describe a tactic or method – rather than a specific type of threat.

IT vulnerability exploits don’t rely on victims to click on malicious links or download compromised software. Instead, they deliberately target weaknesses in your software, systems, or processes, often using exploit kits.

Common vulnerabilities include:

  • Misconfigured programs
  • Unpatched software
  • Weak passwords
  • Bugs

Quick tips to defend against IT vulnerability exploits

  • Patch your software: install updates as soon as they become available to nip vulnerabilities in the bud.
  • Install vulnerability scanning software: scan your systems periodically to identify and address potential issues.
  • Run penetration tests: simulate cyber-attacks to pinpoint weaknesses and see how your systems stand up to threats.
  • Follow cybersecurity best practices: create clear processes and policies to minimise vulnerabilities that stem from human error, such as duplicated passwords.

4. Insider threats

As the name suggests, insider threats originate from within your business. They fall into two broad categories: accidental and malicious.

  1. Accidental: caused by someone unintentionally exposing your systems to cyber threats. For example, by clicking on a malicious link, visiting a compromised website, or leaving an unprotected device in a public place.
  2. Malicious: caused by someone deliberately abusing their access rights to steal data or damage your systems. Malicious insider threats often stem from disgruntled employees, contractors, or partners.

This MSP cybersecurity threat has become more common in recent years. 38% of UK SMEs attribute this to the cost-of-living crisis, and it stands to reason. Financial pressures force many businesses to reduce headcount, while some employees may need to find other revenue streams to make ends meet.

Quick tips to defend against insider threats

  • Set strict access controls: only give administrative rights and account access when employees need it to do their jobs.
  • Embrace multi-factor authentication (MFA): enforce MFA on business-critical systems and accounts to provide extra protection.
  • Look out for suspicious activity: monitor systems for common insider threat indicators, such as unusual login behaviour or privilege escalation.
  • Enforce strong security policies: ensure a consistent approach to cybersecurity across your business, with clear guidelines governing things like password etiquette and access privileges.

5. Supply chain attacks

Supply chain attacks are an indirect MSP cybersecurity threat. They work by exploiting weaknesses in third-party software, hardware, or services to bypass your defences and give cybercriminals access to your systems.

Because they originate through legitimate suppliers, supply chain attacks are difficult to spot. For example, it took months for cybersecurity professionals to discover the root cause of 2019’s infamous SolarWinds attack.

Alarmingly, only 26% of MSPs see supply chain attacks as a threat – suggesting a lack of awareness among industry leaders.

Quick tips to defend against supply chain attacks

  • Enforce strong cybersecurity measures: before worrying about your suppliers, ensure your cybersecurity is up to scratch.
  • Speak to your suppliers: start an open dialogue with channel partners to discuss cybersecurity challenges and best practices.
  • Conduct cybersecurity risk assessments: evaluate current and new suppliers to ensure their cybersecurity meets minimum requirements. 
  • Follow NCSC supply chain security guidance: this lists the five basic steps to secure your supply chain. 

No threat is insurmountable

MSP cybersecurity threats come in many forms. The good news is that most are relatively unsophisticated. Adopting simple and affordable security measures can go a long way in securing your business. Not sure where to start? Consider a cybersecurity certification, like the government-backed Cyber Essentials scheme. Built around five security controls, it provides impartial guidance to help you improve your cyber hygiene.

Although MSPs are increasingly under threat, the current landscape also offers new opportunities. Read our latest report to find out more.

Press release: MSP market is pivoting towards providing cybersecurity solutions, new CyberSmart Research indicates 


Increased focus on offering security as a service from the customers of Managed Service Providers, CyberSmart survey finds 

New research conducted by CyberSmart, a leading provider of SME security solutions, indicates that Managed Service Providers, historically expected to manage IT infrastructure for their customers, are increasingly expected to protect this infrastructure too.

The research, conducted by OnePoll in Spring 2024, which polled 250 senior leaders at UK-based Managed Service Providers, found that 65% of MSP customers now expect their provider to manage either their cybersecurity infrastructure or both their cybersecurity and IT infrastructure.

This interest in Managed Service Providers’ security capabilities has been noted by the MSPs surveyed in new business/RFP meetings, where 73% reported seeing either somewhat more (51%) or much more (22%) interest in security.

The expectation that MSPs should manage security as well as IT can be viewed as a response to the security capabilities which their customers have in-house: 37% of respondents indicated that only 20% or less of their customers have a specific cybersecurity role in-house, reflecting the need for MSPs to take ownership of cyber on behalf of their customer base.

What’s more, it has been reflected in strategic and structural changes taking place at MSPs. Respondents indicated they had made the following changes in the past 12 months: 

  • 33% had increased the associated budget for their security capabilities 
  • 28% have increased the associated budget for their regulatory capabilities 
  • 28% have made specialist cybersecurity hires
  • 14% have made specialist regulatory hires 

“This change in customer expectation and need reflects a sea-change in how Managed Service Providers need to operate,” said Jamie Akhtar, Co-Founder and CEO at CyberSmart. “Managed Service Providers are a lifeline for many SMEs and the underappreciated backbone of much of our economy’s IT infrastructure as such. As IT and cybersecurity threats become increasingly intertwined, it makes sense that managed service providers would begin to offer more security services. However, as previous research has indicated, MSPs themselves are vulnerable to cyberattacks. It’s important that they - and the wider security industry - do all that they can to empower MSPs to provide the security services they are now expected to with absolute confidence.”

Is your MSP ready for cyber threats?

With 87% of MSPs experiencing breaches, understanding the current cybersecurity challenges is crucial. Access the CyberSmart MSP Survey 2024 to equip your organisation with the knowledge to stay ahead.

Press release: Cyber Confidence at MSPs high, despite falling victim to data breaches


CyberSmart research reveals high levels of cyber confidence in MSPs, despite 87% experiencing a breach in the past 12 months.

London, UK - July 10th 2024 - New research conducted by CyberSmart, a leading provider of SME security solutions, indicates that nearly all MSPs report high rates of cyber confidence across their organisations, despite the vast majority having experienced at least one data breach in the past 12 months.

The research, conducted by OnePoll in Spring 2024, which polled 250 senior leaders at UK-based Managed Service Providers, found that an overwhelming majority of MSPs - 87% - had experienced at least one data breach in the past 12 months, with 16% indicating they had experienced more than 5 incidents in the same timeframe.

This track record on cybersecurity stands in contrast to the associated cyber confidence that the surveyed MSPs reported. Almost all - 97% - of the MSPs surveyed suggested that their organisation had either a ‘fair’ amount of cyber confidence or a ‘great deal’ of cyber confidence.

Another interesting aspect of the results is that this confidence appears to be projected onto MSP customers too, with respondents reporting that they believed 85% of their customers had either a fair or a great deal of cyber confidence.

What are the top threats to MSPs?

Both the customers and providers identified ransomware and malware infection as the top concern, at 55% and 57% respectively. For MSPs, inflation and spiralling costs came in second (43%) and for customers, exploitation of unpatched or undisclosed vulnerabilities was the second most concerning threat (44%).

“The associated confidence noted by MSPs is heartening but needs to reflect the reality on the ground for MSPs, and their own perception of their security posture is concerning and highlights the need for the cybersecurity to step up and work closer with Managed Service Providers,” said Jamie Akhtar, Co-Founder and CEO at CyberSmart.

“MSPs, due to the levels of privileged access they will have into multiple companies, make for an appealing target for cybercriminals. This, coupled with the fact they are responsible for the IT infrastructure of companies without IT or security resources, means it is paramount that security providers work closer with them to protect the £ 5.5 million SMEs who in many cases turn to MSPs to keep them safe. Failure to do this could be existential for many of their customers.”

MSPs suggested that a focus on cybersecurity training, IT policies and fostering a more security-conscious culture would help them to achieve complete cyber confidence.

Discover the latest cybersecurity insights for MSPs

Uncover the critical findings from the CyberSmart MSP Survey 2024. Learn how managed service providers are navigating the evolving cybersecurity landscape and what it means for your business.

Why you could be eligible for free Cyber Essentials certification


Do you run a small charity or legal aid firm? If so, you could be eligible for funded Cyber Essentials certification to help you put basic cybersecurity measures in place. Here’s everything you need to know.

What is the funded Cyber Essentials scheme? 

Small charities and legal aid firms protect and serve some of the most vulnerable in our society. However, unfortunately, they’re also a key target for cybercriminals. The NCSC’s Cyber Breaches Survey 2022 revealed that 30% of UK charities identified a breach in the last 12 months.

The reason for this is simple. Charities and legal aid firms process large volumes of highly sensitive data but often have relatively weak defences – making them an ideal target for cybercriminals.

To counter this, the National Cyber Security Centre and IASME have launched the new Funded Cyber Essentials Programme. This offers small organisations in high-risk sectors free, practical support to help put basic cybersecurity controls in place and achieve Cyber Essentials certification. 

How does the scheme work? 

Qualifying organisations will receive up to 20 hours of remote support with a Cyber Essentials Assessor – all at no cost. Our assessors will spend this time helping you identify and implement the improvements needed to meet the 5 technical controls of Cyber Essentials. We’ll follow this up with an assessment to ensure everything is in place. 

With our guidance, you’ll be ready to take the Cyber Essentials and Cyber Essentials Plus certifications. If it’s not possible for you to complete Cyber Essentials Plus after 20 hours of support, we’ll give you clear directions on how to become assessment ready. 

Is the certification free? 

Yes. IASME has agreed to fund both Cyber Essentials and Cyber Essentials Plus certification for successful applicants to the scheme.

Who is eligible for the scheme? 

To qualify for this scheme, your organisation must be:

  • A micro or small business (1 to 49 employees) that offers legal aid services
  • A micro or small charity (1 to 49 employees) that processes personal data

No previous cybersecurity experience or certification is required. Even if you’re completely new to cybersecurity, we’ll guide you through the process.

How long is the scheme running for? 

The scheme runs until the end of March 2023. However, it’s worth noting that IASME is offering a limited number of funded packages. So it’s worth getting your application in as soon as possible. 

What is Cyber Essentials?

The Cyber Essentials scheme is a UK-government-backed cybersecurity certification that outlines the security procedures a company should have in place to secure its data. Cyber Essentials is highly recommended for SMEs because this certification protects you against 98.5% of the most common cyber threats.

Cyber Essentials Plus includes all of the same technical controls but with one major difference. Whereas Cyber Essentials is a self-assessed certification, Cyber Essentials Plus includes a technical audit of your systems. This next step gives you complete peace of mind your cybersecurity is up to scratch. And, your clients and partners don’t have to take your word for it that you’re cyber secure – they can rely on the expertise of a professional.

Can I apply to the scheme through CyberSmart? 

Yes. As the UK’s leading provider of cybersecurity certifications, we’re proud to be taking part in this scheme. 

To apply for the scheme, head to IASME’s Funded Cyber Essentials page and fill in the form at the bottom of the page. If you’re successful in your application, IASME will pass you over to us (or another certification body) to complete the certification process.

Alternatively, if you’re one of our partners or MSPs and want to refer a customer for the scheme, get in touch. We can apply on your client's behalf and ensure the support and certification is carried out by CyberSmart.

Want to know more about cybersecurity certifications? Check out our in-depth guide to cybersecurity certifications in the UK.

Why managed service providers (MSPs) are a target for cybercriminals

According to security services from the ‘five eyes’ countries – Britain, the US, New Zealand, Australia and Canada – Managed Service Providers (MSPs) are increasingly at risk of cyberattacks. But why? What makes MSPs such an enticing target for the bad guys? And, more importantly, what can MSPs do to protect themselves and their customers? 

Why are MSPs being targeted? 

Upon first hearing, it might sound odd that cybercriminals are targeting, and often successfully attacking, MSPs. We think of MSPs as IT and cybersecurity experts with good defences, so surely there are more tempting targets?

Unfortunately, this is only partially accurate. Although it’s true that many MSPs do have pretty robust cyber defences, there’s another reason they get cybercriminals champing at the bit.

MSPs are so attractive to hackers because they can typically remotely access clients’ networks and IT environments. And, that’s before we mention how much data the average MSP has access to – everything from financial information to breakdowns of customers’ security. 

In short, MSPs are being targeted for the same reason as supply chains. Successfully breaching an MSP means cybercriminals gain access to much more than the initial target. It could lead to ‘follow-on’ activity across the MSP’s whole customer base.

In other words, it’s a huge win for the bad guys. And cybercriminals are very obviously aware of that fact. According to new research by N-able, 90% of MSPs suffered a successful attack in the last 18 months. The study also found that the number of attacks prevented by MSPs almost doubled during the same period.

What are the consequences of a breach?

The impact of a successful attack on an MSP can be severe. The best way to think about it is to split the consequences into two categories – direct and indirect. Let’s deal with direct first.

Perhaps the most obvious impact of a breach is the disruption it could cause an MSP. Your business could be hit with a lengthy clean-up operation, systems downtime, and a big dent in staff morale. What’s more, depending on the kind of attack, there may be a financial aspect to the disruption.

A ransomware attack could lead to your business having to make a hefty payout. Meanwhile, a serious malware attack, with a long period of systems outage, could lead to you haemorrhaging revenue.

Likewise, the reputational damage to any MSP successfully breached could be grave. Most MSPs pride themselves on their strong security and market themselves thus to customers. So the news of an attack could seriously weaken customer trust, leading to a PR nightmare and potential loss of revenue.

We’ve dealt with the direct consequences, let’s move on to indirect. As we mentioned earlier, the major reason why cybercriminals are targeting MSPs is due to their customer base. And it's your customers who could be the most affected by an attack.

A real-world example of this is the REvil ransomware attack on Kaseya, the MSP software provider. The breach spread to dozens of MSPs and over 1,500 of their customers, illustrating just how fast an attack could get out of control.

What can MSPs do to protect themselves and their customers? 

We’ve painted a pretty terrifying portrait so far. However, just because the consequences can be dire, it doesn’t mean there aren’t things you can do to protect your business and customers. Here are a few of the most important.

Set up multi-factor authentication (MFA)

MFA is an authentication method that requires you to provide two or more verification methods to sign into an application. Instead of just asking for your username and password, MFA adds some extras, like a randomly generated pin code sent by SMS, a thumbprint, or a piece of memorable information known only to the user. 

MFA is also a sure-fire way to protect your business against cyberattacks. Passwords alone are vulnerable to data leaks and brute-force attacks. MFA, on the other hand, is very tricky for even the most sophisticated hackers to crack. 

Back up your systems and data

Backing up your systems and data can provide you with a vital failsafe after an attack. In some cases, it can even help you avoid having to pay a ransom. And, when it comes to what to back up, use this simple rule of thumb: ‘anything you don’t want to lose, back up’.

For more on how to do it, read this.

Segregate networks 

Both you and your customers should segment networks and systems as much as possible. What do we mean by segment? Well, one example is to never use admin credentials across multiple customers or systems.

Another is to ensure that no one has access or privileges beyond what they need to do their job. That might sound harsh but, in the event of an attack, it’ll allow you to isolate affected systems, customers, or accounts.
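The two examples just given (no admin credential shared across customers, no privileges beyond the job) are the kind of thing an MSP can check mechanically against an export from its credential vault or RMM tool. The script below is an added example, not code from the article or from CyberSmart: the inventory records, the customer names, the role-to-privilege policy and the field names are all constructed for illustration, and `credential_id` is assumed to be a fingerprint of the stored secret rather than the secret itself.

```python
from collections import defaultdict

# Constructed sample inventory (hypothetical vault/RMM export): one record per
# account an MSP holds at a customer. All names and values are made up.
INVENTORY = [
    {"customer": "acme", "account": "svc-admin", "credential_id": "cred-001",
     "role": "msp-engineer", "privileges": {"local_admin", "remote_access"}},
    {"customer": "globex", "account": "svc-admin", "credential_id": "cred-001",
     "role": "msp-engineer", "privileges": {"local_admin", "remote_access"}},
    {"customer": "initech", "account": "helpdesk1", "credential_id": "cred-002",
     "role": "helpdesk", "privileges": {"remote_access", "password_reset", "domain_admin"}},
    {"customer": "initech", "account": "eng2", "credential_id": "cred-003",
     "role": "msp-engineer", "privileges": {"local_admin"}},
]

# Constructed least-privilege policy: the most each role should ever hold.
ROLE_ALLOWED = {
    "helpdesk": {"remote_access", "password_reset"},
    "msp-engineer": {"remote_access", "local_admin"},
}


def find_shared_credentials(inventory):
    """Credentials reused across more than one customer.

    Returns {credential_id: sorted list of customers}. Any such credential means a
    single compromise gives access to every listed customer at once.
    """
    customers_by_cred = defaultdict(set)
    for rec in inventory:
        customers_by_cred[rec["credential_id"]].add(rec["customer"])
    return {cred: sorted(custs) for cred, custs in customers_by_cred.items() if len(custs) > 1}


def find_excess_privileges(inventory, role_allowed):
    """Accounts holding privileges beyond what their role permits.

    Returns a list of (customer, account, sorted excess privileges). An unknown role
    is treated as permitting nothing, so every privilege it holds is reported.
    """
    findings = []
    for rec in inventory:
        excess = rec["privileges"] - role_allowed.get(rec["role"], set())
        if excess:
            findings.append((rec["customer"], rec["account"], sorted(excess)))
    return findings


if __name__ == "__main__":
    for cred, customers in find_shared_credentials(INVENTORY).items():
        print(f"shared credential {cred} used at: {', '.join(customers)}")
    for customer, account, excess in find_excess_privileges(INVENTORY, ROLE_ALLOWED):
        print(f"{customer}/{account} holds privileges beyond its role: {', '.join(excess)}")
```

Run against the sample data, the first check flags `cred-001` as shared between two customers and the second flags the helpdesk account that has been given domain admin; those are exactly the two isolation failures the text describes, and the same two functions work unchanged on a real export with the same fields.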

Train staff

At CyberSmart, we’re constantly pushing the importance of training. After all, if your staff don’t know which security behaviours are harmful or don’t know the warning signs of an attack, they’ll struggle to protect themselves or your business.

Training can fix this. And it’s probably the single most important thing you can do as a business. Find out more here.

Develop incident response plans

A successful attack on your business isn’t inevitable. Nevertheless, statistically, it is likely. So you need a coherent, easy-to-action response plan, in case the worst does happen.

You’ll also need to encourage or help your customers to develop their own. Currently, just 4% of MSPs report that all their clients have an incident response plan. And, this means thousands of weak links across the IT sector. 

Regularly patch software

Patching or updating any software you use, so that it doesn’t have easily exploited weak points, is incredibly simple but very important. Over time, even the best software develops vulnerabilities, suffers a breach, or simply becomes outdated. Applying patches released by the software provider can fix this.

Think of it as being like fixing a puncture. You apply the patch so no air can leak out. Updating your software effectively does the same thing, giving you air-tight cybersecurity. 

The best part? It won’t take you anywhere near as long as fixing a puncture, just a couple of minutes each month. 

Map your supply chain risks

Last of all, understand your supply chain risks. Assuming you’ve locked down your own cybersecurity, identify who among your customers or suppliers could pose a risk. Alongside this, talk to your customers and partners about their cybersecurity. The best defence against threats is a unified approach and common strategy.

To find out more about the threats facing businesses, read our guide, The State of UK SME Cybersecurity. It’s full of useful insights on the risks small businesses face and what can be done to counter them. Get your copy here.
