UK government to intervene to ensure MSP cybersecurity

DCMS announces proposals for managed service providers to follow tough new security standards

Posted 16 November 2021 by Christine Horton

Managed service providers (MSPs) could be required to follow new cybersecurity rules as part of new proposals to help British businesses manage the growing cyber threat.

The announcement by the government follows a call for views in May by the Department for Digital, Culture, Media and Sport (DCMS) to enhance the security of digital supply chains and third-party IT services, which are used by firms for things such as data processing and running software.

The Supply Chain Cyber Security Call for Views sought insights from industry to inform the government’s understanding of supply chain cybersecurity.

DCMS says there is a need to adopt “a more interventionist approach to improve resilience across supply chains, with regulation perceived to be ‘very effective’ by more respondents than any other suggested intervention.”

The interventions prioritised by the government will include legislative work to ensure that MSPs undertake “reasonable and proportionate cybersecurity measures.”

For example, MSPs may need to adhere to the National Cyber Security Centre’s Cyber Assessment Framework.

The research also said that while the managed services industry plays “a positive and critical role in building systemic cyber resilience in the UK, respondents identified systemic dependence on a group of the most critical providers which carry a level of risk that needs to be managed proactively.”

High-risk threats

Other plans to protect the country’s digital supply chains include new procurement rules to ensure the public sector buys services from firms with good cybersecurity and plans for improved advice and guidance campaigns to help businesses manage security risks.

It comes as new research of chairs, CEOs and directors of Britain’s top companies shows that most (91 percent, up from 84 percent in 2020) see cyberthreats as a high or very high risk to their business. However, nearly a third of leading firms are not acting on supply chain cybersecurity, with only 69 percent saying their organisation actively manages supply chain cyber risks.

The government’s National Cyber Security Centre (NCSC) also offers cybersecurity support and advice on identifying business-wide risks and vulnerabilities, including the Cyber Assessment Framework – as well as specific Supply Chain Security and Supplier Assurance guidance. 

There is also advice on defending against ransomware attacks and the Cyber Essentials scheme offers small and medium-sized firms a cost-effective way of getting basic measures in place to prevent the vast majority of cyberattacks.

Policy proposals

Minister for Media, Data and Digital Infrastructure, Julia Lopez, said that as more organisations do business online and use a range of IT services to power their services, networks and technology must be secure.

“Today we are taking the next steps in our mission to help firms strengthen their cybersecurity and encouraging firms across the UK to follow the advice and guidance from the National Cyber Security Centre to secure their businesses’ digital footprint and protect their sensitive data,” she said. 

Today’s government response to the call for views shows there is industry support for developing new or updated legislation, with 82 percent of respondents agreeing legislation could be an effective or a somewhat effective solution.

The government will now develop more detailed policy proposals. It is currently carrying out a review of the laws and measures which encourage firms to improve their cybersecurity, and will launch a new national cyber strategy later this year.