Editorial

MSPs can help protect organisations from supply chain attacks

Tech firms say MSPs can help prevent supply chain attacks after the NCSC found that only 10 percent of businesses are assessing the risk of their suppliers.

Posted 20 October 2022 by Christine Horton


IT managed service providers (MSPs) should be stepping in to help their customers prevent a supply chain attack.

That’s according to Daniel Hurel, VP cyber security & next gen solutions at IT distributor Westcon.

The comments follow the NCSC issuing guidance on supply chain attacks last week after its own research found that only 10 percent of businesses are assessing the risk of their suppliers.

“Only around one in ten businesses are reviewing the risks posed by their immediate suppliers, and it’s easy to see why: looking after your own security is challenging enough, ensuring suppliers are up to scratch is perhaps a bridge too far,” said Hurel.

“MSPs can rise up and meet this challenge. They have the tools and expertise that means they can assess the risk of a supply chain attack, and identify suppliers that may carry more risk than a business should be happy to tolerate. As nearly 90 percent of businesses are failing to check their suppliers’ security, it’s too much to expect this to change quickly, especially with so many other pressures on businesses.

“With supply chain attacks an immediate threat—enough to warrant special, government, guidance—businesses need experts on the case today, rather than spending time creating their own supplier review processes.”

Businesses taking risks

Elsewhere, Dave MacKinnon, chief security officer at MSP software firm N-able, noted that most businesses have probably never been hit by a major cyberattack and therefore do not necessarily see the value created by investment in security audits.

“After all, if they’ve not been attacked before why would they be attacked now?” he said.

“This sentiment is dangerous and is exactly what the bad guys want you to think. When you buy a new car, do you opt out of getting the air bag because you’re probably not going to have an accident? Why wouldn’t you make sure the vendors you’re using are effectively protecting your business and customers?”

MacKinnon said this is where MSPs play a critical role, advising businesses on how they can minimise security risks to their IT estate.

“For businesses that are struggling to navigate their cybersecurity environment or don’t see the value in it, MSPs need to recognise their place as an expert advisor, directing them to the best and most cost-effective security solutions. The MSP community must communicate with their vendors, partners, and clients about improving their security internally and share information collaboratively across the space,” he noted.

Assessing the cyber risks

The new NCSC guidance is designed to help medium and larger organisations effectively assess the cyber risks of working with suppliers and gain assurance that mitigations are in place.

Ian McCormack, NCSC deputy director for government cyber resilience, said supply chain attacks are a major cyber threat facing organisations and incidents can have a profound, long-lasting impact on businesses and customers.

“With incidents on the rise, it is vital organisations work with their suppliers to identify supply chain risks and ensure appropriate security measures are in place.

“Our new guidance will help organisations put this into practice so they can assess their supply chain’s security and gain confidence that they are working with suppliers securely.”