
CTS cyberattack: Why MSPs must make security an ongoing priority

Cyber attacks are a very real and present danger, and this latest incident acts as a clear warning to MSPs of the threats that lie ahead.

Last month, CTS — a managed service provider (MSP) for law firms — fell victim to a cyber attack (November 24), preventing many law firms across the UK from accessing their case management systems. After three weeks of disruption, systems are still not back to normal, and the true scale of the issue is still to be determined.

This case highlights the specific cyber risk that MSPs face.

They are, by their very nature, a high-profile target. MSPs remotely manage a customer’s IT infrastructure and systems. If breached, they provide attackers with a ‘gateway’ into the data or operations of many other businesses.

MSPs are very aware of their value to malefactors and have been investing in security. The Government — recognising the strategic importance of MSPs to UK IT infrastructure — has also been looking to help tighten defences in the sector. It plans to bring MSPs under the scope of the Network & Information Systems (NIS) regulation, which would introduce new legal duties for security and for reporting breaches. To date, however, this hasn’t happened.

This attack will be the latest reminder that this focus on security must be an ongoing priority for MSPs’ management teams and that they must be doing all they can themselves, now, to protect their organisations and their customers. The risk of attack is only likely to get more and more severe, and attackers’ methods more sophisticated.

Taking action

So, what can MSPs do?

Investing in the right defences is the obvious starting point. But there’s another side to defence that can be overlooked: ensuring the right culture and processes are in place to both effectively prevent incidents and to respond to them if they occur.

What will help MSPs do this?

  • Chief Information Security Officers (CISOs) should be empowered to raise concerns about vulnerabilities within organisations, and escalate these concerns to decision-makers
  • Issues and concerns should be documented, not just from a regulatory compliance and incident response perspective, but to help support accountability within each organisation for ensuring any specific vulnerabilities are addressed
  • If an event does happen, pre-briefings should be prepared for MSPs’ boards, so that they can respond as quickly as possible. These pre-briefings are common in other fields that experience crises that require fast decisions when information is still trickling in, like medicine or the military

Our CyXcel Partner, Rob Floodeen, has recently published a primer on what pre-briefings should contain, including the four key elements of:

  • providing a refresher on relevant terminology and definitions
  • establishing clear thresholds for decision-making
  • equipping decision-makers with essential questions to critically assess the information presented
  • revisiting regulatory and contractual obligations tied to vital assets and data

The reality is that cyber attacks are a very real and present danger, and this latest incident acts as a clear warning to MSPs of the threats that lie ahead.

Only with a combination of having the right technical defences and processes in place, alongside a culture that takes cyber risks seriously, can MSPs truly feel confident that they are equipped to prevent an attack and ready to respond when an attack occurs.

Contact our highly experienced CyXcel team for any cyber-related queries. When it comes to digital transformation and cyber incidents, CyXcel has the edge when it matters.
