I did wonder what Members of the Scottish Parliament had got involved in now, when I saw the headline!
Small and medium-sized managed service providers (MSPs) could find themselves subject to the Network and Information Systems Regulations under government plans to tighten cybersecurity laws – and have got three months to object to the tax hikes that will follow. Plans to amend the EU-derived Network and Information Systems …
... is that security is still seen as a COST, ditto for most companies.
If they want to go that route, could we start with much, MUCH higher fines for banks that get breached, because they're presently very good at dodging decent fines for it, which is why it keeps happening. A breach should cost a bank at least four times as much as it has saved by 'good enough' security, which usually isn't, but they get away with it. Stop the volume discount and apply the same fines as a poor SME would get if they lost the details of 10 customers, multiplied by actual.
Sure, getting MSPs up to scratch would be good, but you'd have to start with getting people interested in IT and security. In case you didn't notice, the combination of Brexit and allowing HMRC to scare away talent with its IR35 gaming has rather reduced the number of people willing to stay here, and there are not enough in school to cover the gap, also because the newbies first have to build up a bit of experience. Even DISorganised crime does better.
Nice words, little substance.
The MSP I joined in 2017, and which was bought out a year later, looked slick and professional from the outside, but as soon as you get in you realize their security was an absolute joke, with the vast majority of management and remote user access being done over RDP with an administrator password of, I kid you not, Magic123. I'm surprised ransomware didn't hit earlier, but it rolled through like a bulldozer in 2018. The clients I actively serviced were mostly immune, since I shut things off and instituted some best practices (even though I'm no CISSP), but I seemed to be the only person who gave two shits and wasn't surprised when the worst hit and they had to sell. Plus staffing was way too lean to do anything but fight fires all day; taking work home was the only way to get anything longer done.
There should definitely be some sort of compliance regulation, though I worry it'd be watered down to overbearing yet useless, like PCI.
They won't; going on previous experience around "critical infrastructure", everything they need to know to comply will be hidden behind government security. So just to be able to read the new Network and Information Systems Regulations you will need to be a CLAS consultant.
Biting the hand that feeds IT © 1998–2022