
If you saw my most recent post here on Smarter MSP, you probably remember that we were discussing new MSP legislation in the UK and how it might affect you and your clients. Staying updated and informed will be crucial to keeping your business and your customers’ businesses safe, protected, and compliant.

In yesterday’s post, we highlighted a legislative proposal in the UK that would ‘crack down’ on MSPs with inadequate security measures in place by bringing them within the scope of the NIS (Network and Information Systems) Regulations. This is critical knowledge for all MSPs, given the looming possibility that they could face fines of up to £17 million for not complying with the new regulations.

Time to implement Cyber Hygiene

There are five key steps to follow for what’s best described as ‘cyber hygiene’. These should all be part of every MSP’s repertoire.

  1. Establish what needs protecting the most. This includes both data and the systems themselves: passwords and other credentials, sensitive information, or information your clients need for their own compliance obligations.
  2. Following on from step one, build a safety net of security around that data. Security should be multi-layered, covering network security, email protection, application security, and more.
  3. Monitoring is key. Keep an eye on your systems and your clients’ systems; when it comes to information security, if you aren’t aware of a threat, it is very difficult to respond to it properly.
  4. Consider response time. When something goes wrong, the difference between it being a private issue and a public one is how quickly you catch it, and whether you catch it before someone else does.
  5. The final step in staying cyber disease free is establishing a framework. A framework is how you structure the way you mitigate risk. Find one that covers the big three: people, process, and technology.

However, as Ettine Greef (the CEO of Flow Communications) said in his conversation with CRN, “a lot of MSPs aren’t holding themselves accountable. At times, customers’ information is not being handled with care. With new regulations implemented, this will force MSPs to truly hold themselves accountable.”

Fines aside, what could this mean for MSPs?

First, MSPs will have to start taking more precautions, which will include undertaking new and thorough risk assessments and putting more security measures in place to keep their customers’ data safe. Essentially, MSPs will be treated as an essential service.

Waiting in the wings like an understudy ready for the role of a lifetime is the issue of cost and taxation. As it stands, the cost of enforcing the new regulations would shift from the taxpayer to the MSPs covered by the legislation, which the UK government believes will create a more flexible funding model and ease the burden on general taxation.

Research by the Department for Digital, Culture, Media and Sport (DCMS) found that only one in twenty firms, about 5 percent, address vulnerabilities in their often wide-ranging supply chains. So the reality is that this legislation means the finger will finally be pointed to say “this is your mess, clean it up”, which is a long overdue development.

If you can’t pay the fine, don’t do the crime

According to CRN, its cybersecurity expert sources agree with me, calling the move ‘many years too late’ but better late than never. Of course, there’s the argument that the damage has already been done, but that doesn’t mean there isn’t room for change. When a child misbehaves or has broken a toy (or your will to live), you wouldn’t let that go unpunished or, at the very least, unaccountable. So why should it be any different with MSPs? As the old adage goes, if you can’t pay the fine, don’t do the crime.

A key takeaway

The main takeaway here is trust. Your customers need to trust you as an MSP, and as an MSP you need to be able to trust your third-party vendors. Minister Lopez and her team are hoping this legislation will improve how cybersecurity threats are reported, but considering that only 12% of organisations bother to review the risks from their immediate suppliers, that remains to be seen.

Photo: An Mazhor / Shutterstock


Posted by Jason Howells

Jason Howells is the EMEA Sales Director for Barracuda MSP.


  1. This is a very good reminder to evaluate things with risk and security at the forefront. This is a change in mindset, but well worth it in the long run, regardless of whether you are doing business in the UK.


  2. Moss Jacobson March 3, 2022 at 5:35 pm

    I agree that we all need to take a heightened approach to IT and cyber hygiene. An assessment of current state and benchmark goals are an effective combination to ensure MSPs are serving clients most effectively in this area. Fines are one thing, but what about the entire existence of a business hanging on a level of cyber hygiene apathy? It is time to tell businesses the reality of the environment we are in, and how MSPs can help.


  3. Good article


  4. Good Content with kind of a checklist.

