According to several cybersecurity agencies, state-sponsored advanced persistent threat (APT) groups and other malicious cyber actors are likely to increase their targeting of managed service providers (MSPs) against both provider and customer networks. 

In a new cybersecurity advisory, cybersecurity authorities of the United Kingdom (NCSC-UK), Australia (ACSC), Canada (CCCS), New Zealand (NCSC-NZ), and the United States (CISA), (NSA), (FBI) detail cybersecurity best practices for information and communications technology (ICT), focusing on enabling transparent discussions between MSPs and their customers to ensure data privacy and data protection. 

MSP customers should ensure their contractual arrangements specify that their MSP implements the measures and controls in this advisory, such as: 

• Prevent initial compromise by implementing mitigation resources to protect initial compromise attack methods from vulnerable devices, internet-facing services, brute force and password spraying, and phishing.  
• Enable monitoring and logging, including storage of most important logs for at least six months, implement endpoint detection and network defense monitoring capabilities and use application allowlisting/denylisting.  
• Secure remote access applications and enforce multifactor authentication (MFA) to harden the infrastructure that enables access to networks and systems. 
• Develop and exercise incident response and recovery plans, including roles and responsibilities for all organizational stakeholders, including executives, technical leads, and procurement officers. 
• Understand and proactively manage supply chain risk across security, legal, and procurement groups, using risk assessments to identify and prioritize the allocation of resources.  

“As this joint advisory makes clear, malicious cyber actors continue to target managed service providers, which can significantly increase downstream risk to the businesses and organizations they support – why it’s critical that MSPs and their customers take action to protect their networks,” said CISA Director Jen Easterly. “Securing MSPs are critical to our collective cyber defense, and CISA and our interagency and international partners are committed to hardening their security and improving the resilience of our global supply chain.”

Organizations should implement these guidelines as appropriate to their unique environments, in accordance with their specific security needs, and comply with applicable regulations. MSP customers should verify that the contractual arrangements with their provider include cybersecurity measures in line with their particular security requirements.

For the full cybersecurity advisory, visit https://www.cisa.gov/uscert/ncas/alerts/aa22-131a