Joint Cyber Security Advisory: Protecting against cyber threats to managed service providers (MSPs) and their customers


New Zealand’s National Cyber Security Centre (NCSC) has issued a cyber security advisory in conjunction with its international partners the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), and the United Kingdom’s National Cyber Security Centre (NCSC-UK).

The joint cyber security advisory focuses on enabling transparent discussions between managed service providers (MSPs) and their customers on securing sensitive data. The advisory provides several actions that organisations can take to reduce their risk of becoming a victim to malicious cyber activity. It recommends MSP customers ensure their contractual arrangements specify that their MSP implements measures and controls including: 


  • Preventing initial compromise by implementing mitigations against attack methods exploiting vulnerable devices and internet-facing services, brute-force attacks, password spraying, and phishing. 
  • Enabling monitoring and logging, including storage of most important logs for at least six months, and implementing endpoint detection and network defense monitoring capabilities in addition to using application allowlisting/denylisting.  
  • Securing remote access applications and enforcing multifactor authentication (MFA) where possible to harden the infrastructure that enables access to networks and systems. 
  • Developing and exercising incident response and recovery plans, which should include roles and responsibilities for all organisational stakeholders, including executives, technical leads, and procurement officers. 
  • Understanding and proactively managing supply chain risk across security, legal, and procurement groups, using risk assessments to identify and prioritise the allocation of resources.  


Read the full cyber security advisory on CISA’s website.

Read the full media statement on CISA’s website.