Close up of hourglass with running sand.

Blog | 6-minute Read

A false sense of security: Is your managed service provider a ticking time bomb?

Anna Webb profile headshot

Anna Webb

Head of Global Security Operations

Published: 30 November 2021

With attacks on the rise and new cyber legislation on the horizon, now is the time to assess your managed service provider to make sure they’ve got what it takes to keep you secure.

Organisations rarely manage their IT infrastructure alone, often outsourcing to a managed service provider (MSP) to keep on top of the day-to-day running of their environment and provide basic security measures. That used to be enough – but not anymore.

Following another record-breaking 12 months for cyber incidents, the UK government has proposed new changes to legislation – potentially requiring IT service providers to prove they have the security systems and expertise in place to keep their clients secure.

The world’s rapid switch to remote working has seen the number and severity of cyber attacks rise exponentially, and many MSPs are struggling to stay secure amid the deluge. A recent survey revealed that 96% of MSPs are worried they could suffer a security breach that would compromise a client’s infrastructure.

This is of particular concern to small and mid-sized businesses, who typically rely on IT support services more than larger companies who can afford to develop those capabilities inhouse. To make matters worse, SMEs are particularly attractive targets as they’re often easier to breach and suffer a much bigger impact to their bottom line – making a tasty ransomware pay-out more likely.

In this blog, we’ll explore the potential impact of these legislative changes and offer advice on what you can do now to ensure your current or considered MSP will meet the new standard and keep your organisation secure.

The NCSC Cyber Assessment Framework – A new standard for MSPs?

The government proposals follow on from a recent industry consultation on digital supply chains and third-party IT services conducted by the Department for Digital, Culture, Media, and Sport (DCMS).

The consultation began in May 2021 after a series of cyber incidents, including the widely reported SolarWinds breach, raised concerns about how third-party IT service providers could be exploited to target downstream customers.

The industry survey found that 82% of respondents felt that developing new legislation could be a solution to improve security in the IT service supply chain.

One potential policy presented by the DCMS would see MSPs legally required to meet the requirements outlined in the National Cyber Security Centre’s (NCSC) Cyber Assessment Framework.

Under this new policy, MSPs would need to demonstrate wide security knowledge across identity and access management, through to more advanced measures such as proactive security monitoring and discovery.

Additional plans include new procurement rules to ensure the public sector only buys from firms with proven cyber security capabilities.

Many companies currently using a specialist IT support service will assume that their systems and data are safe and protected. This is often not the case, as very few MSPs can field a dedicated security function to protect their own environment – let alone yours as well.

This presents a window of opportunity for attackers, and it’s one the government is keen to close.

Security risks in the digital supply chain

Is your Managed Service Provider your security weak link?

Why now and what’s the danger for SMEs?

The past two years have seen a dramatic increase in cyber attacks across the board as the coronavirus pandemic forced businesses of all sizes to move almost entirely online.

Easy enough for larger organisations with dedicated security budgets, but SMEs are finding themselves dangerously exposed thanks to an unsecured remote workforce and limited internal security knowledge.

The US National Cyber Security Alliance estimates that 60% of small businesses that suffer a cyber attack go out of business within six months. Not surprising, given that Gartner puts the average cost of a ransomware attack at £130,000 – and yet, these are the organisations with the least amount of security in place.

“85% of SMEs agree that cyber security issues would have a detrimental impact on business, with 57% saying they would most likely go out of business.” – European Union Agency for Cybersecurity (ENISA), ‘Cybersecurity for SMEs’ 2021 Report.

But what are these businesses supposed to do without access to the same security skills and resources as a large enterprise?

A popular solution is for SMEs to outsource to a managed service provider, thereby gaining access to the technical knowledge and resources they could never develop inhouse. But with new legislation on the way and an ever-growing threat landscape – how confident are you that your MSP can deliver when it comes to security?

When are the changes likely to take place?

Now that the consultation has concluded, the government will work to develop a detailed policy proposal and review existing laws and measures that encourage good cyber security in IT service providers.

A new national cyber strategy is expected to be launched sometime before the end of this year, but it may be a while before the new changes become law – with some speculating it’ll be 2023 at the earliest.

But that’s no reason to be idle in the meantime. With remote working here to stay and cyber attack statistics only heading in one direction, now is a good time to examine your existing IT service supply chain and ensure that your chosen MSP is fully compliant with the NCSC’s Cyber Assessment Framework.

The NCSC has a useful 12 step approach to assess your supply chain, helping you understand the risks, establish control and assurance arrangements, and continuously improve security.

How to pick a future-proof MSP

Any MSP worth its salt should have some security assurances in place, but here are some key things to look out for to help identify an MSP that will keep you secure and be ready to meet the new requirements.

Security certifications

First, look at whether they’ve achieved any industry-recognised security certifications. Good ones to look out for are the government-backed Cyber Essentials Plus programme or an ISO 27001 certification. These will help shortlist MSPs who already meet the NCSC’s framework requirements.

Case studies and experience

Secondly, ask for relevant references and case studies that demonstrate experience with cyber security.

Check what policies and procedures they have in place internally to provide assurances that your – and your customer’s data – is secure. Browse their website for reviews and awards to see if they’ve been recognised for their expertise by client and partner organisations.

“Not all MSPs can offer both support AND security. Under this new legislation, you’re definitely going to need both – so do your homework and make sure they’ve got the capability to keep you secure.” – Mat Richards, Head of Mobility & Security, Kocho

Reputation and market standing

Also, research their history and standing as an MSP. Do they have a good reputation for security? What security-specific services do they offer? Will they proactively monitor for threats and support you in the event of an attack?

Are they upfront about security measures or are their responses vague and unclear?

If the answers are vague, chances are they’ll fall short of the requirements when the new legislation comes in – leaving you exposed to potential threats – so it’s best to be sure.

Security risks in the digital supply chain

Is your Managed Service Provider (MSP) the weak link in your security? Discover:

  • Must-ask security questions
  • Must-have security credentials
tag icon

Great emails start here

Sign up for free resources and exclusive invites

Subscribe to the Kocho mailing list if you want:

  • Demos of the latest Microsoft tech
  • Invites to exclusive events and webinars
  • Resources that make your job easier
Butterfly overlay image
Anna Webb profile headshot


Anna Webb

Head of Global Security Operations

Anna has over 20 years’ experience in operations management, major incident management, and cyber security. CISSP qualified, Anna is officially a Security Changemaker (Microsoft Security Excellence Awards).

Butterfly overlay image

Got a question? Need more information?

Our expert team is here to help.