New research shows overconfidence in MSP security is putting UK firms at risk

Kocho, a leading provider of managed services including managed IT support, has announced the results of an independent survey designed to assess the preparation and resilience of UK businesses’ digital supply chains.

The report suggests that many organisations are over-confident in the security resilience of their managed service providers (MSPs).

In the event of a major cyber attack, virtually all of the respondents were either totally confident (71%) or moderately confident (29%) that their MSP could continue to deliver their services.

However, 97% of those surveyed confirmed that they had suffered unscheduled downtime in the previous year, with a whopping 88% of these incidents being connected to cyber-related activity.

Survey results reveals failure to ask tough questions

The research was conducted in October 2022 on behalf of Kocho by Vanson Bourne, an independent specialist in market research for the technology sector. Their reputation for robust and credible research-based analysis is founded upon rigorous research principles.

The online survey polled 200 senior business and technology professionals at mid-sized UK businesses, employing between 500 and 3,000 people.

These businesses hail from the worlds of finance, insurance, private healthcare, the legal sector, and manufacturing. All of them rely on MSPs to run at least some of their IT estate.

50.5% of those surveyed stated their operations would be severely impacted by a disruption to their MSP’s service, with 15% saying they would be left unable to operate at all.

Just over a quarter (25.5%) said that their ability to operate would be partially impacted by such a disruption.

When it came to selecting an MSP, 60% of respondents stated that cyber security was a top priority, while 34% said it was a key part of the decision-making.

Despite this, many organisations failed to ask fundamental security-related questions during the tender process.

Not so essential? Cyber Essentials and GDPR gaps

Even though it’s a scheme backed by the UK government, only 40% checked/asked if their MSP was Cyber Essentials Accredited at the tender process.

The scheme is specifically designed to protect organisations against a range of threats, and yet, less than half of businesses surveyed thought it important enough to inquire about.

Shockingly, even fewer (38%) asked if their MSP was fully GDPR compliant. GDPR violations can cost a business up to £17.5 million (€20 million) or up to 4% of an organisation’s total global turnover of the preceding fiscal year, whichever is higher.

And, despite two-factor authentication being a cyber security must-have, only 36.5% of those surveyed stated that 2FA must be deployed.

Fewer still (34.5%) asked their MSP if an incident response policy was in place. With just over half (56%) of organisations thinking it important enough to do third-party audits to verify or test MSP defences.

“…At least some of this confidence might be misplaced.”

“On the whole, UK businesses are very trusting of their MSP’s abilities to withstand attacks and have considerable confidence in their digital supply chains.

“However, this research does also suggest that at least some of this confidence might be misplaced,” said Jacques Fourie, Director of Information Security, Kocho.

“When selecting an MSP, businesses don’t always ask enough tough questions; this could leave them vulnerable.

“Organisations may think that by passing the management of their IT to a third-party, they no longer need to worry about security, but that’s simply not the case – we can see from this research that any MSP outage could hit businesses hard.”

Download the full report below.