Want to speak with sales?
MSPs are often overlooked. You’ll rarely hear about them in the media, and beyond the odd government report, there’s little research conducted about these organisations that form the backbone of many economies. And this is especially true when it comes to their cybersecurity.
In 2024, we set out to change this with our first CyberSmart MSP Survey. For 2025, we went a little further. This year we’ve expanded the survey to include markets with a strong MSP presence across the globe. The CyberSmart MSP Survey 2025 features 900 MSP leaders from the UK, France, Belgium, Australia, New Zealand, Sweden, Germany, and the Netherlands.
However, not everyone has time to read the full report. So, if that’s you, strap in and we’ll run through the key takeaways for The CyberSmart MSP Survey 2025.
1. MSPs are being breached at an alarming rate
The last year has seen a number of high-profile breaches of MSPs. One such example is the £3m fine levied by the Information Commissioner’s Office (ICO) on an MSP providing software and services to the NHS in March 2025, over security failings that led to a ransomware attack.
Or, even more recently, in May 2025, the Dragonforce ransomware gang breached an MSP’s remote monitoring and management (RMM) tool to conduct a supply chain attack. But beyond the headlines, our survey uncovered evidence that successful attacks on MSPs are widespread.
Of the 900 MSP leaders we surveyed, 69% reported being breached two or more times in the last 12 months. This represents a slight increase from the 67% who reported breaches in our 2024 edition. Shockingly, 47% of those surveyed had experienced three or more breaches in the last 12 months.
Want to know more about the threats facing MSPs? Read the report in full here.
2. Perception of customer risk remains high
2025 has become the year of the major cyber breach. We’ve seen everyone from big-name retailers to government agencies being hit with attacks. So it’s not a surprise to see that MSP leaders are about as concerned for their customers’ cyber safety as they were in 2024.
58% of those that we surveyed felt their customers were more at risk, a slight decrease from 61% last year. However, what is interesting is that the percentage of MSPs who sense no change in risk level in the previous 12 months has halved (from 24% to 12%).
This suggests that MSPs broadly fall into two camps on risk. Either they’re relatively confident in their customers’ cybersecurity measures, and so feel risk has declined, or emerging threats have made them more concerned than ever.
3. Emerging AI threats are what keep MSP leaders up at night
Earlier this year, Forbes labelled 2024 “a landmark year in the evolution of AI”, and in many ways it was. 2024 was the year many of us began using generative AI in our day-to-day lives and work.
However, as with any new technology, the rise of generative AI has a darker side. Cybercriminals, never ones to miss a chance at innovation, have also begun using the technology, whether for uber-convincing deepfakes, spinning up malware in minutes, or weaponising AI’s tendency to hallucinate to launch attacks.
It’s perhaps this which explains why AI has rocketed to the top of MSP leaders’ concerns. Some 44% of our respondents listed it as a concern, which is remarkable when you consider that it barely featured in last year’s report. Worryingly, it’s also probably the threat most MSPs are least well-equipped to deal with, due to the lack of easy-to-use tools to counter AI-powered attacks.
4. MSPs transitioning to full cybersecurity providers
In last year’s report, we highlighted how customers increasingly expect MSPs to manage and implement their cybersecurity alongside IT services. In 2024, 65% of MSP leaders we spoke to told us that customers now expect them to manage their cybersecurity.
This trend has continued in 2025. A staggering 84% of MSPs now manage either their clients’ cybersecurity infrastructure or their clients’ cybersecurity and IT estate combined.
This growing expectation for MSPs to manage cybersecurity is reflected in the scrutiny placed on them by customers in new business meetings. 77% of respondents said scrutiny of their businesses’ security capabilities has increased either slightly or a lot, suggesting that MSP customers are more aware than ever of the importance of good cyber credentials in a potential partner.
5. MSPs are rising to meet demand
81% of the MSPs we spoke to said they’d increased spend on specialist cybersecurity hires.
Likewise, 78% had upped spending on their security capabilities such as training, defences or products and services for customers.
But it’s not just security that MSPs have invested heavily in over the past 12 months.
MSPs are increasingly concerned about compliance with cybersecurity regulations and frameworks. Whether it’s the European Union’s Network and Information Systems Directive 2 (NIS2), Essential 8 in Australia, or the UK’s upcoming Cyber Security and Resilience Bill, compliance with regulations has become an important part of the landscape for MSPS across the globe.
As a result, MSPs are spending big on regulation. 60% of our respondents had invested in specialist regulatory hires in the last 12 months. Meanwhile, 64% had increased spending onregulatory capabilities over the same period.
6. MSPs’ cyber confidence is high, but there’s room for improvement
Despite the number of breaches suffered by MSPs, it doesn’t seem to affected overall confidence. 76% of respondents said that their business displayed either complete or above average cyber confidence, despite 69% of them suffering multiple breaches in the past year.
However, before we conclude that MSPs are overconfident in their cybersecurity, it’s worth adding a caveat. Given their role as cybersecurity providers and advisors to their clients, most MSPs do display above-average levels of cyber confidence, especially when compared to other businesses.
It’s also worth noting that the number of MSPs who described their cyber confidence levels as average or above (96%) has remained consistent with 2024. 97% of those we surveyed last year rated their cyber confidence levels as ‘fair’ or ‘great’. What’s more, outside the 20% who categorised their cyber confidence as complete, most MSPs (80%) recognised there was some room for improvement.
7. Confusion reigns over ransomware payments
By far the most surprising result of our survey concerns ransomware payments. Attitudes towards ransomware payments have shifted in the last few years. Many governments, most notably the UK, have mooted bans on ransomware payments for public bodies and government contractors. Meanwhile, cyber insurance providers are increasingly advising clients not to pay ransoms.
With that in mind, it was unexpected to see so many MSPs (45%) answer that they kept a dedicated allocation of money in case of ransomware attacks. More worrying still is the 11% of MSPs that have no dedicated budget for ransomware payments or cyber insurance.
What’s at the root of this? Well, what businesses should or shouldn’t do when it comes to ransomware payments has always been poorly defined. What your business is advised to do will largely depend on where you’re based and who’s advising you. And this is reflected in our survey results, suggesting that MSPs are just as confused as everyone else.
8. MSPs are concerned but prepared for regulations
For our last questions, we asked MSPs which upcoming regulations and legislation they were most concerned about.
As you’d expect, the results were largely predicated on geography, with UK MSPs most concerned about the upcoming Cyber Security and Resilience Bill (28%) and the Cyber Assessment Framework (49%). Whereas, MSPs based in the European Union were more concerned with the Digital Operational and Resilience Act (40%) and NIS2 (14%). And, naturally, Australian MSPs were focused on Essential 8 (15%).
However, what’s far more interesting is how prepared MSPs are to meet legislative and regulatory changes. Regardless of jurisdiction, a large portion of our respondents were ready to meet regulations. 46% said they had a compliance plan for their business, and a further 15% indicated that they were ready to adapt to regulatory changes as and when they happen.
Another 39% of MSPS felt they were ready to offer a solution or guidance to customers in meeting cybersecurity regulations. This is a healthy figure; however, it’s a little unexpected that it isn’t higher.
Helping clients meet regulatory obligations is set to be the key opportunity for MSPs across 2025 and beyond, so those MSPs not meeting demand could be leaving revenue on the table.