Managed service providers (MSPs) form a key vertebra in the backbone of the UK economy. According to Department for Science, Innovation & Technology (DSIT) research, the country’s 11,000 plus MSPs were worth £52.6 billion to the UK economy in 2022 alone.

Despite that impressive figure, MSPs’ importance to the UK economy exceeds their financial contribution.

MSPs often represent a one-stop shop for many SMEs’ IT needs, providing and administering everything from office software packages to network security. This makes them a critical first line of defence against cyber threats for small businesses.

However, the same thing that makes MSPs a cornerstone of our economy has also made them a target.

As trusted partners to hundreds of thousands of UK businesses, MSPs typically have access privileges to clients’ infrastructure and inner workings – making them a highly lucrative target.

Indeed, a 2024 report from Kaseya reveals that 78% of MSPs view cybersecurity as their greatest challenge.

And, as we’ll cover later in this report, they’re right to feel that way; almost every MSP we spoke to had experienced a data breach in the last 12 months.

All of this begs the question: given MSPs are such a critical part of the UK’s IT infrastructure, why is there so little research (beyond the UK government’s) into their cybersecurity? How prepared are MSPs and their clients? What are the key threats they face? And, most importantly, how are they managing them?

In early 2024, we set out to change this. Alongside OnePoll, we surveyed 250 leaders from UK MSPs. To ensure we got a broad spectrum of views, we spoke to MSPs with customers across every major industry, from all over the UK, ranging in size from one to one thousand employees (see table below).

  • Where do you live?
  • In which industry do you specialise in, with regards to MSP?
  • How many employees work within the MSP part of your organisation?

What follows are the results of this study, providing an accurate picture of the cybersecurity landscape for MSPs and their customers in 2024.


MSPs are a key target for cybercriminals

Let’s begin with perhaps the least surprising finding in our report. MSPs continue to be a key target for cybercriminals. However, what might surprise you is how often MSPs are being successfully breached.

A clear majority (87%) of our 250 MSPs reported having experienced at least one data breach in the past 12 months, with many being hit multiple times. This illustrates just how big a threat cybercrime has become to every MSP. What’s more, it’s not just MSPs with good cyber hygiene. As we’ll discuss later, many of these leaders reported having either a ‘fair’ or ‘great’ deal of cyber confidence.

Why are MSPs being attacked?

Upon first hearing, it might sound odd that cybercriminals target and often successfully attack MSPs. We think of MSPs as IT and cybersecurity experts with good defences, so surely there are more tempting targets?

Unfortunately, this is only partially accurate. Although many MSPs do have robust cyber defences, there’s another reason they get cybercriminals champing at the bit.

MSPs are so attractive to hackers because they can typically remotely access clients’ networks and IT environments. And, that’s before we mention how much data the average MSP has access to – everything from financial information to breakdowns of customers’ security.

In short, MSPs are targeted for the same reason as supply chains. Successfully breaching an MSP means cybercriminals gain access to much more than the initial target. It could lead to ‘follow-on’ activity across the MSP’s customer base.

MSPs feel their customers are more vulnerable to cyber threats

The last year has seen a confluence of factors negatively affecting SMEs’ online security, from the cost of living crisis to increased geopolitical tensions to lowered technical barriers to entry for cybercrime. Given this landscape, it's unsurprising that 60% of MSPs believe their customers have been more vulnerable to cyber threats in the last 6 months.

However, this figure is quite revealing if we dig a little deeper. Cyber awareness is on an upward curve within businesses and society. It’s difficult to be unaware of the risks when each news cycle brings a new story on the latest breach. This means the perceived threat of cybercrime is continually increasing as awareness grows.

Indeed, as we’ll see later in the report, MSPs are switching to providing cybersecurity services and products in ever-increasing numbers, partly as a response to customer demand. Accordingly, perhaps this fear of customer vulnerability stems from greater awareness of the threats.

What kind of threats do MSPs and their customers face?

We’ve established that MSPs are hyper-aware of the threat of cybercrime. So, what do they perceive as the biggest threats to themselves and their customers?

Which, if any, of the following are the biggest possible threats to your business? [Select up to 3]

  • Ransomware or malware infection: 57%
  • Inflation and spiralling costs: 43%
  • Exploitation of unpatched or undisclosed vulnerabilities: 41%
  • Insider threats: 37%
  • Skills shortages: 35%
  • Supply chain: 26%
  • Slowing sales pipeline: 14%

MSPs Align with Customers on Top Cyber Threats, but Overlook Key Risks

In common with their customers, MSPs feel the number one threat is ransomware and malware (57%). This is followed closely by inflation and spiralling costs (43%), exploitation of unpatched vulnerabilities (41%), and insider threats (37%). Skills shortages (35%) and supply chain security (26%) complete the top six.

This tells us that MSPs have a good grasp of the threats they face. As our 2023 cost of living report revealed, inflation and its impact on security budgets and staff wellbeing is a major concern for all SMEs, as are insider threats (both negligent and malicious).

However, there are some notable exceptions. Given the large networks many MSPs administer, supply chain attacks should be more prominent in their thinking. It’s also surprising to see so few MSPs specifically mention phishing scams. DSIT’s Cyber Security Breaches Survey 2024 revealed that the most common type of breach or attack is phishing (84% of businesses and 83% of charities). However, many MSPs possibly viewed phishing as synonymous with ransomware and malware.

What about MSPs’ customers?

Which, if any, of the following represent the biggest possible threats to your customers’ businesses? [Select up to 3]

  • Ransomware or malware infection: 55%
  • Exploitation of unpatched or undisclosed vulnerabilities: 44%
  • Supply chain threats: 31%
  • Skills shortages: 26%
  • Slowing sales pipeline: 12%

For the most part, the MSPs we surveyed listed the same biggest threats to their customers as themselves. Ransomware and malware came out on top again (55%) followed closely by exploitation of unpatched vulnerabilities (44%).


What can we learn from this? Most obviously, MSPs feel they are subject to the same fears as their customers. But it also demonstrates that MSPs are in a great position to understand the security needs of their customers. In many cases, the service provider has implemented many of the same measures they recommend to customers.

The role of the MSP is changing

As signposted by their name, MSPs’ traditional role was to provide managed IT infrastructure services to clients. However, our survey points to a shift in what MSPs’ customers expect from them and the services they offer.

65% of the MSP leaders we surveyed said that customers now expect them to either manage or implement customers’ cybersecurity.

  • Have you noticed more or less scrutiny?

This has increasingly become a dealbreaker for prospects choosing a managed service provider. Over 70% of MSPs have noticed ‘more scrutiny’ of their security capabilities during new business meetings in the past 12 months.

MSPs are responding to the demand

Managed service providers have long prided themselves on delivering exactly what their customers need to do business. As cybersecurity has become more important to customers, MSPs have rapidly shifted towards offering security and regulation services.

Almost 70% of the companies surveyed have increased their security capabilities over the last 12 months.

And this isn’t just an investment in products and services; nearly half have made specialist security or regulatory hires.

It’s clear from their responses that MSPs are leaning into cybersecurity in a big way. This also looks like a permanent trend. Barracuda estimates that 83% of UK small and medium enterprises are using some form of IT-managed service and, as these companies look to improve their security, it’s only natural that they turn to their MSP for help. It’s a real opportunity for MSPs to become their customers’ trusted security provider – more on that in our next section.

A huge opportunity for MSPs

So far we’ve mostly talked in the abstract about the opportunity changing customer demands presents to MSPs. However, it’s also revealed in responses to our survey. 37% of MSPs report one in five or fewer customers have an in-house security team. This means that, for many providers, a substantial chunk of their customer base requires managed cybersecurity services – representing a rich source of revenue for those MSPs ready to grab it.

This is backed up by DSIT’s research into the sector, which reveals that of nearly 11,500 active MSPs, just 3,000 currently offer cybersecurity-related solutions to their customers. This constitutes a golden opportunity for any MSP ready to provide cybersecurity services to get a headstart on the competition and tap into an emerging market.

Cyber confidence is high among MSPs and their customers

At the end of the survey, we asked our MSP leaders about cyber literacy and confidence. We defined cyber confidence as engaging in the following activities or processes:

  • Proactive risk management
  • Cyber training in place for employees
  • Continuous threat monitoring
  • Risk reporting
  • Demonstrable cyber credentials
  • Incident response and/or recovery plans
  • IT policies in place

Nearly all of our respondents ranked their business as possessing a ‘fair amount’ or ‘great deal’ of cyber confidence.

  • How much ‘cyber confidence’ does your organisation have?

    Engaging in the following activities or processes for example: Proactive risk management, Continuous threat/risk monitoring, Incident response and/or recovery plans, Cyber training in place for employees, Risk reporting, IT policies in place, Demonstrable cyber credentials (e.g. CE or ISO)

Staying safe

Policy problems?

Despite senior leaders’ confidence in their processes, when we dig a little further into companies’ security policies this appears misplaced. Only 55% and 54% of SMEs have clear policies and procedures for sharing information and gaining access to confidential information, respectively.

Our findings are borne out by DSIT’s Cyber Security Breaches Survey 2024

Government research discovered that, while awareness of schemes like Cyber Essentials has declined, basic cyber hygiene – by which we mean basic cyber controls – is increasing across all businesses.

Cyber Security Breaches Survey 2024

Most cyber threats are relatively unsophisticated so organisations can go a long way towards protecting themselves by simply adopting simple measures. And most businesses and charities have a broad range of these measures in place. These include:

  • Using up-to-date malware protection: up from 76% to 83%
  • Restricting admin rights: up from 67% to 73%
  • Network firewalls: up from 66% to 75%
  • Agreed processes for phishing emails: up from 48% to 54%

This suggests that MSPs and their customers have become more cyber-savvy and collective security awareness is increasing.

Nevertheless, there’s still work to be done, as we’ll see in our next section.

Getting to Complete Cyber Confidence

Although it’s a positive development that cyber confidence is so high among MSPs and their customers, that doesn’t mean it can’t improve further. The eagle-eyed reader will have noticed that despite reporting high levels of cyber confidence, MSPs are still being breached at an alarming rate.

What’s going on?

Well, the high breach numbers suggest areas of cybersecurity that MSPs aren’t so strong on. This is a normal part of the graduation process from cyber confidence to Complete Cyber Confidence.

Complete Cyber Confidence is CyberSmart’s cybersecurity framework. We define it as:

An organisation’s trust in its ability to protect its digital assets, data, and systems from unauthorised access, cyber-attacks, and data breaches. Our approach goes beyond mere compliance with regulations and encourages a proactive and comprehensive approach to security.

Using this framework, we asked MSPs which cybersecurity measures should be strengthened to achieve Complete Cyber Confidence.

The measures were:

  • 1st (60%): Cyber security training for employees - ensuring staff are aware of security best practices and potential threats
  • 2nd (57%): IT policies - establish and enforce cyber-safe conduct
  • 3rd (56%): Cyber secure culture - where employees are aware of threats and proactively report suspicious activity to the business
  • 4th (49%): Continuous monitoring - of systems and networks to detect unusual activity
  • 5th (49%): Proactive risk management - identify and mitigate risks before cybercriminals can exploit them
  • 6th (40%): Incident response plans - having a well-defined response plan in case a security incident occurs
  • 7th (39%): Cyber credentials - external verification and certification of your cyber credentials
  • 8th (36%): Risk reporting - quantify and assess risks

These responses give us a crystal clear vision of what MSPs can do to protect themselves and their customers more completely. Two areas for improvement immediately stand out.


First, it’s clear from the responses that MSPs feel that more needs to be done to give staff the knowledge they need to counter cyber threats. This reduces the risk of negligent insider threats and gives businesses an extra line of defence against anything that makes it past technical controls. MSPs can do this by offering cyber awareness training internally and to customers.

Second, MSPs need the ability to monitor and proactively manage risk across their network and clients’ IT infrastructure. In short, they require a way to identify and resolve vulnerabilities before cybercriminals can exploit them.

1

2. Ransomware and malware are the biggest concerns for MSPs and their customers.

3. Customers increasingly expect MSPs to provide cybersecurity services alongside IT infrastructure – so much so that it’s become a dealbreaker. This represents a huge revenue growth opportunity for those providers ready to take it.

4. Despite the high number of attacks on MSPs, our respondents proved remarkably confident in their cybersecurity and that of their customers. However, there was an acknowledgement among all MSPs that there were further steps they could take to achieve Complete Cyber Confidence.

5. Our survey identified some key measures that would help MSPs achieve Complete Cyber Confidence, such as staff training, company security policies, continuous monitoring and proactive risk management. This gives MSPs and vendors like CyberSmart a clear framework to work from.

What our partners say

"The work culture, knowledge, great experience and above all expertise especially within the auditing team is second to none"

CyberSmart are a fantastic partner to work with and this is underpinned by the great collaboration and success that has been achieved over the last 2.5 years. The work culture, knowledge, great experience and above all expertise especially within the auditing team is second to none, the assessors in this team such as Glen Patrick & Mark Shaw are critical to our success. This is the reason why our existing client base in this market is so strong and continues to grow.

Shilpa Moror

Cybersecurity BDM, BSI

"The accessibility and availability of people throughout the organisation (from bottom to top) is fantastic"

CyberSmart is innovative and ambitious, and we believe they’re totally customer focused, with a determination to succeed. All of this generates enthusiasm internally for us, and the partnership is something that we strive to continue to grow, in a way that all of us at E-ZU can really get behind. It’s also important to mention that the accessibility and availability of people throughout the organisation (from bottom to top) is fantastic, and we get the sense they really want to work with us.

Sam Lockwood

Head of Marketing, E-ZU solutions

"We wanted a partner who would be able to provide that encompassing solution from a Cyber Security Perspective"

Working with CyberSmart has been very positive. The way they engage in terms of feedback has been really useful to help develop both CyberSmart’s and our portfolio and feel comfortable that the solution set is moving in the right direction. Synergy with us as a business, growing and trying to do it in the right way is important and we wanted a partner who would be able to provide that encompassing solution from a Cyber Security Perspective.

Stuart Colley

Chief Operating Officer, MFM IT

"Their service and support, both commercially and technically, are top-class"

CyberSmart offer a unique portfolio of add-on products which enhanced the services I was able to offer to my clients. You could say I have grown with them, and I am now very much looking forward to new products and services they are developing which should enable me to add new clients and grow revenue. Their service and support, both commercially and technically, are top-class. I can be confident that if my clients raise problems or ask questions I can get a swift response for them from the CyberSmart team. I have no hesitation in recommending them.

Peter Elliot

Senior Partner, Empiric Partners

Why partner with CyberSmart?

CyberSmart is the UK’s leading cybersecurity solution for Managed IT Providers.

Join our Partner Programme and get all the software, expert support, and resources you’ll need to be the partner your clients can’t live without.

Expand your portfolio, extend your reach through new solutions and win more business effortlessly, with CyberSmart.