UK businesses overconfident in digital supply chain security
Organisations are too trusting of Managed Service Providers, according to new research. Just four in ten believe they need to make sure Managed Service Providers are certified in providing cyber security essentials, while one-third agreed that providers' personnel should undergo security checks before taking on such work.
Managed services is the practice of outsourcing the responsibility for maintaining, and anticipating the need for, a range of processes and functions, ostensibly for the purpose of improved operations and reduced budgetary expenditure through the reduction of directly employed staff. To that end, Managed Service Providers (MSPs) can help businesses stay flexible when it comes to resources, and can accommodate swift changes which an in-house team might not be able to respond to efficiently.
But as with any outsourcing practice, MSPs also come with a host of risks, which have been exacerbated by the pandemic. As the Covid-19 outbreak opened even more avenues for fraudsters to commit financial crimes, 64% of UK companies admitted they had experienced fraud or economic crime since 2020 – and when pointing to external sources of such incidents, 20% said they had been hit by outsourced suppliers, such as MSPs.
Even so, a new study from cyber security advisory firm Kocho has found that most companies implicitly trust their MSPs. As a result, they often fail to ask them basic cyber security-related questions, even as they admit to suffering ‘unscheduled downtime’ due to the actions of their suppliers.
Speaking to 200 senior business and technology professionals, from firms employing between 500 and 3,000 people, Kocho found that 71% of respondents were “totally confident” that their MSP would deliver services in the event of a major attack. Meanwhile, a further 29% said they were “moderately confident”.
Despite this relative confidence from the vast majority of respondents, 97% told Kocho they had suffered unscheduled downtime in the previous year, with 88% of these incidents connected to cyber-related activity. All of these businesses were from finance and insurance, private healthcare, legal or manufacturing verticals and rely on MSPs to run at least some of their IT – meaning cyber breaches could have wide-ranging consequences for not only clients, but the broader economy.
Jacques Fourie, Director of Information Security, Kocho, said, “On the whole, UK businesses are very trusting of their MSPs’ abilities to withstand attacks and have considerable confidence in their digital supply chains. However, this research does also suggest that at least some of this confidence might be misplaced.”
For example, Fourie explained, when selecting an MSP, businesses don’t always ask enough tough questions, possibly leaving them vulnerable. Even as 60% of respondents identified cyber security procedures as a top priority when their organisation selected its MSP – and a further 34% stated they were a major part of the decision-making process – most did not speak to MSPs to verify their cyber credentials.
At the initial tender stage, only 40% of businesses stipulated their MSP should be Cyber Essentials certified, even though this is the UK Government-backed scheme designed to protect all organisations against a range of threats. Meanwhile, an even smaller 35% asked if an incident response policy was in place, and 33% thought providers should perform security checks on new staff – even though their line of work might involve the handling of sensitive information.
Fourie concluded, “Organisations may think that by passing the management of their IT to a third party, they no longer need to worry about security, but that’s simply not the case – we can see from this research that any MSP outage could hit businesses hard.”