Nine in 10 (90%) managed service providers (MSPs) experienced a successful cyber-attack in the past 18 months, according to new research by N-able.
The study also found that the number of attacks prevented by these organizations during this period almost doubled, from six to 11. According to the researchers, this shows that MSPs are quickly becoming more of a primary target than their customers for cyber-criminals.
The research reflected the views of 500 senior decision-makers at MSPs about their security experiences both before the pandemic and today.
More than four-fifths (82%) of MSPs reported seeing attacks on their customers rise in the past 18 months, preventing an average of 18 attacks per month.
The study also revealed a wide range of effects arising from successful cyber-attacks on MSPs. Over half of respondents experienced financial loss and business disruption following an attack. At the same time, 46% said they had lost business, 45% suffered reputational effects and 28% saw their customers suffer a loss of trust.
The most common attack methods detected by MSPs were phishing (75%), DDoS (56%) and ransomware (42%).
Worryingly, the researchers found that many MSPs are still not implementing basic security measures. For example, while most MSPs offer two-factor authentication to their customers, only 40% have introduced it in-house.
Dave MacKinnon, chief security officer at N-able, commented: “MSPs have worked tirelessly throughout the pandemic to ensure that the businesses they support can stay online and connected as circumstances changed.
“But the cyber-criminals they’re protecting against are working equally as hard to make use of these shifts against their targets. MSPs need to understand how the threat landscape continues to evolve and make the changes needed to protect both their customers and themselves and make the most of the enormous opportunity that enhancing security provides.”
The findings follow numerous high-profile attacks on MSPs, most notably the Kaseya incident last year. In response to these incidents, the UK government opened a consultation on introducing new measures to force MSPs to follow updated security standards.