What do JLR, the Co-op Group and Marks & Spencer have in common? Yes, they all suffered financially significant security breaches this year. But there’s something else that unites them. They’re all customers of a well-known Indian outsourcing provider. At least two were compromised via a phishing attack on their IT helpdesk, run by that MSP. All the threat actors had to do was call the desk, impersonate an employee, and persuade their ostensible colleagues to reset that user’s credentials.

These are not isolated examples. If anything, the risk is growing as malicious actors target single points of failure to maximise their ROI for attacks. And sometimes, the failure isn’t an outsourced function like an IT service desk. BPO giant Capita was recently fined £14m by the Information Commissioner’s Office (ICO) after a series of internal security failings enabled ransomware affiliates to steal nearly a terabyte of data. Some 6.6m individuals were affected, many of them customers of client organisations. The financial and reputational cost to those corporate clients is unclear. But the combined cost of the M&S (£300m), Co-op (£206m), and JLR (£900m-£1.4bn) incidents could end up close to £2bn.

At times, the fallout of attacks extends beyond mere financial impact. A Ministry of Defence (MoD) payroll outsourcer was breached by alleged Chinese hackers last year, exposing the records of 270,000 current and former British military personnel, including their home addresses. Meanwhile, a 2022 ransomware attack on NHS IT supplier Advanced Computer Software Group led to “delays in treatment and ultimate risks to the health, safety and wellbeing of data subjects,” according to the ICO.

A global study of the sector by security startup CyberSmart reveals that such incidents are on the rise. Of the 900 MSP leaders it polled this year, 69% say they were breached two or more times in the previous 12 months, up from 67% in the 2024 edition. Nearly half (47%) suffered three or more breaches, while 58% felt their customers were more at risk this year than last.

“This is not just a business continuity issue; it is a national infrastructure risk. Supply chain security is now everyone’s responsibility, but too few boards treat their MSPs as critical suppliers rather than commodity vendors,” argues Mit Patel, founder and CEO of security firm Assurix. “Outsourcing does not remove accountability. CISOs and boards still retain ultimate responsibility for outcomes, even if execution sits with a third party.” 

That responsibility matters. If CISOs don’t lock down the mounting risks posed by their MSPs, there’s the potential for serious financial, reputational and compliance damage. For outsourcers themselves, there’s not only a commercial incentive to get security right. Pretty soon, there will also be a regulatory one, as the sector comes under the scope of a new Cyber Security and Resilience Bill.

Bigger doesn’t always mean better

MSP risk is nothing new. Back in 2017, PwC and BAE Systems published research into ‘Cloud Hopper’, a global cyber-espionage campaign by Chinese actor APT10 that targeted managed IT service providers for access to customer networks. Then, as now, the threat actors exploited human error to achieve their goals – in the case of Cloud Hopper, gaining initial access via a spear-phishing email and malicious attachment sent to an MSP employee.

Today, ransomware has upped the stakes considerably, as the trio of big-name UK firms breached this year attests. According to CyberSmart, MSPs are most likely to believe AI threats (44%) represent the biggest risk to their business. But this is followed close behind by ransomware infection (40%) and insider threats (40%). In the case of M&S and Co-op, the latter two factors combined to enable threat actors from the Scattered Spider collective to access corporate IT systems.

Kevin Beaumont, a cybersecurity researcher, has argued that outsourced IT helpdesks are especially vulnerable to the voice phishing (vishing) attacks that these actors reportedly use to compromise access credentials. MSPs tend to rely on well-documented standard operating procedures that, if leaked, can act as an attack blueprint for threat actors.

“MSPs rely on commonality to scale. They use, for example, teams of people who cover vast numbers of customers. They run IT helpdesks where, based on the phone number you call, you get a customised one in that company’s name — e.g. [outsourcer] TCS runs a Microsoft frontline employee IT service desk,” he recently wrote. “But that person answering the phone is spinning many plates and just sees the number you called, pulls up that company process, and runs through a script with you. It’s easy to abuse, and easy for the operator to make a human error.”

This all seems to contradict the widely held view among CIOs and their peers that the larger the outsourcer, the better resourced and more capable it should be. Indeed, it has been argued that a growing wave of private equity-driven consolidation is creating a market where financial outcomes are prioritised over client service.

Another reminder that bigger doesn’t necessarily mean better, or more secure, came recently with the ICO’s Capita fine. The regulator’s penalty notice lays bare a catalogue of security failings that contributed to its 2023 ransomware breach. The firm was unable to prevent privilege escalation and lateral movement, in part because it didn’t follow best practice “least privilege” policies, the ICO said. Its penetration testing of systems processing millions of records amounted to just one test on commissioning. The results of those tests were apparently siloed in business units, meaning issues were not “universally addressed”. Perhaps most damning of all is the fact that Capita’s own security operations centre (SOC) failed to respond “appropriately” to the initial high-priority security alert for 58 hours. This enabled its attackers to gain a foothold in the network. The ICO noted that the SOC was understaffed.

Capita claims to have put right many of these failings. But the incident should stand as a cautionary tale for business leaders looking to outsource. Among the data stolen from Capita were passport scans, criminal record checks, National Insurance numbers, and information on the sexual orientation of data subjects. Over 300 pension schemes that entrusted the firm with their customers’ data were caught up in the breach.

This year, Marks & Spencer became one of cybersecurity’s most high-profile victims of an attack on an MSP. (Photo: Shutterstock)

Proof, not promises

Could new government legislation help to raise the bar on cybersecurity, so we don’t see another Capita-sized breach? Tellingly, 60% of MSPs polled by CyberSmart invested in specialist regulatory hires over the past 12 months. The new Cyber Security and Resilience Bill, set to be introduced to parliament soon, is designed to bring the UK’s regime more in line with the EU’s NIS2 directive. In so doing, it will bring MSPs into scope for the first time, placing the same obligations on them as “relevant digital service providers”.

The devil will be in the detail – but outsourcers will likely be expected to follow a strict set of requirements as laid out in the NCSC’s Cyber Assessment Framework (CAF). It focuses on four key areas: managing security risk, protecting against cyber-attacks, detecting cybersecurity events, and minimising the impact of these incidents. Expect a major focus on supply chain risk management and more rigorous incident reporting requirements, including mandatory ransomware reporting. More power will be given to regulators (the ICO in the case of MSPs) to levy fines, set fees, and recover costs. Penalties could potentially reach £17m or 4% of global turnover, if the bill goes down the same route as the UK GDPR.  

“The great hope for the Cyber Security and Resilience Bill is that it’ll improve the cybersecurity of supply chains across the economy, and MSPs are a huge and underappreciated part of that,” says CyberSmart founder Jamie Akhtar. “What it should do is force those MSPs who are lagging behind to improve their cybersecurity and, as a result, better protect their clients.”

However, in the absence of regulatory mandates, what can CISOs do to mitigate MSP risk? “As with any partnership or business transaction, track record is everything. Ask for testimonials and read reviews from existing or previous clients. You could even ask for references,” Akhtar continues. “A good MSP will be happy to be placed under this kind of scrutiny, as they’ll be confident in their ability to deliver.”

He advises CISOs to check for compliance with best practice standards like ISO 27001 and Cyber Essentials Plus, scrutinise SLAs and support, and demand MSPs run proactive threat monitoring. “Look for transparent pricing with no hidden fees,” he adds. “Ensure their cost is justified by the value they provide and that they can provide metrics on performance and usage.”

When it comes to specific helpdesk risk, Ontinue CISO Gareth Lindahl-Wise has a more prescriptive list to ensure service delivery is up to scratch. Providers should have a “special process” list for high-value targets and ensure that level one staff always escalate password reset requests. “Retire weak, knowledge-based checks for info which is probably publicly accessible and require out-of-band verification such as callbacks using a company number,” he adds.

“Develop and test a formal disruption playbook for Scattered Spider-style intrusions, and conduct regular tabletop exercises to validate teams can quickly detect, disrupt and recover from social-engineering compromises,” Lindahl-Wise continues. “Finally, reinforce a culture of ‘it’s safe to say no’. Publicise internally the ‘true positives’ where this approach stopped a potential breach. Seeing that people are not punished for following process and instinct says more than 1,000 posters.”
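The helpdesk controls Lindahl-Wise describes can be encoded as a gate that a reset workflow must pass before credentials are touched. The following is an added illustration, not code from Ontinue or any MSP named here; the directory, the high-value list, the agent tiers and all phone numbers are constructed for the example.

```python
"""Credential-reset gate for an outsourced helpdesk (illustrative policy engine).

Encodes the controls quoted above: a special-process list for high-value targets,
mandatory escalation of every password reset past level-one staff, no knowledge-based
checks, and out-of-band callback to the number of record held in the directory.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed directory: user -> phone number of record (sourced from HR, never from the caller).
DIRECTORY = {"alice": "+44 20 7946 0100", "bob": "+44 20 7946 0200"}
# Constructed special-process list: accounts that additionally need a named approver.
HIGH_VALUE = {"bob"}  # e.g. finance or IT-admin accounts
# Checks that rely on information likely to be publicly discoverable; never accepted.
KNOWLEDGE_BASED = {"dob", "employee_id", "manager_name", "postcode"}


@dataclass
class ResetRequest:
    user: str
    agent_tier: int                       # 1 = level-one desk, 2+ = escalation team
    evidence: Set[str] = field(default_factory=set)  # checks the agent performed
    callback_number: Optional[str] = None  # number the desk dialled back, if any
    approver: Optional[str] = None         # named approver for high-value accounts


def evaluate(req: ResetRequest) -> Tuple[str, List[str]]:
    """Return ('approve' | 'escalate' | 'deny', reasons) for a reset request."""
    if req.user not in DIRECTORY:
        return "deny", ["unknown user"]
    if req.agent_tier < 2:
        # Level one never completes a reset, whatever checks were run on the call.
        return "escalate", ["level-one staff must escalate password resets"]
    reasons: List[str] = []
    used_kb = req.evidence & KNOWLEDGE_BASED
    if used_kb:
        reasons.append(f"knowledge-based checks not accepted: {sorted(used_kb)}")
    if req.callback_number != DIRECTORY[req.user]:
        # Callback must go to the directory number, not one the caller supplied.
        reasons.append("callback must go to the directory number of record")
    if req.user in HIGH_VALUE and not req.approver:
        reasons.append("high-value account: special process requires named approver")
    if reasons:
        return "deny", reasons
    return "approve", ["out-of-band callback verified"]
```

Every decision and its reasons should also be written to an audit log so the ‘true positives’ the text mentions can be found and publicised internally.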

Ultimately, most IT leaders won’t have a choice about whether to outsource or bring services back in-house. For financial or operational reasons, they are bound to continue down this path. The key to minimising risk as they do so will be to get more prescriptive about their security requirements. 

“Too many MSPs are audited once a year and then left unchecked,” concludes Assurix’s Patel. “Outsourcing can be secure if accountability and visibility are enforced. Boards should demand proof, not promises.”