New research suggests UK businesses are overconfident when it comes to digital supply chain security
Organisations trust their MSPs, yet fail to ask them basic cyber security-related questions and admit to suffering unscheduled downtime
Kocho, the UK-based provider of cyber security, identity, cloud transformation and managed services, today announced the results of a survey assessing the cyber resilience of UK businesses’ digital supply chains. While virtually all of the respondents were either totally confident (71 percent) or moderately confident (29 percent) that their Managed Service Provider (MSP) could continue to deliver services in the event of a major attack, 97 percent had suffered unscheduled downtime in the previous year, with 88 percent of these incidents connected to cyber-related activity.
Conducted by Vanson Bourne in October 2022, the online survey polled 200 UK senior business and technology professionals at mid-sized businesses employing between 500 and 3,000 people. All of these businesses were from finance and insurance, private healthcare, legal or manufacturing verticals and rely on MSPs to run at least some of their IT. Slightly over half (51 percent) stated their operations would be severely impacted by a disruption to their MSP’s service, while 15 percent said they would be left unable to operate. Approximately one quarter (26 percent) said they would be partially impacted.
Six in ten (60 percent) respondents stated that cyber security procedures were a top priority in their decision-making process when their organisation selected its MSP, with a further 34 percent stating that they were a major part of the decision-making process. Despite this priority, many businesses failed to ask fundamental security-related questions at this initial tender stage.
Only 40 percent of businesses stipulated that their MSP should be Cyber Essentials certified, even though this is the UK Government-backed scheme designed to protect all organisations against a range of threats. Just 38 percent asked if the MSP was fully GDPR compliant, while only 37 percent stipulated that two-factor authentication must be deployed. Fewer still (35 percent) asked if an incident response policy was in place, and only 56 percent of organisations undertook third-party audits to verify or test MSP defences.
“On the whole, UK businesses are very trusting of their MSPs’ abilities to withstand attacks and have considerable confidence in their digital supply chains. However, this research does also suggest that at least some of this confidence might be misplaced,” said Jacques Fourie, Director of Information Security, Kocho. “When selecting an MSP, businesses don’t always ask enough tough questions; this could leave them vulnerable. Organisations may think that by passing the management of their IT to a third party, they no longer need to worry about security, but that’s simply not the case – we can see from this research that any MSP outage could hit businesses hard.”
For additional insights as well as actionable advice on how to verify MSPs’ security credentials, please download Kocho’s new report ‘Securing risks in the digital supply chain.’