network technician inspecting-servers
Subscribe to Our Newsletter

IT outsourcing via managed service providers (MSPs) is commonplace in nearly all commercial industries. The global IT outsourcing market is currently valued at $526.6 billion and is only growing. Digital security is one of the main reasons companies hire MSPs — that and the demand for cloud systems and digital transformation. One report indicates that 55% of businesses are spending more with MSPs in these three areas.

While cybersecurity is a key driver for IT outsourcing, it’s ironically a major concern for the MSPs themselves. In a recent global survey of MSPs, 95% of respondents said that clients turned to them for cybersecurity planning and advice. Yet 50% of MSPs expressed fears of being at greater risk of cyberattacks.

In general, the current cyberthreat landscape is worrying. According to the Identity Theft Resource Center’s Annual Data Breach Report, a record 1,862 incidents were reported in 2021, 68% more than in 2020. Verizon’s 2022 DBIR paints a similar picture with rising cases of malware, hacking, and social engineering attacks. This explains why businesses are seeking digital asylum among MSPs. But MSPs are also falling victim to cyberattacks, which begs the question: is your IT infrastructure safe in the hands of a managed IT service provider?

Why MSPs are concerned about cybersecurity

It turns out that cyberattack fears among MSPs are entirely rational. IT providers are hot targets for cybercriminals. Threat actors know that MSPs handle tons of sensitive information for their clients, from protected data and user accounts to systems access. In most cases, IT providers play crucial roles in their clients’ digital supply chains. So, if a single MSP goes down in a cyberattack, it takes all its clients with it. To a threat actor, breaching an MSP means compromising dozens or hundreds of companies in one shot.

The situation is so dire that the National Security Agency/Central Security Service issued an official advisory in May 2022, urging IT providers to discuss cybersecurity concerns and responsibilities with their customers. The advisory came after a wave of cyberattacks targeting large MSPs devastated thousands of businesses.

According to the State of the Market: The New Threat Landscape report, nearly all the surveyed MSPs had experienced a successful cyberattack over an 18-month period. IT companies are also working much harder to protect themselves and their clients from cyberthreats. We’ve seen countless such attacks in recent years, including these headliners:

TSM Consulting Services Inc.

On August 5, 2019, a ransomware attack devastated nearly two dozen Texan communities for several days. The attack locked out local government agencies from critical IT services and data, preventing Texas residents from paying city bills and accessing vital online services.

The attacker, an infamous Russian cybercrime gang known only as REvil, gained access to citywide IT infrastructures through a successful attack on TSM Consulting, an MSP that served various government agencies and companies across Texas. REvil demanded $2.5 million to lift the siege, but luckily, all breach incidents were resolved without any ransom payment.


Kaseya is an IT solutions developer for MSPs and large enterprises. On July 2, 2021, Kaseya announced that it had fallen victim to a supply chain ransomware attack that exploited two vulnerabilities in its Virtual System Administrator (VSA) software.

The attack, which again was linked to the REvil syndicate, affected about 1,500 companies under 50 MSPs using the compromised VSA at the time. The attackers demanded a whopping $70 million to undo the damage. But two weeks after the attack, Kaseya was able to decrypt its systems.


On July 27, 2022, NetStandard, a Kansas-based managed service provider, sent an email to its customers bearing this message:
“As of approximately 11:30 AM CDT July 26, NetStandard identified signs of a cybersecurity attack within the MyAppsAnywhere environment. Our team of engineers has been engaged on an active incident bridge ever since working to isolate the threat and minimize impact.”

At the time, NetStandard had already shut down its main website and MyAppsAnywhere cloud services, which hosted various enterprise tools for its customers, including CRM systems, Dynamic GP, SharePoint, and Exchange. Although the company shared no specific details about the incident, researchers speculate it was probably a ransomware attack perpetrated by Russian hackers.

Outsource your IT services with caution

It’s unnerving to imagine that your go-to IT security solution might be an unintended gateway for cyberattacks. Sadly, that’s the reality. Signing an MSP has become a sort of security gamble. However, IT outsourcing is a necessary risk for many organizations that rely heavily on digital systems. So, outsourcing IT calls for cautious risk evaluation and mitigation like any other business activity. Here are three ways to minimize security risks when working with an MSP:

Partner with a security-first MSP

MSPs come in all shapes and sizes. It’s up to you to choose the IT provider that brings the most value to your organization. Make security a key consideration when vetting your IT partner. Just about every MSP boasts of security guarantees. But look past the marketing jargon and check the level of security you actually get with a particular MSP. Ask how well the company protects its clients from supply chain vulnerabilities and threats.

Understand your security responsibilities

Cybersecurity is not a one-way street. Every party involved in an organization’s ecosystem or supply chain must play their part in upholding cybersecurity. Even when working with an MSP or MSSP, you’ll still have critical cybersecurity responsibilities, such as identifying and reporting threats and ensuring employees follow the laid-out security protocols.

Choose the right MSP

Security should be a significant consideration when outsourcing IT. As mentioned before, cybersecurity is partly your responsibility, and you shouldn’t just take the MSP’s word for it. Do all it takes to check that the MSP exhibits internal security maturity — even if it means hiring an independent third-party cybersecurity assessor to verify the MSP’s operational maturity and the security controls they claim to have in place.

Remember, not all MSPs are created the same. Security guarantees vary widely between MSPs, and that’s usually reflected in their prices. A more security-conscious MSP will often cost more than its less secure counterparts. Ultimately, you get what you pay for, which can sometimes be very costly.

At GXA, we believe you can’t put a price on cybersecurity, which is why we go all out to protect our clients. We are ISO 9001 quality certified and pursing SOC2 Type 2 cybersecurity attestation. Both certifications require an external independent audit firm to valid out IT service quality as well as our internal cybersecurity posture.

GXA is a trusted, award-winning Texan MSP with over a decade of experience in the IT space. Businesses across multiple commercial industries rely on GXA to provide robust, dependable, and secure managed technology solutions, outsourced cybersecurity, business IT consulting, and support for business innovation. And you can too.

Schedule a free consultation with GXA today to discuss your organization’s IT and cybersecurity needs.