43% of MSPs Got Burned by a Supplier Breach Last Year. Here's the Vendor-Access Audit to Run This Quarter

A June 2026 CyberSmart stat shows nearly half of UK MSPs were hit through a supplier last year. Here's the vendor-access audit your IT provider should be able to pass — and what to do if they can't.

By Tony Brown

When a managed IT provider gets breached, the damage rarely stops at their front door. Your provider holds the keys to your email, your servers, your backups and often your admin accounts. So when CyberSmart's June 2026 research found that 43% of UK MSPs suffered a breach via one of their own suppliers last year, that isn't just an industry statistic. It's a description of your attack surface.

Think about the chain for a moment. Your business trusts your IT provider. Your IT provider trusts a remote-monitoring tool, a password manager, a backup platform, a documentation system and a handful of distributors. Each of those is a supplier with privileged access. A weakness in any one of them can roll downhill until it lands on you. That's roughly what happened in the 2024 attacks on widely used MSP software, where a single compromised tool gave attackers a path into thousands of downstream customers at once.

[Image: a technician inspecting cabling and access controls in a server room]

The uncomfortable truth is that you can do everything right inside your own four walls and still get hit because someone three steps up the chain left a door open. The good news is that this gives you leverage. You're paying for managed IT, which means you're entitled to ask hard questions about how that IT is secured. Most providers won't volunteer the detail. You have to ask.

Below is an audit you can run this quarter. You don't need to be technical to use it. Send it to your provider, ask for written answers, and pay attention to how quickly and clearly they respond. A good provider will be glad you asked. A weak one will stall.

Why MSPs are such a tempting target

Attackers like efficiency. Breaking into one small accountancy firm gets you one small accountancy firm. Breaking into the IT company that manages forty of them gets you forty. That's the maths driving so-called supply-chain attacks, and it's why criminals increasingly go after the tools and the providers rather than the end customer directly.

The tools themselves are the soft spot. Remote management and monitoring software is designed to do exactly what an attacker wants: reach into many machines, run commands, install software and do it all quietly in the background. If that tool is compromised, or if the credentials to it are stolen, the attacker inherits all of that reach. The same goes for the password vault your provider uses to store your admin logins, and the documentation platform where they keep network diagrams and recovery details.

This is the context for that 43% figure. The breaches aren't usually the result of an MSP being careless with your data directly. They come in sideways, through a supplier the MSP trusted. Which means your questions need to follow the same path.

The vendor-access audit: what to ask your provider

Work through these in order. Ask for the answers in writing.

1. Who can access our systems, and how is that list kept current?

Ask for a named list of the staff and tools that hold privileged access to your environment. Then ask how often that list is reviewed and who removes access when an engineer leaves. The classic failure here is the dormant account belonging to someone who left the company eight months ago. If your provider can't tell you when they last reviewed access, that's your answer.

2. Is multi-factor authentication enforced on every tool that touches us?

Not encouraged. Enforced, with no exceptions. That includes the remote-monitoring platform, the password manager, the admin portals for Microsoft 365 and any backup console. Ask specifically whether MFA is required for their own engineers logging into your tenant. A surprising number of breaches trace back to a single admin account protected by a password alone.
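Questions 1 and 2 both come down to a list the provider should be able to produce and a check they should be running against it. The script below is an added illustration of what that check looks like in practice; it is not code from the article or from Cloudworks. The account inventory, the engineer names and the 90-day dormancy threshold are all constructed or assumed for the example. Given a list of privileged accounts with their holder's employment status, MFA enforcement and last login, it flags leavers who still hold access, privileged logins without enforced MFA, and accounts that have not been used inside the review window.

```python
"""Privileged-access review check (audit questions 1 and 2).

Added illustration, not the article's code. The inventory below is
constructed and the 90-day dormancy threshold is an assumed policy value.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

DORMANT_AFTER_DAYS = 90          # assumed policy: unused privileged access is dormant after 90 days
REVIEW_AS_OF = date(2026, 6, 30)  # the day this review is run (constructed)


@dataclass(frozen=True)
class PrivilegedAccount:
    account: str                 # login name as it appears in the tool
    tool: str                    # where the access lives (RMM, M365 admin, backup console ...)
    holder: str                  # engineer or service this account belongs to
    holder_active: bool          # False once the engineer has left the provider
    mfa_enforced: bool           # MFA required at login, not merely available
    last_login: Optional[date]   # None means the account has never been used


# Constructed sample inventory: the kind of list question 1 asks the provider for.
SAMPLE_INVENTORY = [
    PrivilegedAccount("a.khan-admin", "RMM", "A. Khan", True, True, date(2026, 6, 20)),
    PrivilegedAccount("j.reid-admin", "M365 admin", "J. Reid", False, True, date(2025, 10, 3)),
    PrivilegedAccount("backup-svc", "Backup console", "backup service", True, False, date(2026, 6, 24)),
    PrivilegedAccount("m.osei-admin", "RMM", "M. Osei", True, True, None),
    PrivilegedAccount("p.diaz-admin", "M365 admin", "P. Diaz", True, False, date(2026, 2, 1)),
]

Finding = Tuple[str, str, str]  # (account, tool, reason)
SEVERITY = {"leaver": 0, "no_mfa": 1, "dormant": 2}


def review_access(inventory: List[PrivilegedAccount], as_of: date,
                  dormant_after_days: int = DORMANT_AFTER_DAYS) -> List[Finding]:
    """Return findings ordered by severity, then account name.

    leaver  : holder has left but the access still exists  -> remove now
    no_mfa  : privileged login without enforced MFA        -> fix now
    dormant : not used inside the window, or never used    -> remove or justify
    """
    cutoff = as_of - timedelta(days=dormant_after_days)
    findings: List[Finding] = []
    for acct in inventory:
        if not acct.holder_active:
            findings.append((acct.account, acct.tool, "leaver"))
        if not acct.mfa_enforced:
            findings.append((acct.account, acct.tool, "no_mfa"))
        if acct.last_login is None or acct.last_login < cutoff:
            findings.append((acct.account, acct.tool, "dormant"))
    return sorted(findings, key=lambda f: (SEVERITY[f[2]], f[0]))


def accounts_to_remove(findings: List[Finding]) -> List[str]:
    """Accounts that should lose access outright: leavers and dormant logins."""
    return sorted({acct for acct, _tool, reason in findings if reason in ("leaver", "dormant")})


if __name__ == "__main__":
    results = review_access(SAMPLE_INVENTORY, REVIEW_AS_OF)
    for account, tool, reason in results:
        print(f"{reason:8} {tool:15} {account}")
    print("remove:", ", ".join(accounts_to_remove(results)))
```

The point of asking question 1 is that a provider should be able to run something like this on demand and hand you the output. If the answer is that the list lives in someone's head, nothing is checking for the leaver who still has an admin login.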

3. What's in your supplier inventory, and how do you vet them?

This is the heart of it. Ask your provider for a list of the suppliers that have access to, or could affect, your systems. Then ask what security checks they run on those suppliers. Do they require evidence of certification, such as Cyber Essentials Plus or ISO 27001? Do they reassess when a supplier changes ownership or product? If your provider has never thought about their own supply chain, they certainly haven't protected you from it.

4. How quickly would you tell us about a breach affecting our data?

UK GDPR gives the affected business 72 hours to report a qualifying breach to the ICO. Your provider needs to feed you the information well inside that window. Ask for their breach-notification commitment in writing, ideally as part of the contract. Vague reassurances about 'prompt communication' are worthless when the clock is running.

5. What happens if one of your tools is compromised?

Ask them to walk you through it. If their remote-monitoring platform were hit tomorrow, how would they detect it, contain it and stop it reaching you? Can they isolate your environment quickly? Do they hold offline or immutable backups that an attacker with admin access couldn't delete? The 2024 software supply-chain incidents were so damaging precisely because compromised tools were used to wipe the very backups customers were relying on.

6. Are administrative tasks done from dedicated, hardened accounts?

Good practice is for engineers to use separate, locked-down accounts for privileged work rather than logging into your systems from the same laptop they use for email and browsing. Ask whether they use privileged access workstations or equivalent controls. This sounds like deep technical detail, but the question itself tells a provider you expect them to take separation seriously.

7. Can you show us evidence, not just promises?

Finish by asking for proof. A recent penetration test summary. Their Cyber Essentials Plus certificate. A copy of their incident-response plan. The supplier inventory itself. A provider with mature security practices will have these documents ready. A provider that has to scramble for weeks is telling you something important.

What to do with the answers

Don't expect perfection. Even strong providers will have gaps, and an honest 'we don't do that yet, here's our plan' is more reassuring than a polished non-answer. What you're really testing is whether your provider treats their own supply chain as a risk to you, or whether they've never considered the question at all.

If the responses are thin, raise it formally. Put your expectations into the next contract renewal: enforced MFA, a maintained supplier inventory, a defined breach-notification window and immutable backups. These are reasonable things to demand, and naming them turns a worrying headline into a concrete improvement.

The 43% figure is genuinely alarming, but it's also a prompt. Your provider's security is your security. This quarter, find out exactly how good it is.

If you'd like a hand running this audit against your current provider, or you want to see how Cloudworks answers every one of these questions, get in touch. We'd rather you asked.
