As an IT provider what should you be considering in relation to remote working?

Remote working is here to stay. Even if the pandemic finished tomorrow, the flexibility and work-life balance have changed many employees’ expectations for the future. With that in mind, how does remote working affect the infrastructure of Managed Service Providers (MSPs) and the companies they support?


A recent survey revealed that 97% of MSPs are worried they could suffer a security breach that would compromise a client’s infrastructure (*Vanson Bourne, ‘MSPs speak: cyber security and the future role of the MSP’, 2021). The same survey showed that only 2% of MSPs said they were not struggling with any cybersecurity, backup and/or disaster recovery challenges as a result of the rise of remote work.


What are the threats?

Supply chain attacks.

As demonstrated by the SolarWinds attack, and more recently the Log4j vulnerability, products that MSPs install into their clients’ infrastructure, if then exploited, can leave all of those clients vulnerable to attack. It is therefore crucial that MSPs thoroughly assess the protections that their vendors have in place. The National Cyber Security Centre has a 12-step approach to assessing your supply chain to help understand the risks, establish control and continuously improve cyber security.


Lack of trust

49% of MSPs admit that their clients do not completely trust the security of the services their organisation provides, with 53% of MSPs not trusting the vendors they currently use*. Lack of trust has massive implications for a customer-based business. If your clients don’t trust you, then why would they stay with you? But how can you build trust?

  • Be proactive with your security conversations – if you help your clients to stay safe and build their business, they are more likely to stay with you.

  • Admit when you can’t deliver what your customer needs, but instead of letting that customer be under-supported, build a relationship with a cyber security company that has the knowledge and experience to assist with key services such as incident response or virtual CISO responsibilities.

  • Test your systems. Get an outside company to test your own and your clients’ systems. The ECRC has affordable student services which include vulnerability assessments, meaning that you can mitigate the issues before they become the cause of a data breach.

Increasing costs

Only 1% of MSPs didn’t have to raise costs due to the increase in remote working, but 71% struggled to demonstrate the value of the cost increase. Businesses don’t want to pay more for services they don’t understand and, let’s face it, some of them can’t afford it. There is a wide range of free tools and services that you could offer to clients to add value without cost. For example, Police CyberAlarm is a free tool which monitors incoming threats to a network, and the NCSC’s Logging Made Easy monitors internal network traffic. For those companies with tight budgets, this might be a way of offering increased security without the associated price tag. You can find some more free tools on the ECRC website.


Software as a Service that is not managed by you

The average number of SaaS tools in a company is 14, and the proportion managed by MSPs is 58%*. That would suggest there could be substantial blind spots on your clients’ networks, which you are unable to protect. Conversations about how MSPs can be a benefit in terms of managing the licences, onboarding, security and performance of SaaS might be required. At the very least, you need to have a clear understanding with your client about liability and risk.


The Future?

The National Cyber Security Centre (NCSC) has created a Cyber Assessment Framework (CAF) which the DCMS is considering asking MSPs to adhere to. Under this new policy, MSPs would need to demonstrate wide security knowledge, from identity and access management through to more advanced measures such as proactive security monitoring and discovery. Although this is unlikely to be made into legislation this year, thinking now about how your company can implement these measures means that you won’t be panicking in the future.


Further guidance & support

You can contact the Cyber Resilience Centre for guidance and support by e-mail at enquiries@ecrcentre.co.uk, or use our online booking system to make an appointment with one of our team.

We also provide free guidance on our website and we would always encourage you to sign up for our free core membership. Core members receive regular updates which include the latest guidance, news, and security updates. Our core membership has been tailored for businesses and charities of all sizes who are based across the seven counties in the East of England.


