Cybersecurity skills shortage is biggest risk to Managed Service Providers (MSPs) and their clients, according to a new report by Sophos dubbed the Sophos “MSP Perspectives 2024” survey report.
Commissioned by Sophos and conducted by research house Vanson Bourne in March 2024, the inaugural report surveyed over 350 MSPs across the U.S. [200], U.K. [50], Germany [50] and Australia [50]. The report found that the biggest day-to-day challenge facing Managed Service Providers [MSP] is keeping up with the latest cybersecurity solutions/technologies, cited by 39% of the MSPs surveyed.
According to Scott Barlow vice president of MSP at Sophos. “The speed of innovation across the cybersecurity battleground means it’s harder than ever for MSPs to keep up with threats and the cyber controls designed to stop them. When you couple this with a global skills shortage, which has made it infinitely more difficult for many MSPs to attract and retain cybersecurity analyst resources, its unsurprising that MSPs feel unable to keep pace with the changing threat landscape. This is all compounded by the need for 24×7 coverage as indicated in our 2023 Active Adversary report for Tech Leaders, which finds that 91% of ransomware attacks now happen out of business hours.”
MSPs perceive the shortage of in-house cybersecurity skills to be the single biggest cybersecurity risk to both their own business and their clients’ organizations while stolen access data and credentials and unpatched vulnerabilities are amongst the biggest security risks to their customers. The latest State of Ransomware 2024 report found that nearly a third [29%] of ransomware attacks started with compromised credentials, showing the prevalence of this entry vector.
There is growing demand for managed detection and response [MDR] services to provide always-on coverage. Currently 81% of MSPs offer an MDR service, and almost all [97%] MSPs that do not currently offer MDR plan to add it to their portfolio in the coming years.
Reflecting the shortage of in-house cybersecurity skills, 66% of MSPs use a third-party vendor to deliver the MDR service and a further 15% deliver jointly through their own SOC and a third-party vendor. Topping the list of essential capabilities in a third-party MDR provider is the ability to provide a 24/7 incident response service. Hiring new cybersecurity analysts to keep up with customer growth and keep pace with the latest cyberthreats is also a top challenge.
MSPs are also streamlining their cybersecurity partnerships, working with a small number of vendors. The study revealed that over half [53%] of MSPs work with just one or two cybersecurity vendors, rising to 83% that use between one and five. Reflecting the effort and overhead of running multiple platforms, MSPs estimate that they could cut their day-to-day management time by 48% if they could manage all their cybersecurity tools from a single platform.
The report also indicates that 99% of MSPs saw an increase in demand for cyber insurance-related support, with the most common requests including clients wanting to implement an MDR service to improve their insurability [47%] or to receive help completing their insurance application [45%.