Here is a sentence you will almost never read on a managed IT provider's website: most of us got breached last year. Not "the industry faces challenges." Not "threats are evolving." Breached — as in an attacker got inside the company that your business pays to keep attackers out.
The 2026 CyberSmart MSP Survey, published in May 2026 and based on responses from 350 managed service provider leaders, put a number on it. Three quarters of MSPs admitted to suffering at least one breach in the previous twelve months. More than half — 54% — were breached two or more times. Nearly a third, 32%, were breached three or more times [IT Security Guru]. And in the same survey, MSP confidence in their own security posture remained high. That gap, between how often providers are actually being compromised and how secure they believe they are, is the most important thing a Texas business owner can understand about the company managing their technology.
This article is not an industry self-own. It is the opposite. The breach data is uncomfortable for every MSP, ITECS included — the threat environment does not exempt anyone. But the data also separates two very different kinds of provider, and that distinction is something every business deserves to be able to evaluate. The goal here is to give you the questions, the context, and the vocabulary to tell a hardened IT provider from a vulnerable one — because in 2026, that single decision sets a ceiling on your own security.
Key Takeaways
- The 2026 CyberSmart MSP Survey found 75% of MSPs were breached at least once in the past 12 months, 54% were breached two or more times, and 32% three or more times.
- Your MSP is a single point of compromise: its remote management tools, shared tenancy, and credentials reach directly into your network. When the provider is breached, every client is in the blast radius.
- Software supply chain attacks now reach inside IT providers — the April–May 2026 "Mini Shai-Hulud" campaigns poisoned SAP, TanStack, and Mistral AI packages to steal exactly the cloud credentials and tokens MSPs depend on.
- A hardened MSP is distinguishable by concrete architecture: segmented per-client tenancy, a locked-down RMM, privileged access management, internal managed detection and response, and a credible SOC 2 trajectory.
- Asking your provider a short, specific set of questions — and listening for specifics rather than reassurance — is the single highest-value security review a business can run this year.
The Number Nobody in the Channel Wants to Discuss
The managed services industry sells trust. That is the product. A business hands over its infrastructure, its credentials, its backups, and its security controls because the provider promises to defend them better than the business could alone. For most organizations, that promise holds — a competent MSP genuinely raises the floor. But the CyberSmart numbers force an honest conversation about what "competent" now requires.
Seventy-five percent breached. Fifty-four percent breached more than once. The natural response is to assume those breaches are minor — a phishing email here, a spam incident there. Some are. But the same survey found that MSPs rank AI-driven threats as their top concern for the second consecutive year, and a parallel finding showed 46% of MSP customers are now more worried about operational costs and inflation than about cybersecurity [Technology Reseller]. Read those two facts together and the picture sharpens: attackers are getting faster and more automated, while budget pressure pushes security investment down the priority list on both sides of the contract. The breaches are not all minor, and the conditions that produced them are not improving on their own.
What makes the statistic genuinely alarming is not the breach rate by itself. It is the breach rate combined with the confidence rate. When an industry is being compromised at this frequency while remaining confident in its posture, it means a large share of providers do not have the visibility to know how exposed they are. A provider that cannot accurately assess its own risk cannot accurately assess yours. That is the real exposure a Texas business is buying into when it signs with the wrong MSP — not a single bad vendor, but a structural blind spot.
- 75% of MSPs breached at least once in the past 12 months
- 54% breached two or more times in the same period
- 32% breached three or more times
Source: The 2026 CyberSmart MSP Survey (350 MSP leaders), via IT Security Guru.
Why Your MSP Is a Single Point of Compromise
To understand why an MSP breach is categorically different from an ordinary vendor breach, you have to look at what an MSP actually holds. A managed IT provider is not a vendor that sits beside your network. It is a vendor that sits inside it, by design, with the keys.
Three structural facts make every MSP a concentrated target. The first is the remote monitoring and management platform — the RMM. This is the tool that lets the provider patch your servers, push software, run scripts, and remote into any workstation. It is, functionally, a legitimate remote-access backdoor into every client at once. Security researchers are blunt about what this means: if an RMM is compromised, it can be used to execute ransomware, exfiltrate data, or disable security controls across multiple client environments simultaneously [NinjaOne]. One stolen RMM credential is not one breach. It is every client the provider serves.
The second fact is shared tenancy. Many MSPs run their clients inside shared management consoles, shared documentation platforms, and shared security tooling, often without strict separation between one client's data and the next. When the boundaries between clients are weak, an attacker who lands in one client's environment — or in the provider's own systems — can move laterally into others. The third fact is credential concentration: an MSP stores administrative passwords, cloud tenant access, backup system logins, and domain credentials for dozens or hundreds of businesses in one place. That concentration is the entire economic case for attacking providers instead of individual businesses. Compromise one MSP and you have pre-positioned access into its whole client base.
The MSP blast radius: a single provider compromise propagates through RMM access, shared tenancy, and stored credentials into every client environment at once.
None of this is an argument against using an MSP. A business that runs its own IT in 2026 without managed support is, in almost every case, less secure, not more. The point is narrower and more useful: because the provider is a single point of compromise, the security architecture of the provider itself is now a material part of your risk. You are not just buying a service. You are inheriting a security posture. And the CyberSmart data says three out of four of those postures failed at least once last year.
The Supply Chain Is Now Inside Your IT Provider
If the RMM is the front door, the software supply chain is the unlocked window most people never check. Through 2025 and into 2026, attackers shifted decisively toward poisoning the open-source packages that virtually all modern software — including the tooling MSPs build and run — depends on.
The scale is hard to overstate. Sonatype's 2026 State of the Software Supply Chain Report counted more than 1.2 million malicious open-source packages cumulatively across the major registries, with over 454,000 newly identified in 2025 alone — a 75% year-over-year jump [Sonatype]. Verizon's most recent Data Breach Investigations Report found the third-party share of breaches doubled from 15% to 30%, the largest single-year shift in the report's history. And IBM priced the average supply chain compromise at $4.91 million with a 267-day mean lifecycle — the longest-dwelling breach category it tracks.
Two 2026 campaigns make the threat concrete. In late April, a crew calling itself "Mini Shai-Hulud" — attributed by multiple research teams to the group TeamPCP — poisoned SAP-related npm packages including the Cloud MTA Build Tool and several CAP database service packages, which together draw over 500,000 weekly downloads [The Register]. The malicious versions ran a preinstall script that bootstrapped an obfuscated payload through the Bun runtime specifically to evade Node.js-based security monitoring, then harvested GitHub and npm tokens, AWS, Azure and GCP cloud secrets, Kubernetes credentials, and browser-stored passwords [SecurityWeek]. Two weeks later, a coordinated May 11 campaign compromised more than 170 npm packages and additional PyPI packages — 404 malicious versions in total — reaching projects from TanStack to Mistral AI [BankInfoSecurity].
Look closely at what those payloads steal: CI/CD secrets, cloud credentials, API keys, source-control tokens. That is a precise description of an MSP's operational toolkit. A provider whose engineers pull packages into automation scripts, internal tools, or client deployments without supply chain controls is one bad npm install away from handing an attacker the exact credentials that reach into client environments. The same TeamPCP cluster has already been tied to compromises of Checkmarx, Bitwarden-related tooling, Telnyx, LiteLLM, and the Trivy scanner — the developer and security tools that technical service firms use every day. The supply chain attack is no longer a problem for software companies. It is a problem for anyone whose IT provider writes a line of code or runs a build.
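The install-time hook is the part of this pattern a provider can actually inspect before anything runs. The following script is an added example, not code from ITECS or any vendor named in this article: it walks a node_modules tree, reports every package that registers a preinstall, install, postinstall or prepare script, and raises the severity when that hook hands control to a runtime or downloader an install step rarely needs. The hook list, the SUSPECT_RUNTIMES pattern and the three sample manifests are assumptions constructed for the demo.

```python
"""Audit npm package manifests for install-time lifecycle hooks.

Added example; not ITECS code. Scans package.json files under a node_modules
tree (transitive dependencies included) and reports install-time hooks.
"""
import json
import re
import tempfile
from pathlib import Path

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# A hook that pulls in a second runtime or a downloader is a signal to review,
# not proof of compromise: legitimate native addons also register install hooks.
SUSPECT_RUNTIMES = re.compile(r"\b(bun|bunx|curl|wget|powershell|base64)\b", re.IGNORECASE)

# Constructed manifests for the demo; the third mimics the shape described
# above (a preinstall hook handing control to bun) with no payload behind it.
SAMPLE_MANIFESTS = {
    "plain-utility": {"name": "plain-utility", "version": "1.0.0"},
    "native-addon": {"name": "native-addon", "version": "2.1.0",
                     "scripts": {"install": "node-gyp rebuild"}},
    "hook-to-bun": {"name": "hook-to-bun", "version": "3.4.1",
                    "scripts": {"preinstall": "bun ./setup.mjs"}},
}


def audit_manifest(name, manifest):
    """Return one finding per lifecycle hook registered in a package.json dict."""
    findings = []
    scripts = manifest.get("scripts") or {}
    for hook in LIFECYCLE_HOOKS:
        command = scripts.get(hook)
        if not command:
            continue
        severity = "high" if SUSPECT_RUNTIMES.search(command) else "review"
        findings.append({"package": name, "version": manifest.get("version", "?"),
                         "hook": hook, "command": command, "severity": severity})
    return findings


def audit_node_modules(root):
    """Walk every package.json under root, transitive dependencies included."""
    root = Path(root)
    findings = []
    for pkg_json in sorted(root.rglob("package.json")):
        try:
            manifest = json.loads(pkg_json.read_text(encoding="utf-8"))
        except (OSError, json.JSONDecodeError):
            continue  # unreadable or malformed manifest: skip it, do not abort the scan
        name = manifest.get("name") or str(pkg_json.parent.relative_to(root))
        findings.extend(audit_manifest(name, manifest))
    return findings


def demo():
    """Write the sample manifests into a throwaway node_modules tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, manifest in SAMPLE_MANIFESTS.items():
            pkg_dir = Path(tmp) / "node_modules" / name
            pkg_dir.mkdir(parents=True)
            (pkg_dir / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
        return audit_node_modules(tmp)


if __name__ == "__main__":
    for f in demo():
        print(f"[{f['severity']:>6}] {f['package']}@{f['version']} {f['hook']}: {f['command']}")
```

Run it against a real checkout with `audit_node_modules("path/to/node_modules")` after a dry install. The scan is a review aid, not a blocklist: the native-addon case shows that a legitimate package can register an install hook too, so the useful policy is to set `ignore-scripts=true` in `.npmrc` (or install with `npm install --ignore-scripts`) so hooks never run by default, and then allow the handful of packages that genuinely need them after a human has read what they do.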
What Separates a Hardened MSP From a Vulnerable One
Here is the constructive half of the argument. The CyberSmart breach rate is an industry average, and averages hide structure. A meaningful share of those breaches concentrate in providers that never built the architecture to contain them. The providers on the other side of the distribution — the hardened ones — share five specific, verifiable traits. None of them are marketing language. Each is something you can ask about and evaluate.
1. Segmented Per-Client Tenancy
A hardened MSP isolates every client from every other client at the architectural level. Separate administrative boundaries, separate credential stores, separate management scopes, and network segmentation that prevents lateral movement between environments. The test is simple: if one client is compromised, does the blast stop at that client's boundary? In a hardened provider, the answer is yes by design. In a vulnerable one, a single client breach becomes a portfolio breach. Segmentation is also what makes the provider's own breach survivable — it converts a catastrophic event into a contained one.
2. A Hardened RMM
Because the RMM is the highest-value target a provider operates, it deserves the strictest controls in the building. A hardened RMM means phishing-resistant multi-factor authentication on every operator account, with no exceptions; tightly scoped role-based access so a help-desk technician cannot reach the whole estate; allow-listed source networks for console access; full session logging and recording; and real-time alerting on anomalous activity such as off-hours script execution or bulk actions [NinjaOne]. A provider that runs its RMM with shared logins, SMS-based MFA, or no session auditing is running the single most dangerous tool in managed services as if it were a convenience app.
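What "real-time alerting on anomalous activity" looks like in practice is a small set of rules over the RMM's operator audit trail. The script below is an added example, not ITECS or NinjaOne code: it parses constructed audit lines and applies three of the controls just listed as detections, namely console activity from outside the allow-listed source networks, script execution outside business hours, and a bulk action (many distinct targets by one operator within a few minutes). The key=value line format, the UTC business window, the 203.0.113.0/24 allow-list and the thresholds are all assumptions; a real deployment parses the vendor's own export and localizes the hours.

```python
"""Three detection rules over RMM operator audit events.

Added example; not ITECS or NinjaOne code. Line format, business window,
allow-listed range and thresholds are assumptions for the demo.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

ALLOWED_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]  # assumed office/VPN egress
BUSINESS_HOURS = (8, 18)             # 08:00 to 17:59 UTC counts as in-hours (assumption)
BULK_THRESHOLD = 5                   # distinct targets by one operator within BULK_WINDOW
BULK_WINDOW = timedelta(minutes=10)

# Constructed audit lines: jsmith works normally; tlee connects from outside the
# allow-list at 02:47 UTC and scripts five machines across two clients in seconds.
SAMPLE_LOG = """\
2026-05-18T09:12:03Z op=jsmith src=203.0.113.10 action=console_login
2026-05-18T09:15:41Z op=jsmith src=203.0.113.10 action=run_script target=ws-0042 client=acme
2026-05-18T02:47:09Z op=tlee src=198.51.100.7 action=console_login
2026-05-18T02:47:30Z op=tlee src=198.51.100.7 action=run_script target=srv-01 client=acme
2026-05-18T02:47:31Z op=tlee src=198.51.100.7 action=run_script target=srv-02 client=acme
2026-05-18T02:47:32Z op=tlee src=198.51.100.7 action=run_script target=ws-0101 client=beta
2026-05-18T02:47:33Z op=tlee src=198.51.100.7 action=run_script target=ws-0102 client=beta
2026-05-18T02:47:34Z op=tlee src=198.51.100.7 action=run_script target=ws-0103 client=beta
"""


def parse_line(line):
    """'2026-...Z k=v k=v' -> dict with a timezone-aware 'ts' plus the k=v fields."""
    stamp, *fields = line.split()
    event = {"ts": datetime.fromisoformat(stamp.replace("Z", "+00:00"))}
    for item in fields:
        key, _, value = item.partition("=")
        event[key] = value
    return event


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Return one alert per (rule, operator) so a noisy operator is not a flood."""
    alerts = []
    seen_sources = set()
    off_hours = defaultdict(int)
    scripts_by_op = defaultdict(list)

    for ev in events:
        # Rule 1: console activity from a source network that is not allow-listed
        src = ipaddress.ip_address(ev["src"])
        key = (ev["op"], ev["src"])
        if key not in seen_sources and not any(src in net for net in ALLOWED_SOURCES):
            seen_sources.add(key)
            alerts.append({"rule": "source_not_allowlisted", "op": ev["op"], "src": ev["src"]})
        if ev.get("action") != "run_script":
            continue
        # Rule 2: script execution outside the business window
        if not BUSINESS_HOURS[0] <= ev["ts"].hour < BUSINESS_HOURS[1]:
            off_hours[ev["op"]] += 1
        scripts_by_op[ev["op"]].append(ev)

    for op, count in off_hours.items():
        alerts.append({"rule": "off_hours_script", "op": op, "count": count})

    # Rule 3: bulk action, i.e. many distinct targets by one operator in a short window
    for op, evs in scripts_by_op.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            targets = {e["target"] for e in evs[i:] if e["ts"] - first["ts"] <= BULK_WINDOW}
            if len(targets) >= BULK_THRESHOLD:
                alerts.append({"rule": "bulk_script_execution", "op": op,
                               "targets": sorted(targets), "since": first["ts"].isoformat()})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample the three rules all fire on tlee and none on jsmith, which is the shape you want from a first pass: a single operator producing three independent signals is worth a page to the on-call engineer, whereas any one of them alone (an engineer on a maintenance window, a new VPN egress) is often benign. The per-operator aggregation is deliberate; alerting once per event would have produced five off-hours alerts for one session.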
3. Privileged Access Management
The credentials an MSP holds for its clients are the crown jewels, and they should be treated that way. Privileged access management (PAM) means client administrative credentials are vaulted rather than reused, access is granted just-in-time and time-boxed rather than standing, every privileged session is logged, and credentials rotate automatically. A hardened provider can tell you exactly which engineer accessed which client system, when, and why — and can revoke that access in seconds. As an authorized 1Password reseller and managed services partner, ITECS treats credential governance as a foundational control rather than an afterthought, because credential reuse is precisely what turns one stolen password into a multi-client incident.
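The two traits above, per-client isolation and just-in-time credential access, are easiest to see together in one small model. The following is an added example, not ITECS or 1Password code: an in-memory vault that stands in for a real PAM product. Engineers are scoped to the clients they may touch (the tenancy boundary from trait 1), a grant is time-boxed, every decision is appended to an audit trail, and the stored secret rotates the moment a grant is returned or expires. Engineer names, client names, account names and durations are constructed for the demo.

```python
"""Just-in-time, client-scoped credential check-out with rotation on return.

Added example; not ITECS or 1Password code. Scopes, names and durations
are constructed for the demo.
"""
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


class AccessDenied(Exception):
    pass


@dataclass
class Grant:
    grant_id: str
    engineer: str
    client: str
    account: str
    expires_at: datetime
    active: bool = True


class Vault:
    def __init__(self, scopes):
        self.scopes = scopes      # engineer -> set of clients they may touch
        self.secrets = {}         # (client, account) -> current secret value
        self.grants = {}          # grant_id -> Grant
        self.audit = []           # append-only (timestamp, event, detail) records

    def _log(self, now, event, **detail):
        self.audit.append((now.isoformat(), event, detail))

    def enroll(self, client, account, now):
        # The stored credential is generated by the vault, never typed or reused by a human.
        self.secrets[(client, account)] = secrets.token_urlsafe(24)
        self._log(now, "enroll", client=client, account=account)

    def request(self, engineer, client, account, reason, now, minutes=30):
        if client not in self.scopes.get(engineer, set()):
            self._log(now, "denied_out_of_scope", engineer=engineer, client=client)
            raise AccessDenied(f"{engineer} is not scoped to client {client}")
        if (client, account) not in self.secrets:
            raise KeyError(f"no credential enrolled for {client}/{account}")
        grant = Grant(secrets.token_hex(8), engineer, client, account, now + timedelta(minutes=minutes))
        self.grants[grant.grant_id] = grant
        self._log(now, "grant", grant_id=grant.grant_id, engineer=engineer,
                  client=client, account=account, reason=reason, minutes=minutes)
        return grant.grant_id

    def use(self, grant_id, now):
        grant = self.grants.get(grant_id)
        if grant is None or not grant.active:
            raise AccessDenied("unknown or revoked grant")
        if now >= grant.expires_at:
            self.release(grant_id, now, expired=True)   # expiry rotates just like a return
            raise AccessDenied("grant expired")
        self._log(now, "use", grant_id=grant_id, engineer=grant.engineer, client=grant.client)
        return self.secrets[(grant.client, grant.account)]

    def release(self, grant_id, now, expired=False):
        grant = self.grants[grant_id]
        if not grant.active:
            return
        grant.active = False
        # Rotate on return so a secret copied during the window is worthless afterwards.
        self.secrets[(grant.client, grant.account)] = secrets.token_urlsafe(24)
        self._log(now, "expired" if expired else "release", grant_id=grant_id,
                  engineer=grant.engineer, client=grant.client)
        self._log(now, "rotate", client=grant.client, account=grant.account)


def demo():
    """One scoped check-out, one expired grant, three denials; returns what to assert on."""
    t0 = datetime(2026, 5, 18, 9, 0, tzinfo=timezone.utc)
    vault = Vault(scopes={"jsmith": {"acme"}, "tlee": {"beta"}})
    vault.enroll("acme", "domain-admin", t0)
    gid = vault.request("jsmith", "acme", "domain-admin", "ticket 1234 patch window", t0)
    before = vault.use(gid, t0 + timedelta(minutes=5))
    vault.release(gid, t0 + timedelta(minutes=10))
    after = vault.secrets[("acme", "domain-admin")]
    denied = []
    try:    # tlee is scoped to beta only: acme's credential is out of reach by design
        vault.request("tlee", "acme", "domain-admin", "curious", t0 + timedelta(minutes=15))
    except AccessDenied as exc:
        denied.append(str(exc))
    gid2 = vault.request("jsmith", "acme", "domain-admin", "ticket 1235", t0 + timedelta(minutes=20), minutes=5)
    try:    # time-boxed: the window closed before the secret was read
        vault.use(gid2, t0 + timedelta(minutes=26))
    except AccessDenied as exc:
        denied.append(str(exc))
    try:    # a returned grant never resolves again
        vault.use(gid, t0 + timedelta(minutes=30))
    except AccessDenied as exc:
        denied.append(str(exc))
    return {"rotated": before != after, "denied": denied, "audit": vault.audit}


if __name__ == "__main__":
    for stamp, event, detail in demo()["audit"]:
        print(stamp, event, detail)
```

The audit list is the answer to the question a hardened provider should be able to give in seconds: which engineer touched which client's account, when, under what ticket, and whether the credential has since rotated. The out-of-scope denial is where tenancy isolation and PAM meet: the policy check happens in the vault, not in the engineer's head.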
4. Internal Managed Detection and Response
This is the trait that most directly explains the CyberSmart confidence gap. Many breached MSPs did not lack security tools — they lacked the ability to see their own compromise. A hardened provider monitors itself with the same rigor it sells to clients: 24/7 detection across its own endpoints, identity systems, and RMM; a defined incident response runbook it has actually rehearsed; and the instrumentation to detect an intrusion in hours rather than the 267-day industry average for supply chain compromise. A provider that delivers managed detection and response to clients but does not run it internally is selling a discipline it has not adopted.
5. A Credible SOC 2 Trajectory
SOC 2 is an independent audit of how an organization handles security, availability, and confidentiality. For an MSP, it is the closest thing to a verifiable proof of posture — because it forces documented policies, evidence collection, and a third-party examination rather than self-assessment. A provider that holds a SOC 2 report, or is on a genuine, dated path toward one, is demonstrating that its controls survive outside scrutiny. The word that matters is "credible." A real SOC 2 trajectory has an auditor engaged, a scope defined, and a timeline. A vague "we're working toward it" with no specifics usually means it has not started.
| Control Area | Hardened MSP | Vulnerable MSP |
|---|---|---|
| Client tenancy | Segmented and isolated per client | Shared consoles, weak boundaries |
| RMM access | Phishing-resistant MFA, scoped roles, full session logging | Shared logins, SMS MFA, no auditing |
| Client credentials | Vaulted, just-in-time, auto-rotated | Reused, standing, stored in spreadsheets |
| Self-monitoring | 24/7 internal MDR, rehearsed IR plan | Monitors clients, not itself |
| Independent assurance | SOC 2 report or dated, scoped path | Self-assessed, no external audit |
| Supply chain | Dependency controls, package vetting | Unmanaged installs, no visibility |
A hardened provider runs the same detection and response discipline internally that it sells to clients — and can prove it.
The Questions Every Texas Business Should Ask Their IT Provider
You do not need to be a security engineer to evaluate an MSP. You need a short list of specific questions and the willingness to notice whether the answers contain specifics or reassurance. A hardened provider will welcome these questions and answer them concretely. A vulnerable provider will deflect, generalize, or get defensive — and that reaction is itself the answer. Bring this list to your next quarterly business review.
The MSP Security Conversation — 9 Questions
- Were you breached in the past 12 months — and if so, how did you detect it and what changed? The honest answer in 2026 may well be yes. What matters is whether they can describe detection time, scope, and the concrete improvements that followed. Honesty plus a remediation story beats a confident "no" with no detail.
- How is my environment isolated from your other clients? Listen for "segmentation," "separate tenancy," and "no lateral path between clients." Be wary of vague answers about "best practices."
- What protects your RMM, and who can access it? A strong answer names phishing-resistant MFA, role-based access, session logging, and source-network restrictions. A weak answer is "it's secured."
- How do you store and manage the administrative credentials to my systems? You want to hear "vaulted," "just-in-time access," "automatic rotation," and "full session logs." You do not want to hear "a password manager" with no further detail — or worse, silence.
- Do you run 24/7 detection and response on your own internal systems? This separates providers who sell security from providers who practice it. Ask when they last detected and responded to an incident in their own environment.
- Do you have a SOC 2 report, and may I see it — or what is your dated path to one? A scoped engagement with an auditor and a timeline is credible. "We follow SOC 2 principles" is not the same thing.
- How do you control software supply chain risk in the tools and scripts you run? Given the npm, PyPI, and SAP package attacks of 2026, a provider should be able to describe dependency vetting and package controls — not look puzzled by the question.
- What is your incident response plan if you are breached, and how and when would you notify me? You want a defined notification commitment measured in hours, not "we'd let you know."
- Can you produce a current security assessment of my environment — and when was the last one? A provider that has never formally assessed your posture is guessing. A current, documented assessment is the baseline of a real partnership.
"The right question is not 'have you ever been breached.' In 2026, the right question is 'when you are breached, what stops it from becoming my breach too.'"
— Cybersecurity Practice Lead, ITECS
How to Run the Conversation
None of this is about catching your provider out. A long-tenured MSP relationship has real value, and switching providers carries its own risk. The goal of the nine questions is not to assemble a case for leaving — it is to surface where your inherited posture is strong and where it is thin, so you and your provider can fix the thin parts together.
The most productive way to run the conversation is collaboratively. Share this list ahead of a quarterly review so the provider can prepare real answers rather than improvise. A confident, hardened MSP will treat the exercise as a chance to demonstrate exactly why it is worth its fee. If the response is defensiveness, vague reassurance, or pressure to drop the subject, you have learned something important — and you have learned it before an attacker did.
For Texas businesses that want an independent read, a third-party security posture assessment is the cleanest path. It evaluates your environment and, by extension, the quality of the controls your provider has put in place — without the conflict of interest that comes from asking a provider to grade its own work. ITECS conducts these assessments for organizations across Texas, including businesses that already have an MSP and simply want to know where they actually stand. Whether the outcome is a clean bill of health, a punch list for your current provider, or a conversation about managed cybersecurity services and managed IT services built on a hardened architecture, the value is the same: you replace assumption with evidence.
The CyberSmart survey delivered an uncomfortable number, but the uncomfortable number is also a useful one. It tells every business exactly what to do next — not panic, not necessarily switch, but ask. The providers worth keeping will have answers. The questions cost nothing. The blind spot, if you have one, is the expensive part.
Find Out Where You Actually Stand
ITECS runs independent security posture assessments for Texas businesses — including organizations that already have an IT provider and want an objective read on the architecture they have inherited. We evaluate tenancy isolation, credential governance, detection coverage, and supply chain exposure, then hand you a prioritized findings report you can act on with any provider.
Start Your Security Posture Assessment
Sources
- IT Security Guru — Over Half of MSPs Admit to Being Breached Multiple Times in Past Year (2026 CyberSmart MSP Survey): itsecurityguru.org
- Technology Reseller — Economic strain pushes cybersecurity down the priority list for MSP customers, CyberSmart research reveals: technologyreseller.uk
- The Register — Ongoing supply chain attacks worm into SAP npm packages: theregister.com
- SecurityWeek — SAP npm Packages Targeted in Supply Chain Attack: securityweek.com
- BankInfoSecurity — Mass Supply-Chain Attack Slams npm and PyPI, Hits Mistral AI: bankinfosecurity.com
- Sonatype — 2026 State of the Software Supply Chain Report: sonatype.com
- NinjaOne — MSP Cybersecurity Checklist 2026 (RMM hardening guidance): ninjaone.com
