Guest writer Roddy Bergeron, Cybersecurity Technical Fellow, explores how Managed Service Providers (MSPs) can strengthen their vendor risk management strategies and build true cyber resilience. Learn how to protect your clients and your trust before the next threat tests your supply chain.

Every MSP knows ransomware isn’t going anywhere. It’s evolved from a rare catastrophe to an everyday business risk — one that makes headlines when it lands at the top of the supply chain. We won’t name names here, but the news cycle speaks for itself: even the biggest platforms can get locked down, partners can get stranded mid-transaction, and the silence that follows can cost more than any ransom note. It’s not a matter of if, but when.

We all brace for security incidents (like ransomware, leaked data, or credential theft), but what about the quiet assumptions we make about the people and companies we trust to protect us when it hits? That’s where real resilience begins… and where too many businesses learn the hard way that a security stack isn’t the same as a trust stack.

The real test of resilience

There’s a reason I keep telling partners: resilience isn’t just a firewall, a backup, or a patch cadence. Those things matter, but they’re not the first line of defense when something breaks. Your people and your partners are.

When a crisis strikes, you don’t want a silent status page. You want clear communication, early honesty, and a partner that respects how your reputation rides on theirs. Any breach is an opportunity to learn — some lessons just cost more than others when the response leaves partners guessing.

The blind spots no dashboard will flag

Most threats that burn MSPs aren’t new zero-days. They’re assumptions that never got tested:

  • “We assumed our supplier’s stack was bulletproof.”
  • “We assumed we’d hear about a problem before our clients did.”
  • “We assumed our supply chain couldn’t be our single point of failure.”

Too often, the cracks show up when the lights go out and you realize you don’t have a plan B! That’s why I always tell partners the real test is simple: if your primary system goes dark today, what do you do tomorrow? Who do you call, and how fast can you pivot?

Two big questions every MSP needs to revisit regularly

I hear the same two questions every time MSPs want to tighten their resilience. They’re simple, but they’ll save you more pain than any antivirus ever will.

  1. How do I transact when the platform is down?

    For too many MSPs, a single pipeline feeds every piece of hardware, software, and licensing they deliver to clients. When that pipeline’s frozen, your client commitments don’t pause. They expect hardware to ship, licenses to activate, subscriptions to renew, and other downstream services to function. If you’re relying on a single supply route, you’re betting your revenue — and your reputation — on nothing going wrong. That’s not resilience.

  2. What does my vendor actually have access to?

    Here’s the other blind spot: delegated access. Whether it’s Office 365 GDAP permissions, admin consoles, or API keys, your vendors might have a direct line into your environment or your clients’ environments. That access is there to help you work faster — until it isn’t. If your vendor’s compromised, could an attacker use that trust link to pivot deeper into your client tenants? It’s a question too few MSPs want to test in real time.

In my most recent Security Masterclass session in Toronto, I asked the room: “Who knows exactly what permissions their vendors have inside their client tenants?” Very few raised their hands. It’s simple: the more keys you hand out, the bigger the mess when one door gets kicked in. Vendor risk is a choice — you either manage it or you trust someone else to. Don’t leave it to chance.

Not sure where to start? I put together a simple vendor risk questionnaire you can use as a baseline to check your suppliers, their access and their security maturity, and make sure you’re covered. It’s not about mistrust; it’s about knowing exactly who holds your keys, how they protect them, and how they’ll stand up when you need them to.

So what should you do next?

If you only take one thing away from this, make it this: you can’t patch trust gaps overnight. But you can tighten them with the same discipline you apply to your own internal stack.

Here’s where I tell every partner to start:

Run a vendor risk management checkup.
If you don’t have one, build one. It’s not complicated. List your critical suppliers, understand what they access, and map out what happens if they go offline tomorrow.

Review permissions regularly.
Check your delegated access — Office 365 GDAP is a big one for most MSPs. Remove accounts or roles you don’t truly need. Rotate passwords and keys. Apply least privilege like you do internally.

Read your vendors’ SOC reports and ask for proof.
SOC 2 reports are table stakes now. But don’t stop at the paperwork: ask how they handle incidents, how they communicate, and whether they test their own disaster recovery playbooks.

Plan your fallback.
How do you continue delivering if your vendor’s system goes offline? Who do you call? What’s your manual process? How do you revoke vendor access until the issue is over? A second source might cost a point or two on margin — until you need it. Then it saves the quarter.

Bring your clients into the conversation.
Your clients don’t care who your supplier is, but they do care if they can’t get hardware, a new license, or support when they need it. Good partners explain the risks up front. Great ones show they have a plan when it counts.
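The “Review permissions regularly” step above, as an added example that is not part of the original article: a small Python review script for Office 365 GDAP. It takes the JSON that Microsoft Graph returns from GET /tenantRelationships/delegatedAdminRelationships (trimmed to the fields used here) and flags every relationship that breaks least privilege: Global Administrator granted, a duration longer than a chosen maximum, a request left in a non-active state, or an expiry date you should decide on now. The sample payload is constructed for the example; the two role template IDs are the well-known Entra ID values for Global Administrator and Global Reader; the 180-day maximum and 30-day expiry warning are assumptions you would tune to your own policy.

```python
"""Least-privilege review of GDAP (granular delegated admin) relationships.

Added example, not code from the article or from Microsoft. Input is the JSON body
of GET /tenantRelationships/delegatedAdminRelationships, reduced to the fields used.
"""
import json
import re
from datetime import datetime, timezone

# Well-known Entra ID role template IDs (these two are real built-in values).
GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"
GLOBAL_READER = "f2ef992c-3afb-46b9-b7cf-a126ee74c451"

# Constructed sample in the shape Graph returns; tenant IDs and names are invented.
SAMPLE_GRAPH_RESPONSE = json.dumps({"value": [
    {"id": "rel-1", "displayName": "Vendor A - full admin", "status": "active",
     "duration": "P730D", "endDateTime": "2027-01-01T00:00:00Z",
     "customer": {"tenantId": "00000000-0000-0000-0000-000000000001", "displayName": "Client One"},
     "accessDetails": {"unifiedRoles": [{"roleDefinitionId": GLOBAL_ADMIN}]}},
    {"id": "rel-2", "displayName": "Vendor B - read only", "status": "active",
     "duration": "P180D", "endDateTime": "2026-03-10T00:00:00Z",
     "customer": {"tenantId": "00000000-0000-0000-0000-000000000002", "displayName": "Client Two"},
     "accessDetails": {"unifiedRoles": [{"roleDefinitionId": GLOBAL_READER}]}},
    {"id": "rel-3", "displayName": "Old vendor request", "status": "approvalPending",
     "duration": "P365D", "endDateTime": None,
     "customer": {"tenantId": "00000000-0000-0000-0000-000000000003", "displayName": "Client Three"},
     "accessDetails": {"unifiedRoles": [{"roleDefinitionId": GLOBAL_READER}]}},
    {"id": "rel-4", "displayName": "Vendor C - scoped", "status": "active",
     "duration": "P90D", "endDateTime": "2026-06-01T00:00:00Z",
     "customer": {"tenantId": "00000000-0000-0000-0000-000000000004", "displayName": "Client Four"},
     "accessDetails": {"unifiedRoles": [{"roleDefinitionId": GLOBAL_READER}]}},
]})


def parse_iso_days(duration) -> int:
    """Parse the day-only ISO 8601 duration GDAP uses (e.g. 'P730D'); 0 if absent."""
    match = re.fullmatch(r"P(\d+)D", duration or "")
    return int(match.group(1)) if match else 0


def review_gdap(graph_json: str, now_iso: str, max_duration_days: int = 180,
                expiry_warn_days: int = 30) -> dict:
    """Return {relationship id: [issues]} for every relationship needing attention.

    Thresholds are assumptions for the example; set them from your own policy.
    """
    now = datetime.fromisoformat(now_iso.replace("Z", "+00:00"))
    findings = {}
    for rel in json.loads(graph_json)["value"]:
        issues = []
        roles = [r["roleDefinitionId"]
                 for r in rel.get("accessDetails", {}).get("unifiedRoles", [])]
        if GLOBAL_ADMIN in roles:
            issues.append("grants Global Administrator; replace with task-scoped roles")
        if parse_iso_days(rel.get("duration")) > max_duration_days:
            issues.append(f"duration {rel['duration']} exceeds {max_duration_days} days; "
                          "shorten and re-approve")
        if rel.get("status") != "active":
            issues.append(f"status is {rel.get('status')!r}; terminate stale or pending requests")
        end = rel.get("endDateTime")
        if end:
            days_left = (datetime.fromisoformat(end.replace("Z", "+00:00")) - now).days
            if days_left < 0:
                issues.append("endDateTime is in the past; confirm it is expired and remove it")
            elif days_left <= expiry_warn_days:
                issues.append(f"expires in {days_left} days; decide now whether to renew")
        if issues:
            findings[rel["id"]] = issues
    return findings


if __name__ == "__main__":
    for rel_id, issues in review_gdap(SAMPLE_GRAPH_RESPONSE, "2026-02-20T00:00:00Z").items():
        print(rel_id)
        for issue in issues:
            print("  -", issue)
```

Run it against the real Graph response (the script only needs the `value` array) and work the findings list like any other access review: every Global Administrator grant becomes a set of narrower roles, every pending or expired relationship is terminated, and anything near expiry gets a deliberate renew-or-lapse decision rather than an automatic renewal.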

Trust is a practice, not a promise

There’s no perfect defense against ransomware. But there is a clear difference between partners who talk about resilience and partners who live it. Real trust shows up before the breach. It’s in the questions you ask, the scenarios you test and the people you call when the system says try again later.

Don’t wait for the next headline

Review your stack. Review your assumptions. Review your partnerships. Because the only thing more damaging than ransomware is a trust breach no patch can fix.

We can’t stop every breach. But we can improve our resilience and make sure trust isn’t what gets compromised next.

Written by Roddy Bergeron, Technical Fellow, Cybersecurity @ Sherweb

Roddy Bergeron's career has taken various paths including government auditing, nonprofit work, public/private partnerships with the State of Louisiana, helping build an MSP by building their managed service, managed security, vCISO and compliance programs, and now as the Cybersecurity Technical Fellow with Sherweb. Roddy has obtained many certifications over the years including his MCSE, CCNA:Security, CEH, CCSP, CISSP and CSAP. Our MSP community is extremely important to Roddy and he loves giving back to the community that has helped him out so much over the years. Roddy hopes to continue to help other MSPs succeed and raise the cybersecurity tide for our industry.