MSPs
Onboarding and offboarding sit at the centre of the issue. MSPs gain and lose clients. Staff turnover. Each access grant that is not reviewed adds to a growing pool of credentials no one fully tracks. Over time, it becomes harder to say who has access or whether they should still have it.

One credential, many victims
The structural exposure described above leads to a well-understood attack pattern. When credentials are reused across client environments, a single compromise can expose an entire client base. An attacker does not need to break in multiple times. They get in once, then move laterally using valid access. The failure modes are familiar: shared master passwords across clients, credentials stored in spreadsheets on shared drives, no offboarding when staff leave, and no audit logs showing who accessed what or when. These are the predictable outcomes of treating credential management as an afterthought rather than an operational discipline, and they appear repeatedly in post-incident reviews. Human factors amplify the risk. The annual Verizon Data Breach Investigations Report consistently finds the human element in the majority of breaches, whether through phishing, credential misuse, or simple error. In the UK, phishing remains the primary entry point, accounting for 85% of attacks on businesses, according to the government’s 2025 Cyber Security Breaches Survey. When an MSP technician falls for a convincing email, the exposure does not stop with their own organisation. Every client environment they can access is at risk. That asymmetry is the core of the problem.

Proof, not assurance
Credential management has moved beyond an IT concern. Clients in financial services and regulated sectors are no longer satisfied with general assurances; they want evidence of how access is controlled. Procurement conversations increasingly include questions about access governance and audit capability that would not have come up a few years ago. The cyber insurance market is equally direct about where the bar now sits. MFA is a baseline that insurers assume is in place. What underwriters are focused on now is the layer of controls around it: phishing-resistant authentication, privileged access management, zero-trust principles, and audit trails demonstrating those controls are applied consistently. Critically, coverage can be denied if a company cannot prove it was doing what it claimed. That’s a documented pattern, and it applies directly to MSPs who manage credentials on behalf of clients but cannot evidence how that access is controlled. Under GDPR, the chain of responsibility does not end at the primary data controller. MSPs operating within a client’s data environment carry obligations as sub-processors, and the principal organisation must demonstrate its sub-processors meet equivalent standards. In a breach investigation, every party in the chain is scrutinised. Inadequate credential governance creates legal exposure on top of the operational and reputational damage already at stake.

What mature credential management looks like
The gap between informal and mature credential management is narrower than most MSPs assume. The steps to close it are not complex; they require discipline and ownership more than significant investment. Consolidation comes first. Credentials need to live in one centralised, access-controlled repository, not across spreadsheets, inboxes, and individual tools. Everything else builds from that foundation. Least-privilege access should then be applied in practice: role-based permissions that reflect what people actually need, reviewed regularly as roles and client relationships change. This limits the blast radius of any individual compromise. Audit trails are essential. Knowing who accessed which client environment and when is how an MSP identifies anomalous activity before it escalates, and it is precisely what insurers and clients now ask to see. Offboarding must be a defined process, not something that gets done when someone remembers. Former access left unreviewed is ongoing exposure. None of this holds up if it is set up once and left alone. Periodic review confirms policies are followed and access remains appropriate. An MSP that can demonstrate consistent, documented credential hygiene over time is one that can stand behind its security posture with confidence, retain clients who now ask these questions, and meet the scrutiny coming from insurers and regulators. The risk is real, the expectation is rising, and the tools to manage it are available. The question is whether credential governance gets the operational attention it has always deserved.

www.pcr-online.biz
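As an added illustration of the periodic review the article calls for (this script is not from the article or any product it mentions), the following Python takes a constructed staff roster, per-client access grants and audit events, and reports the gaps the text names: access still held by departed staff, grants past their review date, use of access with no live grant, and each technician's blast radius across client environments. The sample data, the 90-day review interval and the fixed date are assumptions.

```python
from datetime import date

# Constructed sample data, not from the article: an MSP staff roster,
# each technician's access grants per client environment (with the
# date the grant was last reviewed) and a few audit-log events.
STAFF = {"alice": "active", "bob": "left", "carol": "active"}
GRANTS = [  # (technician, client environment, last review date)
    ("alice", "client-a", date(2026, 4, 1)),
    ("bob", "client-a", date(2025, 9, 10)),
    ("bob", "client-b", date(2025, 9, 10)),
    ("carol", "client-c", date(2025, 1, 15)),
]
AUDIT_LOG = [  # (technician, client environment accessed)
    ("alice", "client-a"),
    ("bob", "client-b"),
    ("carol", "client-a"),
]
REVIEW_DAYS = 90          # assumed maximum age of a grant review
TODAY = date(2026, 6, 1)  # fixed "today" so the results are reproducible

def review_access(staff, grants, audit_log, today, review_days=REVIEW_DAYS):
    """Return grants held by departed staff (offboarding gap), grants past
    their review deadline (stale) and audit events with no matching live
    grant (anomalous use of access)."""
    findings = {"departed": [], "stale": [], "anomalous": []}
    live = set()  # (technician, client) pairs granted to active staff
    for tech, client, reviewed in grants:
        if staff.get(tech) != "active":
            findings["departed"].append((tech, client))
            continue
        live.add((tech, client))
        if (today - reviewed).days > review_days:
            findings["stale"].append((tech, client))
    for tech, client in audit_log:
        if (tech, client) not in live:
            findings["anomalous"].append((tech, client))
    return findings

def blast_radius(grants):
    """Number of client environments each technician can reach: what a
    single phished account exposes (departed accounts included)."""
    radius = {}
    for tech, _client, _reviewed in grants:
        radius[tech] = radius.get(tech, 0) + 1
    return radius

def run_review():
    """Run the review over the constructed sample data."""
    return review_access(STAFF, GRANTS, AUDIT_LOG, TODAY)
```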
May/June 2026 | 43