MSPs increasingly are coming under fire for their lack of cybersecurity, and new research by ESET shows nearly half admitted waiting until after an attack to invest in cybersecurity products.

ESET, a provider of antivirus, anti-malware and internet security, surveyed 400 MSPs to uncover their attitudes and future plans around cybersecurity. The findings suggest that many MSPs “still have their heads in the sand over the gravity of the threat,” it said.

David Mole, ESET’s U.K. channel director, tells us it is “probably human nature to expect that the business providing your cybersecurity is implementing best practice for their own businesses.”

ESET’s David Mole

“The growing threat of cyberattacks for all types of businesses is widely publicized, so it is shocking that so many MSPs are waiting until they are attacked to invest in cybersecurity,” he said. “Cyberattacks and data breaches are becoming more sophisticated all the time, so the only way to keep your business safe is to be as proactive as possible about staying on top of the threats. Clients are relying on MSPs to help them keep their businesses safe, which means there is no excuse for a delayed or reactive approach. MSPs should be investing in comprehensive cybersecurity for all their devices and doing so as soon as these are purchased or brought onto their network. It is also vital to carry out regular reviews on all aspects of cybersecurity to ensure that the strategies and solutions in place are as up to date and effective as possible.”

In response to ESET’s findings, Andy Chiquoine, chief technologist of managed services at ConRes, said, “we take a holistic approach to cybersecurity.” ConRes is a member of the Channel Futures MSP 501.

“Our multivendor end-to-end approach encompasses our customers’ entire IT infrastructure,” he said. “We offer solutions in cloud, endpoint, network, threat intelligence/security analysis, CASB, data and apps, incident response, identity and access and mobile management.”

The study did, however, find that some MSPs are more proactive than others, with 41% of respondents saying that they invest in cybersecurity whenever they buy a new device. Additionally, 38% said they have been prompted to protect themselves by reading stories about hacking in the news.

However, a big area of weakness appears to be smartphones, with nearly a quarter of the MSPs questioned saying they still don’t have any protection on their mobile devices.

“Although smartphone awareness has increased massively, it remains one of the easiest pools of information to compromise,” Mole said. “Our phones are designed to be easy, apps are created to be run with ease, already authenticated and with little intrusion. Through those same apps we store so much more info than we do on our desktops, and there is also a degree of crossover from private to work life that would, in most cases, not happen on a standard computer.”

With all this data stored in easily accessible applications and files, it makes the mobile device a very desirable target, Mole said.

“Our awareness of acceptable security standards are somewhat substandard in most cases; even with facial ID or biometrics the passcode is still the core of that security process, and most users will use older passcodes for device entry,” he said. “Often if they use separate devices based on work or private life, they will use the same passcode, usually not having been changed for a number of devices or years. We also need to understand the sheer amount of message history stored on those devices and how it could be used in targeted attacks along with the increasing number of apps storing and using financial information for payment purposes.”

When researching and buying cybersecurity products, 49% of MSPs consider the price of the solution and its ability to perform spyware or malware scans above any other factors. Compatibility with existing systems (39%), and speed and download protection (36%) are also considered important for many.