When attackers compromised Kaseya VSA in 2021, they used the trusted MSP platform to push ransomware through service providers into hundreds of their customer environments. It remains one of the clearest examples of why MSPs have become a preferred entry point for sophisticated attacks targeting SMEs.
UK SMEs rely heavily on Managed Service Providers to run their IT, protect sensitive data, and keep operations moving. But as the supply chain risk intensifies, the National Cyber Security Centre (NCSC) has issued new guidance on how SMEs should choose — and manage — an MSP.
It's a shift that puts far more emphasis on security accountability, transparency, and operational maturity. And it's long overdue.
This blog breaks down the key messages from the guidance, highlights where Talanos aligns, and gives you practical questions to ask your MSP today.
1. Certifications are not “nice-to-haves” – they’re minimum requirements
The NCSC is clear: SMEs should use MSPs with recognised security certifications such as Cyber Essentials Plus, and ideally, ISO 27001 or SOC 2. In Talanos’s case, we also hold CREST accreditation, further demonstrating our commitment to maintaining the highest possible standards of security and service quality.
Certifications matter because they prove an organisation is independently audited and operating to a consistent, measurable security standard. Without them, you're taking an MSP's word that they "take security seriously" — and that's simply not good enough.
What this means for SMEs:
- Don't accept verbal assurances
- Ask for proof and verify certification status publicly
- Treat missing certifications as a red flag, not a negotiating point
While Talanos is a Managed SOC provider rather than a traditional MSP, our operating model is built on the same security-first principles the NCSC is promoting: identity-led detection aligned to modern threat models, structured security operations reviews, least privilege enforcement, and mandatory 2SV on privileged access.
We're designed to integrate with MSPs — and in many cases, enhance or compensate for gaps in their security maturity. When your MSP holds certifications, we validate that they're living up to them. When they don't, we provide the oversight layer that protects you regardless.
2. Transparency and communication are now essential requirements
The NCSC stresses that reputable MSPs must clearly articulate what they do, how they do it, what they don't do, how incidents are managed, and how quickly customers will be informed when something goes wrong.
Too often, SMEs inherit risk because their MSP's processes are ambiguous or undocumented. You might assume patching happens automatically. You might believe backups are tested monthly. But unless it's documented and verified, you have no real way of knowing whether these critical elements are in place.
Typical MSP approach vs. Talanos:

| Area | Typical MSP | Talanos SOC |
| --- | --- | --- |
| Responsibility clarity | Vague or implied | Explicit responsibility matrices |
| Incident communication | Ad-hoc, often delayed | Documented playbooks with timeframes |
| Response SLAs | "We'll get to it" | 15-min triage, 60-min containment guarantee |
| Evidence provision | Limited or reactive | Proactive visibility of detections, response activity, access pathways, identity risks |
In short, we don't operate behind a curtain. Our customers get evidence, not assumptions.
3. Contracts must be clear, specific, and security-focused
The NCSC warns that vague contracts lead to delayed response, unclear ownership, and major gaps during incidents. They recommend detailed SLAs, clear incident reporting procedures, explicit responsibility for patching, backups and access, liability terms, regular review and reporting, and a defined exit plan.
This is an area where many SMEs discover problems too late — usually mid-incident, when it becomes clear that nobody agreed who was responsible for what.
While the NCSC guidance is correct, this is an area where first-rate MSPs and MSSPs go further. For example, our customers benefit from clearly defined breach responsibilities, documented roles for Talanos, the customer, and the MSP, regular structured operational reviews covering identity risk, configuration drift, monitoring coverage and incident learnings, and support for cyber insurance compliance including reportable audit trails.
We also frequently help SMEs interpret MSP contracts to ensure that SOC responsibilities, monitoring boundaries, and incident management roles are clear before something goes wrong.
A case in point — last year, we identified a client whose MSP contract stated they were "responsible for security monitoring" — but the MSP had no SOC, no 24/7 capability, and no defined detection coverage. The contract was technically accurate but operationally meaningless. We helped renegotiate clear boundaries, then filled the gaps the MSP couldn't deliver.
4. Critical security functions must be proactively managed
The NCSC calls out five areas SMEs must challenge MSPs on:
- Patch Management: Critical vulnerabilities must be patched within 14 days
- Regular, tested backups: Not just taken, but verified and restorable
- Access control and 2SV: Enforced across all privileged accounts
- Logging and retention: Sufficient to investigate incidents
- Incident response capability: Actual people, processes, and tools ready to respond
These are the functions attackers exploit most often — and the functions SMEs may mistakenly assume their MSP is delivering, even when they're not.
As a Managed SOC provider, Talanos is able to detect when these controls break down. We offer identity-led monitoring to highlight where unpatched systems create privilege escalation paths, continuous configuration telemetry to expose weak authentication, missing 2SV, unmanaged admin accounts, and/or legacy endpoints. In addition, centralised logging ensures SMEs have visibility even when their MSP cannot provide it. Working with a partner like Talanos also ensures independent incident response operates separately from the MSP, reducing finger-pointing during a breach.
5. Supply chain risk and end-of-life systems are now part of due diligence
The NCSC highlights two often-overlooked risks:
- MSP supply chain risk: Many MSPs rely on third-party tools, contractors, or offshore support. SMEs must understand where these dependencies sit, how they are secured, and whether they introduce additional risk.
- End-of-life (EOL) systems: Outdated systems are one of the most common sources of a breach. SMEs must agree upfront who tracks EOL dates, who replaces systems, and who carries the risk if those systems remain.
SMEs should therefore look for partners that can map identity pathways across the full technology stack, including legacy systems, and whose reviews surface EOL exposure early — before attackers find it. It is also important to ensure that your security provider is assessing MSP access, privileged accounts, and remote access paths, so that MSP connections don't become the weakest link. You should also have access to support in understanding supplier criticality, including the MSP itself, through TPRM and risk reporting frameworks.
Red flags: is your MSP meeting the NCSC standard?
Ask yourself (and your MSP) these questions:
❌ Can you show me your current security certifications and when they expire?
❌ Do you have documented SLAs for critical patch deployment?
❌ When was the last time you tested our backups — and can I see the results?
❌ Who will contact me if you detect a security incident, and within what timeframe?
❌ Do you have 24/7 security monitoring, or is it business hours only?
❌ Can you provide a responsibility matrix showing exactly what you manage vs. what we're responsible for?
❌ What end-of-life systems exist in our environment, and what's the remediation plan?
❌ Do you use third-party contractors or offshore support to manage our infrastructure?
If your MSP can't answer these clearly and confidently, you have a gap that needs addressing.
SMEs deserve better than "IT support with security bolt-ons"
The NCSC guidance is a wake-up call for SMEs still selecting MSPs based solely on cost, convenience, familiarity, or the false assumption that "IT equals security."
The reality is that IT administration and cyber defence require different skills, different processes, and different response timelines.
MSPs keep things running. SOC providers like Talanos keep things safe when they fail. That's why our model is built to complement — and in many cases, elevate — the work of MSPs. SMEs need both, but they need them working together, with clarity, transparency, and measurable security outcomes. To learn more about how to choose the right Managed SOC partner, read our comprehensive guide.
What to do next
- Audit your current MSP relationship: use the red flags checklist above to identify gaps in your current arrangement.
- Book a no-obligation SOC review.