There have been some discussions of the idea that MSPs may be the targets of cyber criminals in order to reach and exploit the end-user customer. This idea seems unlikely but it cannot be simply ruled out. Let us therefore examine whether this can really happen and what the actual concerns are.
The idea is that it may be riskier to partner with an MSP than not to. This is an incorrect idea though. The increase in "aggregation" of customers by an MSP does not present any increased risk to any particular customer.
By virtue of their field of work, MSPs partner with many different customers, but this does not indicate that they pose a risk different from any other business partnering relationship.
Customers find it difficult to effectively secure and manage their IT resources on their own! This is one of the primary reasons why customers partner with MSPs. This has been the reasoning for more than 20 years!
You can imagine that an ultra secret military or intelligence organization, which employs 3rd party vendors (such as MSPs), would view such partnerships as additional risk. It is important to note, however, that governments commonly outsource tasks as a regular practice. It is important to assign the outsourced vendors with an appropriate risk factor, which is directly relevant to the function provided.
MSPs are experts in their field and can perform specific IT services functions better, cost-effectively, and more efficiently. This is the value behind partnering with an managed services. MSPs pay considerable attention to their internal networks and security than most customers. They have processes in place to manage their own security before they manage the client's networks.
Good vendor management involves knowing your risks and taking measures to mitigate those risks. Verified MSPs must demonstrate this with their vendors, but quite frankly, so should customers.
To mitigate risk with outsourced entities, transparency and disclosure forms an excellent approach. Outsourcing to MSPs should be similar to outsourcing other services such as accounting and legal, which also pose business risks.