MSP Supply Chain Attacks: NC SMB Vendor Selection Guide (H2 2026)

Guardz & ConnectWise warn MSP supply chain attacks will intensify in H2 2026. NC small business guide to MSP selection, RMM hardening, and exit clauses. (336) 886-3282.


TL;DR: Per the Guardz 2026 State of MSP Threat Report, the Guardz Threat Hunting team predicts that MSP supply chain attacks will intensify in H2 2026 as threat actors impersonate legitimate RMM infrastructure to establish access. The ConnectWise 2026 MSP Threat Report reinforces the same finding: identity abuse is now the primary MSP risk, and AI-assisted tooling has compressed attack timelines from weeks to hours. Recent events validate the forecast: in February 2026, attackers exploited CVE-2026-1731 in BeyondTrust Remote Support for unauthenticated remote command execution; in 2025, DragonForce affiliates exploited SimpleHelp RMM vulnerabilities to compromise MSP environments and deploy ransomware across multiple downstream client networks simultaneously. For NC small businesses that rely on a managed IT or managed cybersecurity partner, the question is no longer "do we have an MSP?" - it is "is the MSP we have hardened enough that an attack on them is not also an attack on us?"

Key takeaway: When your MSP is compromised, you are not collateral damage - you are the target. NC small businesses need to evaluate MSPs on three axes that 2024 vendor-selection RFPs did not even mention: RMM tool hardening evidence, identity security maturity, and incident response transparency. A 60-minute conversation can reveal which MSPs have done the work and which have not.

Need a managed IT or cybersecurity partner that has actually hardened its own toolchain? Preferred Data Corporation has provided managed IT and cybersecurity services to North Carolina small businesses since 1987. Call (336) 886-3282 or request an MSP capability review. Serving the Piedmont Triad, Charlotte, and Raleigh metros.

What is an MSP supply chain attack?

An MSP supply chain attack is a breach that begins by compromising a managed service provider's tooling (RMM, PSA, backup, security platform) or staff credentials, then spreads through the MSP's connectivity into downstream customer environments. Per Huntress's MSP security industry analysis and Smarter MSP's coverage of evolving supply chain attacks, the typical pattern:

  1. Attacker compromises an MSP technician's credentials (info-stealer, phishing, third-party breach)
  2. Attacker logs into the MSP's RMM, PSA, or remote-access console
  3. Attacker pivots into customer endpoints using the MSP's legitimate management connectivity
  4. Attacker deploys ransomware, exfiltrates data, or persists for later monetization across the MSP's entire customer base simultaneously

The leverage is brutal: one compromised MSP can affect tens or hundreds of downstream small businesses in hours.

What are the recent MSP supply chain events that should worry NC small businesses?

| Date | Event | Impact |
| --- | --- | --- |
| April 2025 | DragonForce affiliates exploit SimpleHelp RMM vulnerabilities | Multiple MSP environments compromised; ransomware deployed across downstream clients |
| February 2026 | CVE-2026-1731 BeyondTrust Remote Support unauthenticated RCE | Wave of attacks against MSPs using the platform |
| April 3, 2026 | Dental software supply chain compromise | Three downstream companies affected |
| April 15, 2026 | MSP compromise | Mass isolation of 78 downstream businesses; further exploitation across four customers |
| Q1 2026 | RMM tool abuse hits 26% of all endpoint threat detections | Single largest endpoint threat category per Guardz |
| H2 2026 | Forecast: intensification of MSP supply chain attacks | Per Guardz Threat Hunting predictions |

The trend line is clear and accelerating. The defensible posture for NC small businesses is to treat MSP selection as a security decision, not just a service decision.

What is the practical NC small business MSP due diligence checklist?

A 60-90 minute conversation with any prospective or incumbent MSP surfaces the key risks. Ten questions to ask:

1. What RMM tool do you use, and what is your hardening evidence?

Expected answer: a specific product (ConnectWise ScreenConnect, NinjaOne, Atera, Datto RMM, N-able, Kaseya), with documented MFA enforcement on the RMM console, IP allowlisting for technician access, signed binary deployment to endpoints, agent integrity monitoring, and prompt patching of RMM CVEs.

2. How do you protect technician identities?

Expected answer: MFA on every technician account (including admin), phishing-resistant MFA where possible (FIDO2/passkey), conditional access policies, just-in-time elevation rather than standing privileged access, dark-web monitoring of MSP employee email domains.

3. What is your incident response runbook if your tools are compromised?

Expected answer: A documented runbook with explicit isolation procedures, customer notification timelines (24-72 hours), forensics partner pre-engaged, and tested via tabletop exercises annually.

4. Do you have SOC 2 Type II or equivalent attestation?

Expected answer: Yes, with the most recent report available under NDA. For smaller MSPs, equivalent self-attestation against NIST CSF or CIS Controls with third-party validation is acceptable.

5. How do you manage your own non-human identities (NHIs)?

Expected answer: Service accounts and API keys are rotated on a documented schedule; OAuth grants are inventoried; AI agent identities are scoped to least-privilege. (Connects to the NHI crisis discussion.)

6. What is your dwell time detection capability?

Expected answer: Continuous monitoring (EDR + XDR + UEBA) with median detection time under 24 hours; alerts routed to a real SOC (internal or partnered) with documented response SLA.

7. What is your cyber insurance coverage?

Expected answer: Specific coverage limits, including for incidents affecting downstream customers; carrier name on request; willingness to add the customer as an additional insured for managed services.

8. What is the offboarding procedure?

Expected answer: A documented exit-clause process that includes credential return, agent removal, knowledge transfer, and incident-log handoff within 30-60 days of termination, regardless of cause.

9. Where is your operations team located?

Expected answer: Geographic distribution disclosed, with primary operations in jurisdictions with strong cyber and privacy law alignment (typically US-based for NC SMBs with NC customer data).

10. Can you provide three customer references in similar industries?

Expected answer: Yes, with sector-relevant references (NC manufacturers, construction, professional services) willing to speak about incident response history and operational discipline.

If an MSP cannot answer at least 7 of these 10 directly, that is a yellow flag. If it cannot answer at least 4 of the 10, that is a red flag.


What contract clauses should NC small businesses negotiate with MSPs?

Per Risk Ledger's 2026 supply chain risk analysis and standard managed services contracting practice, six clauses move the needle most:

1. Breach notification (24-72 hours)

Explicit timeline (24 hours preferred for material incidents) with required content (incident summary, affected systems, indicators of compromise, remediation timeline).

2. RMM tool transparency

The MSP must disclose RMM/PSA/backup tools in use, with notification of changes. This enables the customer's own EDR to allowlist properly.

3. Sub-processor disclosure

Any subcontractor or sub-processor with access to customer data or systems must be disclosed and approved.

4. Cyber insurance coverage and customer-as-additional-insured

Stated minimum coverage limits (typically $1M-$5M for SMB-focused MSPs serving 25-250 employee customers) with the customer listed as additional insured where the MSP's tools or staff create the exposure.

5. Right to audit

In proportion to risk, the customer has the right to request evidence of security controls, including SOC 2 reports, vulnerability scan summaries, and incident logs.

6. Exit clause with credential return and agent removal

A documented offboarding procedure that includes credential return, RMM agent removal from all endpoints, knowledge transfer of configurations, and handoff of incident history. Often the most contentious clause - and the most important.

What is the RMM tool hardening checklist?

Per the Guardz report, the Intel 471 RMM threat hunting analysis, and standard MSP security frameworks:

| Control | Description |
| --- | --- |
| Console MFA | Phishing-resistant MFA on every RMM console account, including admin |
| IP allowlisting | RMM console access restricted to known MSP IPs (office, VPN) |
| Signed agent binaries | Endpoints only execute RMM agents signed by the legitimate vendor |
| Agent integrity monitoring | EDR detects modified or spoofed RMM agents (e.g., spoofed AteraAgent MSI installers) |
| Session recording | Technician sessions recorded for audit and incident response |
| Just-in-time elevation | Standing global admin access eliminated; elevation requires approval |
| Patch SLA | RMM platform patches applied within 24-72 hours of disclosure |
| Anomaly detection | Unusual technician access patterns (off-hours, mass operations) flagged |
| Network segmentation | RMM management traffic on a dedicated segment, not commingled with general internet |
| Tabletop testing | Annual exercise simulating RMM compromise and customer notification |

A customer asking these specific questions is signaling that the MSP-customer relationship is being treated as a real security relationship, not just a service contract.
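One way to check three of the controls above (IP allowlisting, off-hours access, mass operations) against an RMM console audit export. This is an added example, not Preferred Data Corporation's or any RMM vendor's code; the CSV layout, address ranges, business hours and thresholds are assumptions, and the log lines are constructed.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed policy values for illustration (not taken from any real MSP or RMM product).
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/28", "198.51.100.10/32")]
BUSINESS_HOURS = range(7, 19)            # 07:00-18:59, console local time
MASS_OP_LIMIT = 5                        # distinct endpoints per technician ...
MASS_OP_WINDOW = timedelta(minutes=10)   # ... within this sliding window

# Constructed sample audit lines: timestamp,technician,source_ip,action,endpoint
SAMPLE_LOG = [
    "2026-05-04T02:47:00,bob,203.0.113.7,session_start,FRONTDESK-02",
    "2026-05-04T09:12:00,alice,203.0.113.5,session_start,ACCT-PC01",
    "2026-05-04T10:30:00,carol,192.0.2.44,login,-",
] + [f"2026-05-04T14:0{i}:00,dave,198.51.100.10,run_script,PC-{i:02d}" for i in range(6)]

def review_sessions(lines):
    """Return a sorted list of (technician, reason) findings for the audit lines."""
    findings = set()
    recent = defaultdict(list)  # technician -> [(time, endpoint)] inside the window
    for line in sorted(lines):  # ISO 8601 timestamps sort chronologically as text
        ts, tech, ip, action, endpoint = line.strip().split(",")
        when = datetime.fromisoformat(ts)
        if not any(ipaddress.ip_address(ip) in net for net in ALLOWED_NETS):
            findings.add((tech, "source IP not allowlisted"))
        if when.hour not in BUSINESS_HOURS:
            findings.add((tech, "off-hours access"))
        if endpoint != "-":
            # Keep only this technician's actions that fall inside the sliding window.
            window = [(t, e) for t, e in recent[tech] if when - t <= MASS_OP_WINDOW]
            window.append((when, endpoint))
            recent[tech] = window
            if len({e for _, e in window}) > MASS_OP_LIMIT:
                findings.add((tech, "mass operation"))
    return sorted(findings)

if __name__ == "__main__":
    for tech, reason in review_sessions(SAMPLE_LOG):
        print(f"{tech}: {reason}")
```

A finding here is a prompt to review the recorded session, not proof of compromise; the thresholds need tuning to the MSP's real maintenance windows and patch runs.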

Why is identity the new MSP perimeter?

Per Group-IB's 2026 forecast cited in Smarter MSP's analysis and the ConnectWise 2026 MSP Threat Report, identity is now the primary MSP attack vector:

  1. Identity beats malware: Compromising a technician credential is faster, quieter, and more durable than dropping malware
  2. Identity scales: One compromised credential can authenticate to dozens of customer tenants in seconds
  3. Identity bypasses perimeter controls: A legitimate login from a residential proxy is hard to distinguish from a real technician on a coffee-shop network
  4. Identity persists: OAuth tokens and session cookies can outlast password rotations

The MSPs that have done the identity work (phishing-resistant MFA, conditional access, dark-web monitoring, just-in-time elevation) are the ones that will be defensible through H2 2026 and beyond. The MSPs that have not - many - will be the supply chain incidents on the news.


How does this connect to broader vendor risk management?

The MSP is one (very high-leverage) vendor in a typical NC small business's vendor stack. Per the Black Kite 2026 Third-Party Breach Report, the average breached vendor compromises 5.28 downstream customer organizations. The MSP is structurally positioned to be far worse than the average:

  • The MSP has direct network access to customer endpoints (most vendors do not)
  • The MSP has admin credentials in customer Microsoft 365 and Google Workspace tenants
  • The MSP has visibility into customer backup data, configurations, and incident history
  • The MSP often holds the documented runbook of how to operate the customer's systems

This is not a reason to avoid MSPs - it is a reason to pick the right one and contract it tightly.

How does Preferred Data Corporation handle its own MSP supply chain risk?

We operate hardened RMM and PSA tooling with the controls listed above: phishing-resistant MFA on every console, IP-allowlisted technician access, signed agent binaries, EDR-monitored agent integrity, session recording, just-in-time elevation, and 24-72 hour patch SLAs on management platforms. We rotate technician credentials and monitor our own employee email domain for dark-web exposure. We carry cyber insurance with customer-as-additional-insured options. We run annual tabletop exercises simulating tooling compromise. We document offboarding procedures and execute them on the same timeline regardless of how a customer relationship ends. And we are based in High Point, NC - so when a customer needs to look an MSP partner in the eye to ask "how are you protecting us right now?" the answer is local. Most NC SMBs do not need a perfect MSP; they need a partner that treats the customer's security as the deliverable.

Frequently Asked Questions

What is an MSP supply chain attack in plain English?

An MSP supply chain attack happens when a hacker breaks into your IT provider's tools or accounts, then uses that access to attack you and other customers of the same provider. Because the IT provider has admin access into your network, the attack can spread to dozens or hundreds of small businesses at once.

How does an NC small business evaluate whether an MSP is safe?

Use the 10-question due diligence checklist: RMM tool hardening evidence, technician identity protection, incident response runbook, SOC 2 or NIST CSF attestation, NHI management, dwell time detection, cyber insurance with customer-as-additional-insured option, offboarding procedures, operations team location, and verifiable customer references. If an MSP cannot answer 7 of the 10, find another.

What should an NC small business do if its current MSP cannot answer these questions?

Three options. First, share the checklist with the current MSP and give 90 days to provide evidence; many MSPs have the controls but have never been asked to document them. Second, request a third-party security assessment of the MSP (some carriers will fund this through cyber insurance). Third, evaluate alternative MSPs in parallel and prepare a migration plan if the current MSP cannot close the gaps.

How long does it take to switch MSPs?

For a 25-100 employee NC SMB, a planned MSP transition typically takes 60-120 days end to end: 30 days of due diligence and contracting, 30-45 days of knowledge transfer and parallel operations, 15-30 days of legacy MSP offboarding (credential return, agent removal). Emergency transitions following a compromise are faster but less clean.

Is it worth paying more for a hardened MSP?

Yes for most NC SMBs. The cost difference between a baseline MSP and a hardened MSP is typically $10-$30 per user per month - well below the cost of even a single contained ransomware incident ($120K+ for a 50-person company per the VikingCloud 2026 SMB Threat Landscape Report). Cyber insurance underwriting in 2026 increasingly requires MSP attestation, which means the spend is at least partially offset by premium reductions.

Should small businesses run their own RMM instead of using an MSP?

Almost never. Operating an RMM safely requires 24/7 monitoring, dedicated patching SLAs, identity controls, session recording, and incident response capacity that very few SMBs can staff. The right answer is a hardened MSP, not no MSP.

Does PDC use ConnectWise, NinjaOne, or another RMM?

We use a hardened RMM/PSA stack with the controls listed in this post: phishing-resistant MFA on consoles, IP allowlisting, signed agent binaries, EDR-monitored integrity, session recording, just-in-time elevation, and documented patch SLAs. Specific tooling is shared under NDA as part of the diligence process so prospective customers can verify our controls against their own RFP standards.


About the author: Preferred Data Corporation has provided managed IT, AI transformation, and cybersecurity services to North Carolina small businesses since 1987. Based at 1208 Eastchester Drive, Suite 131, High Point, NC 27265, we serve manufacturers, construction firms, and professional services organizations across the Piedmont Triad, Charlotte, and Raleigh metros. Call (336) 886-3282 or request an MSP capability review.
