Swiss SMEs are increasingly outsourcing their IT to external service providers. Managed service providers (MSPs), IT system houses, and cloud consultants manage networks, servers, and endpoints. This often makes sense — but it creates a risk that is not discussed enough: your IT service provider has extensive access to your systems. And if they are compromised, so are you.<\/p>\n
A typical SME scenario: the IT service provider has administrator rights on the domain controller, VPN access to the internal network, access to the firewall configuration, and root passwords for all servers. They manage the backups, maintain software updates, and handle onboarding for new employees.<\/p>\n
This is an enormous relationship of trust. And in most cases, there is absolutely no independent oversight<\/strong> of whether the service provider follows secure practices themselves. Is their own network protected? Do they use multi-factor authentication? Are their remote access tools up to date? Are their clients’ credentials stored securely?<\/p>\n The honest answer: most SMEs do not know. And most do not ask.<\/p>\n Supply chain attacks — attacks conducted through suppliers and service providers — are among the fastest-growing threat categories. The logic is compellingly simple: why would an attacker target 100 SMEs individually when they can gain access to all 100 companies through a single IT service provider?<\/p>\n Recent history provides striking examples:<\/p>\n These incidents are not isolated cases but a pattern. The European Union Agency for Cybersecurity (ENISA) classifies supply chain attacks as one of the top threats. And the Swiss Federal Office for Cyber Security (BACS) regularly warns about this risk.<\/p>\n The attack vectors through IT service providers are diverse:<\/p>\n MSPs use tools such as ConnectWise, Kaseya, Datto, or TeamViewer to manage their clients’ systems. These tools are designed to have extensive access to managed endpoints and servers. A vulnerability in the remote management tool or stolen credentials from an MSP technician opens the door to all client networks simultaneously.<\/p>\n Not every attack is based on a software vulnerability. Common problems at IT service providers:<\/p>\n Some service providers operate shared monitoring or backup systems. If this central infrastructure is compromised, all connected clients are affected.<\/p>\n Trust is good, but it should be based on an informed foundation. Here are concrete questions you should ask your IT service provider:<\/p>\n If your service provider cannot or will not answer these questions, that is a warning sign.<\/p>\n Regardless of how competent and trustworthy your IT service provider is, there are good reasons to run your own vulnerability scanning:<\/p>\n Independent visibility:<\/strong> Your IT service provider has an inherent interest in presenting their own work in a favourable light. An independent vulnerability scan shows you the objective reality: are the systems actually up to date? Are the firewall rules clean? Are there exposed services that should not exist?<\/p>\n Control over your own risk:<\/strong> Responsibility for your data cannot be outsourced. Even if the IT service provider manages the systems, you as a company bear the liability in the event of a data breach. The nDSG (Swiss Data Protection Act) makes this unambiguously clear.<\/p>\n Early detection of problems:<\/strong> Regular scans detect when a patch has not been installed, a service is misconfigured, or a new vulnerability affects your systems. You can act proactively instead of waiting for the next security incident.<\/p>\n Negotiation basis:<\/strong> With concrete scan results, you can hold informed discussions with your service provider. “Our scan shows that the Exchange server is missing two critical patches” is a very different starting point than “Is everything secure?”<\/p>\n Supply chain transparency:<\/strong> An external scan of your own infrastructure also reveals whether the systems managed by the service provider have vulnerabilities that the service provider should have remediated.<\/p>\n The principle “trust, but verify” originally comes from diplomacy, but it is highly relevant in IT security. It does not mean distrusting your IT service provider. It means that as a company, you cannot fully delegate responsibility for your own security.<\/p>\n Concrete measures every SME can implement:<\/p>\n ExposIQ enables Swiss SMEs to run simple, independent vulnerability scanning that operates alongside their existing IT service provider. The platform requires no technical expertise: you enter your domains and IP ranges and receive regular, up-to-date overviews of your security posture.<\/p>\n With over 35 scan engines, 64’000 CVEs, and EPSS-based risk scoring, you can see at a glance which vulnerabilities exist and how urgently they need to be addressed. The results provide an objective basis for conversations with your IT service provider — or confirm that they are doing a good job.<\/p>\n Hosted in Switzerland, nDSG-compliant, and available from just CHF 99 per month. Because independent oversight is not a vote of no confidence but professional risk management: exposiq.ch<\/a><\/p>\n","protected":false},"excerpt":{"rendered":" Swiss SMEs are increasingly outsourcing their IT to external service providers. Managed service providers (MSPs), IT system houses, and cloud consultants manage networks, servers, and endpoints. This often makes sense — but it creates a risk that is not discussed enough: your IT service provider has extensive access to your systems. And if they are … Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"rank_math_focus_keyword":"it service provider security risk supply chain","rank_math_title":"IT Service Providers as Security Risk: Supply Chain Security for SMEs","rank_math_description":"Your IT provider has admin access to your systems. If they are compromised, so are you. Why SMEs need their own vulnerability scanning.","rank_math_robots":"","rank_math_canonical_url":"","rank_math_primary_category":"","footnotes":""},"categories":[8],"tags":[],"class_list":["post-1180","post","type-post","status-publish","format-standard","hentry","category-it-sicherheit","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-33"],"_links":{"self":[{"href":"https:\/\/exposiq.ch\/en\/wp-json\/wp\/v2\/posts\/1180","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/exposiq.ch\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/exposiq.ch\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/exposiq.ch\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/exposiq.ch\/en\/wp-json\/wp\/v2\/comments?post=1180"}],"version-history":[{"count":0,"href":"https:\/\/exposiq.ch\/en\/wp-json\/wp\/v2\/posts\/1180\/revisions"}],"wp:attachment":[{"href":"https:\/\/exposiq.ch\/en\/wp-json\/wp\/v2\/media?parent=1180"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/exposiq.ch\/en\/wp-json\/wp\/v2\/categories?post=1180"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/exposiq.ch\/en\/wp-json\/wp\/v2\/tags?post=1180"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}Supply Chain Attacks Are on the Rise<\/h2>\n
\n
How IT Service Providers Become a Gateway<\/h2>\n
Compromised Remote Management Tools<\/h3>\n
Insecure Practices at the Service Provider<\/h3>\n
\n
Shared Infrastructure<\/h3>\n
How to Assess Your IT Service Provider<\/h2>\n
\n
Why SMEs Need Their Own Vulnerability Scanning<\/h2>\n
Trust, but Verify<\/h2>\n
\n
ExposIQ as Independent Oversight<\/h2>\n