The £35 million cyberattack on NHS supplier Advanced in October 2022 exposed an uncomfortable truth for managed service providers: credential compromise at the MSP level can cascade across hundreds of client environments simultaneously. Within hours, 111 services across multiple NHS trusts were offline, patient care was disrupted, and a single password-based breach had rippled through an entire healthcare ecosystem.
For MSPs serving regulated industries—healthcare, finance, critical infrastructure—this incident crystallised a growing client concern: how can they trust their service provider's credential security when their own regulatory compliance hangs in the balance?
The MSP credential paradox
Managed service providers face an inherent contradiction. Clients increasingly demand robust cybersecurity services, yet MSPs must store and manage thousands of privileged credentials across multiple client environments to deliver these services. Each credential represents both operational necessity and systemic risk.
The challenge intensifies with regulatory frameworks. Under GDPR, a credential breach at an MSP can trigger data protection violations across every affected client. The NIS2 Directive, taking effect across the EU, extends liability further up the supply chain. Financial services clients bound by PCI DSS or SOX requirements cannot simply delegate credential risk—they remain accountable for their service provider's security posture.
Traditional approaches compound the problem. Most MSPs issue credentials to technicians who then manage, store, and use them across client systems. This human-centric model creates multiple failure points: credentials shared via insecure channels, stored in browsers, written down, or retained by departing employees. When technicians control their own access credentials, the MSP loses fundamental oversight of its most critical security assets.
The scale of credential exposure
Industry data reveals the magnitude of the challenge. The 2023 Verizon Data Breach Investigations Report found that 49% of breaches involved stolen credentials, with business email compromise accounting for £2.1 billion in losses globally. For MSPs, the multiplier effect is severe—a single compromised administrator credential can provide access to dozens of client environments.
Ponemon Institute research indicates that 65% of organisations have over 500 privileged accounts, with many MSPs managing thousands. Yet according to CyberArk's 2023 survey, 55% of organisations admit they cannot quickly identify all privileged accounts in their environment. For MSPs juggling multiple client infrastructures, this visibility gap becomes exponentially more dangerous.
The regulatory landscape adds financial urgency. GDPR fines averaged £85 million in 2022, according to DLA Piper's annual review. In the financial sector, the FCA issued £260 million in penalties for operational resilience failures in 2023 alone. These figures exclude reputational damage and client defection—costs that can prove existential for mid-sized MSPs.
Breach containment times compound the problem. IBM's Cost of a Data Breach report shows an average 277-day lifecycle from initial compromise to containment. For MSPs, this extended timeline means prolonged multi-client exposure, regulatory scrutiny, and service disruption.
Why traditional solutions fall short
The cybersecurity industry has responded with increasingly sophisticated tools: Identity and Access Management (IAM) platforms, Privileged Access Management (PAM) systems, Single Sign-On (SSO), Multi-Factor Authentication (MFA), and Zero Trust architectures. Yet credential breaches continue to proliferate.
The fundamental flaw lies in the underlying assumption: these tools enhance credential security but maintain the principle that users create, know, and control their credentials. Even with MFA, biometrics, and behavioural analytics, the credential itself remains vulnerable to social engineering, phishing, and insider threats.
PAM solutions encrypt and vault credentials but must ultimately decrypt and present them to users for authentication. This "decrypt-to-use" model creates an inherent window of vulnerability. Similarly, SSO systems centralise authentication but cannot eliminate the risk of credential compromise at the identity provider level.
Zero Trust architecture represents significant progress, continuously verifying user identity and device status. However, it cannot address scenarios where legitimate users with valid credentials have been socially engineered or coerced. If the user legitimately knows their credential, Zero Trust has no basis for denial.
A structural approach to credential control
A different architectural principle is emerging: separating identity verification from credential control. Rather than enhancing user-controlled credentials, this approach eliminates user access to credentials entirely.
Under this model, organisations generate all credentials using cryptographically secure methods, encrypt them immediately, and store them in distributed, tamper-evident systems. Users authenticate their identity through multiple vectors, but never receive or handle the actual credentials required for system access.
MyCena's patented implementation exemplifies this approach. When an MSP technician requires access to a client system, they authenticate their identity through the MyCena client. The system then dynamically generates and injects the required credential directly into the target application, without the user ever seeing it. The credential exists only for the duration of the session and is cryptographically unique to that specific access request.
This architecture renders traditional attack vectors ineffective. Phishing campaigns cannot harvest credentials that users never possess. Social engineering fails when employees cannot provide what they do not know. Insider threats diminish when privileged access requires both identity verification and system-mediated credential injection.
For MSPs, this model provides unprecedented visibility and control. Every credential access generates immutable audit logs. Suspicious patterns trigger automatic alerts. Client-specific access policies enforce segregation between environments. Most crucially, credential revocation is instantaneous and absolute—terminated employees cannot retain access to systems they never directly accessed.
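The following Python sketch is an added illustration of the architecture described in the preceding paragraphs (and of the contrast with the "decrypt-to-use" vault model discussed earlier); it is not MyCena's code and makes no claim about how any product implements this. All names (CredentialBroker, TargetSystem, SessionHandle) are hypothetical, and the "client system" is a constructed stand-in. The broker generates a fresh credential per access request, provisions it to the target, hands the technician only an opaque session handle, writes every event to a hash-chained audit log, and revokes all of a technician's sessions at once when they leave.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass


class TargetSystem:
    """Constructed stand-in for a client system the MSP administers.
    It stores only a hash of each session credential the broker provisions."""

    def __init__(self, name: str) -> None:
        self.name = name
        self._active: dict[str, bytes] = {}  # session_id -> sha256(credential)

    def provision(self, session_id: str, credential: str) -> None:
        self._active[session_id] = hashlib.sha256(credential.encode()).digest()

    def revoke(self, session_id: str) -> None:
        self._active.pop(session_id, None)

    def execute(self, session_id: str, credential: str, command: str) -> str:
        expected = self._active.get(session_id)
        digest = hashlib.sha256(credential.encode()).digest()
        if expected is None or not hmac.compare_digest(expected, digest):
            raise PermissionError(f"{self.name}: authentication failed")
        return f"{self.name}: ran '{command}'"


@dataclass(frozen=True)
class SessionHandle:
    """All the technician ever receives: an opaque reference, never the secret."""
    session_id: str
    technician: str
    client: str


class CredentialBroker:
    """Hypothetical broker: the technician authenticates to it, and it generates,
    injects, logs and revokes target credentials on the technician's behalf."""

    def __init__(self, audit_key: bytes) -> None:
        self._audit_key = audit_key
        self._targets: dict[str, TargetSystem] = {}
        self._grants: dict[str, set[str]] = {}  # technician -> clients they may access
        self._sessions: dict[str, tuple[str, str, str]] = {}  # sid -> (tech, client, cred)
        self.audit: list[dict] = []  # hash-chained entries, checked by verify_audit()

    def register_target(self, client: str, target: TargetSystem) -> None:
        self._targets[client] = target

    def grant(self, technician: str, client: str) -> None:
        self._grants.setdefault(technician, set()).add(client)

    def _log(self, event: str, **fields: str) -> None:
        # Each entry carries the previous entry's MAC, so deleting or editing
        # any record breaks the chain (tamper-evident, not tamper-proof).
        prev = self.audit[-1]["mac"] if self.audit else "0" * 64
        entry = {"event": event, "prev": prev, **fields}
        body = json.dumps(entry, sort_keys=True).encode()
        entry["mac"] = hmac.new(self._audit_key, body, hashlib.sha256).hexdigest()
        self.audit.append(entry)

    def verify_audit(self) -> bool:
        prev = "0" * 64
        for entry in self.audit:
            body = {k: v for k, v in entry.items() if k != "mac"}
            raw = json.dumps(body, sort_keys=True).encode()
            expected = hmac.new(self._audit_key, raw, hashlib.sha256).hexdigest()
            if body.get("prev") != prev or not hmac.compare_digest(expected, entry["mac"]):
                return False
            prev = entry["mac"]
        return True

    def open_session(self, technician: str, identity_verified: bool, client: str) -> SessionHandle:
        if not identity_verified or client not in self._grants.get(technician, set()):
            self._log("access_denied", technician=technician, client=client)
            raise PermissionError(f"{technician} may not access {client}")
        session_id = secrets.token_hex(8)
        credential = secrets.token_urlsafe(32)  # unique to this request; never returned to the user
        self._targets[client].provision(session_id, credential)
        self._sessions[session_id] = (technician, client, credential)
        self._log("session_opened", technician=technician, client=client, session=session_id)
        return SessionHandle(session_id, technician, client)

    def run(self, handle: SessionHandle, command: str) -> str:
        session = self._sessions.get(handle.session_id)
        if session is None:
            self._log("session_rejected", session=handle.session_id, command=command)
            raise PermissionError("session revoked or unknown")
        technician, client, credential = session
        self._log("command", technician=technician, client=client, command=command)
        # The credential is injected here, inside the broker, on the technician's behalf.
        return self._targets[client].execute(handle.session_id, credential, command)

    def revoke_technician(self, technician: str) -> int:
        """Offboarding: drop all grants and kill every live session at every target."""
        self._grants.pop(technician, None)
        doomed = [sid for sid, (tech, _, _) in self._sessions.items() if tech == technician]
        for sid in doomed:
            _, client, _ = self._sessions.pop(sid)
            self._targets[client].revoke(sid)
        self._log("technician_revoked", technician=technician, sessions=str(len(doomed)))
        return len(doomed)


if __name__ == "__main__":
    broker = CredentialBroker(audit_key=secrets.token_bytes(32))
    broker.register_target("trust-a", TargetSystem("client-system-a"))
    broker.grant("alice", "trust-a")
    handle = broker.open_session("alice", identity_verified=True, client="trust-a")
    print(broker.run(handle, "service status"))
    print("sessions revoked:", broker.revoke_technician("alice"))
    print("audit chain intact:", broker.verify_audit())
```

Two design points are worth noting. The technician's handle contains no secret, so phishing the technician yields nothing usable against the target, and the target holds only a hash of a credential that exists for one session. The audit chain is keyed with an HMAC secret held by the broker; in a real deployment that key (and the log itself) would live somewhere the technicians cannot write to, otherwise the tamper evidence is only as strong as the access control around it.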
The competitive imperative
MSPs implementing comprehensive credential assurance create distinct competitive advantages in regulated markets. They can demonstrate to prospective clients that credential compromise—the vector behind nearly half of all breaches—has been architecturally eliminated from their operations.
This capability becomes particularly valuable during client security assessments and compliance audits. MSPs can provide definitive answers about credential lifecycle management, access logging, and revocation procedures. They can guarantee that client credentials remain segregated and that departing staff cannot retain privileged access.
The insurance implications are significant. Cyber insurance providers increasingly scrutinise credential management practices when underwriting policies. MSPs with provable credential control may access better coverage terms and lower premiums—advantages they can partially pass to clients.
Most importantly, comprehensive credential assurance transforms client conversations from cost-based procurement to strategic partnership. MSPs become enablers of client regulatory compliance rather than potential sources of regulatory risk. In an environment where credential breaches can trigger multi-million pound penalties, this assurance commands premium pricing and drives client retention.
The Advanced NHS breach demonstrated that credential security is no longer an internal IT concern—it is a board-level business risk that cascades through entire supply chains. MSPs that recognise and address this reality will define the next generation of managed services.