How Crap MSPs, Slack Vendors, and a Culture of Complacency Are Fueling the Ransomware Epidemic
The Smiling Saboteur
It happened in a conference room with stale coffee and too many chairs. The room was quiet, except for the low hum of the air conditioning and the heavy silence that followed a disaster. The director, eyes fixed on the MSP account manager, asked the question quietly, almost politely.
“Weren’t we covered?”
The account manager, Tom, mid-thirties in a smooth tie, with a voice practised for denial, looked down at his notes. He shifted slightly in his seat. He’d said this before, more times than he liked to admit.
“Well,” he began, “that wasn’t strictly in scope.”
And just like that, the spell was broken. The last illusion shattered. This wasn’t a partnership. It was a service contract dressed up as trust, and trust just died on the table.
The Second Infection
Ransomware doesn’t travel alone. It rarely walks in by itself. More often than not, it hitches a ride—delivered not just by phishing links or zero-day exploits, but by those already inside the house.
The IT supplier. The cloud vendor. The cheerful MSP who smiled through the onboarding process and handed over a brochure full of green ticks and buzzwords.
They were supposed to protect the business. They were the ones who said, “We’ve got this.” They made cybersecurity seem simple. Too simple.
What they didn’t say, what they didn’t want the customer to ask, was that their protection was mostly cosmetic. A façade. A managed illusion of safety that ran fine right up until the first real test.
And when that test came, as it always does, everything collapsed.
The Cheap Package with an Expensive Price
It started with a bargain.
A slick pitch deck. Unlimited support. Monitoring. Patching. Email security. A fixed monthly price per user, just under a tenner. The business signed off. The FD loved the savings. The MD loved the simplicity.
Everyone felt safe.
But no one asked what patching really meant. Or what tools were used. Or how often backups were tested. Or whether alerts were actually acted on.
It wasn’t that anyone was lying. It’s just that no one told the truth. Not completely.
The antivirus was free-tier rebranded software. The “monitoring” was just a dashboard that someone glanced at once a week. Backups ran, but no one had ever done a full restore.
MFA wasn’t enforced because the director didn’t like the prompts. Patching was scheduled weekly, but failures weren’t followed up. Endpoints were enrolled but never reviewed.
Everything looked fine.
Until it wasn’t.
The Harwood Example
The breach came thirty-one days after a new firewall was installed. The old one had been overdue for replacement. Harwood Systems, the MSP, came in, replaced the hardware, and assured the client that everything was configured. They even sent a PDF with screenshots.
It turned out the firewall was misconfigured. The remote access policy allowed logins without geo restrictions. Logs weren’t stored externally. Alerts weren’t tested.
But no one knew that—not the client, and not most of Harwood’s team. The documentation was thin. The engineer who’d installed it was on leave. The alerts, such as they were, vanished into a shared mailbox no one checked.
So when the ransomware actor walked through the front door—legit credentials, legitimate access—there were no alarms. Just silence.
By the time they started encryption, they’d already disabled the backup jobs.
And Harwood? They did what many MSPs do when panic sets in. They closed ranks.
The Email That Should Have Stayed Hidden
On Day 2, while still in reactive mode, Harwood sent an internal email. It named the misconfiguration. It said it was the cause of the breach. It said they’d confirmed it was their responsibility.
And it included one damning line: “This cannot be shared with the client.”
Except someone forwarded it. The client was CC’d. And now they knew.
Day 3 was meant to be a status update. Instead, it became a reckoning. The client read the email aloud on the video call. No one from Harwood spoke for 15 seconds.
In breach response, silence is confession.
The Dashboard Illusion
Across the UK, thousands of businesses are staring at dashboards that make them feel secure. Green ticks. “Compliant.” “Healthy.” “Protected.”
But none of those words mean anything if no one’s checking what’s underneath.
Those dashboards don’t show whether the machine has 200 known vulnerabilities. They don’t tell you that the backup job succeeded but the data inside is corrupt. They don’t tell you the firewall was misconfigured. They don’t know that your domain admin account was created in 2016 and never had its password changed.
They just show you what the tool was told to look at. Not what matters.
And the MSP? They use those dashboards as proof. “Look, we’re keeping you safe.” They show the green, but not the gaps. They sell calm while missing the crisis.
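The case described above, a backup job that reports success while the data it archived is corrupt or missing, is easy to catch if someone actually performs a restore and checks the result. The following Python script is an added example, not code from the original article or from any MSP's tooling: it records a hash manifest of the source files, runs a stand-in backup job that returns 0 no matter what it archived, then restores into a scratch directory and compares every file against the manifest. The file names, contents and the corruption it injects are constructed for the demonstration.

```python
"""Added example: verify a backup by restoring it and hashing the result,
instead of trusting the job's exit status. Files, contents and the injected
corruption below are constructed for the demonstration."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def write_manifest(source: Path, manifest: Path) -> dict:
    """Record a hash of every file at backup time; a later restore test is
    measured against this, not against the job's own report."""
    entries = {
        str(p.relative_to(source)): sha256_of(p)
        for p in sorted(source.rglob("*")) if p.is_file()
    }
    manifest.write_text(json.dumps(entries, indent=2))
    return entries


def run_backup_job(source: Path, archive: Path) -> int:
    """Stand-in for the nightly job. It archives whatever is on disk and
    returns 0, which is all a dashboard needs to paint a green tick."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return 0


def restore_and_verify(archive: Path, manifest: Path, restore_dir: Path) -> dict:
    """Full restore into a scratch directory, then compare every file the
    manifest promised against what actually came back."""
    with tarfile.open(archive, "r:gz") as tar:
        try:
            # 'data' filter blocks path traversal in archives (Python 3.12+)
            tar.extractall(restore_dir, filter="data")
        except TypeError:  # older interpreter without the filter argument
            tar.extractall(restore_dir)
    expected = json.loads(manifest.read_text())
    missing, corrupt = [], []
    for rel, digest in expected.items():
        restored = restore_dir / rel
        if not restored.is_file():
            missing.append(rel)
        elif sha256_of(restored) != digest:
            corrupt.append(rel)
    return {
        "checked": len(expected),
        "missing": missing,
        "corrupt": corrupt,
        "ok": not missing and not corrupt,
    }


def demo() -> dict:
    """Run the whole cycle on constructed data and return the verdict."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "source"
        source.mkdir()
        (source / "ledger.csv").write_text("id,amount\n1,100\n")
        (source / "contracts.txt").write_text("signed 2024-01-01\n")
        (source / "notes.txt").write_text("call supplier\n")
        manifest = root / "manifest.json"
        write_manifest(source, manifest)

        # Constructed failure: one file is silently overwritten with garbage
        # and another deleted before the job runs. The job neither notices
        # nor cares; its exit status is still 0.
        (source / "ledger.csv").write_bytes(b"\x00" * 16)
        (source / "notes.txt").unlink()

        archive = root / "backup.tar.gz"
        status = run_backup_job(source, archive)
        result = restore_and_verify(archive, manifest, root / "restore")
        result["job_status"] = status
        return result


if __name__ == "__main__":
    verdict = demo()
    print(f"job exit status: {verdict['job_status']} (the green tick)")
    print(f"restore verified: {verdict['ok']}")
    print(f"missing: {verdict['missing']}  corrupt: {verdict['corrupt']}")
```

The point of the design is that the manifest is written by someone other than the backup job and checked by a real restore: the job's own "success" is a statement about whether it finished, not about whether the data inside is usable. Scheduling a restore-and-verify run like this, and reading its output, is the check the dashboard cannot give you.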
The Vendors Who Want You Quiet
It’s not just the MSPs.
Vendors are in this too. They promise resilience while racing features to market. They sell backup software that doesn’t encrypt by default. They provide security appliances with remote admin enabled out of the box. They push cloud platforms with permissions hell built in.
And when something goes wrong? They lean on SLAs, not service. You get a case number, a callback time, and a shrug.
You’re not their client. You’re a SKU.
The truth is, the cybersecurity industry is full of incentives to look secure rather than be secure. Compliance instead of defence. Revenue instead of resilience.
And most businesses? They buy what’s sold.
The Willing Victims
Here’s where it gets uncomfortable.
Small businesses enable this. Not deliberately. Not maliciously. But with every decision to not ask questions. Every time a report is filed unread. Every time a director says, “We trust our IT.”
That trust isn’t the problem. The lack of verification is.
Because if you don’t check your supplier’s work, who will?
If you don’t review the logs, who will?
If you don’t test the backups, who will?
You can outsource services. You cannot outsource responsibility. That’s the rule ransomware proves every single day.
The Point Where Blame Becomes Shared
After the incident, when things settle, there’s always an audit.
The client brings in an external expert. The findings are brutal: the MSP missed obvious signs. The backups weren’t truly isolated. The EDR license had expired. Password policies were outdated. The firewall hole had existed since day one.
But there’s always a moment—always—when the auditor says, “This should have been spotted earlier. By you.”
Because risk is cumulative. It’s shared. It’s collective.
And silence is complicity.
The Real Cost of Crap IT
Ransomware rarely bankrupts a business with the ransom itself. The real cost is operational downtime. Lost trust. Regulatory reporting. Legal fees. Customer churn. Reputation collapse.
And after all that, they still have to rebuild.
They still have to fix the mess they didn’t think could happen.
They have to pay for the solution they could’ve had a year ago—at half the price, and none of the pain.
They look back at the MSP contract. It’s watertight. Clever. Empty.
And they wonder how it was ever allowed to get this far.
The Diagnosis We Keep Ignoring
Ransomware is not just a technical problem. It’s an ecosystem failure.
It’s what happens when MSPs commoditise safety. When vendors cut corners. When business leaders look away. When cost beats caution. When no one owns the problem, and everyone shrugs when it lands.
These aren’t zero-day exploits.
They’re old servers. Open ports. Weak passwords. Missing updates. Unasked questions.
Every breach was a to-do list someone ignored.
The Conversation That Needs to Start
If you're a business leader, it starts with you. Ask what your IT provider is doing, and make them prove it. Ask for the firewall config. Ask to see the last backup restore. Ask when the logs were reviewed. Ask what happens if your Office 365 tenant is compromised. Ask who checks MFA exceptions. Ask how long it takes to detect a breach.
If the answers sound defensive, vague, or patronising, leave.
Because the cost of staying silent is one day seeing your entire business frozen behind a red ransom screen—while the person you paid to protect you says, “Well, that wasn’t in scope.”
Next in the Series
Part 3 – The Cure: Why Ransomware Will Keep Winning Until Cybersecurity Becomes a Business Risk, Not a Tech Problem