When you take on a managed IT provider, you hand over a significant amount of access. Sometimes the lot. Your email. File servers. Admin credentials for your accounting software, your CRM, your cloud backups. In some setups, the ability to log in as you. This isn't unusual or alarming on its own. It's a necessary part of having someone else manage your IT. But what most people don't think about until something goes wrong is what that access means if the provider themselves gets hit.
What Happened to M&S Last Easter
In April 2025, Marks & Spencer suffered a cyberattack that shut down online orders for weeks, disrupted food supply to hundreds of stores, and cost the company an estimated £300 million in operating profit. But the attackers didn't target M&S directly. They went after a contractor, a third party with access to M&S systems that nobody had paid much attention to.
Security professionals call this a supply chain attack. The logic is simple: if breaking into a company directly is hard, find someone who already has access and go through them instead.
Large retailers aren't the only ones at risk. In 2021, attackers compromised Kaseya, a platform that managed service providers use to remotely administer their clients' systems. By getting into one product, the attackers were able to push ransomware to 1,500 businesses simultaneously. These businesses weren't targeted. They just happened to use a vendor whose platform got hit.

Your Vendor List Is Also Your Attack Surface
For most Sydney businesses, the list of companies with access to your systems is longer than you'd expect. Your IT provider, obviously. But also whoever runs your payroll, your cloud storage, your accounting software, your website. Each of those is a bet on someone else's security practices, and chances are you've never asked to see their hand.
The Conversation Worth Having
You don't need to be technical to have this conversation. You just need the other person to give you straight answers.
Start with credentials. How do they store yours? A proper setup involves an encrypted password vault, and getting access to your systems should require them to authenticate themselves first. A shared spreadsheet or a "we just remember it" answer is a problem.
Staff turnover matters more than most people realise. When someone leaves their team, how quickly does their access to your systems get revoked? Old credentials that linger after someone walks out the door are one of the more common ways businesses get compromised, and it's entirely preventable.
Security incidents are fair game to raise too. "Never" isn't necessarily the right answer. What you're after is a real one: what happened, what they learned, what changed. Anyone claiming a spotless record over many years has either never been tested or is not being straight with you.
Consider scope too. A provider worth trusting only holds credentials for systems they're actively managing. If they've got access to things they haven't touched in years, that's worth a conversation.
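As an added illustration (not part of the original post), here is a small Python script of the kind a client or provider could run over an exported list of vendor accounts to surface exactly the problems raised above: shared logins nobody owns, access that outlived a departed staff member, credentials for systems the provider no longer manages, and accounts that haven't been used in months. The systems, usernames, staff names and dates are all constructed sample data.

```python
from datetime import date

# Constructed sample data: the accounts a provider holds on a client's systems,
# the systems the client actually pays them to manage, and the provider's
# staff who have left. None of this is real.
MANAGED_SYSTEMS = {"email", "file-server", "cloud-backup"}
DEPARTED_STAFF = {"dana"}          # left the provider, should have no access
TODAY = date(2025, 6, 30)
STALE_DAYS = 90

ACCOUNTS = [
    # (system, username, named owner or None for a shared login, last login)
    ("email",        "svc-msp-alex",  "alex", date(2025, 6, 28)),
    ("file-server",  "svc-msp-dana",  "dana", date(2025, 3, 20)),  # departed, still active
    ("accounting",   "svc-msp-admin", "alex", date(2023, 1, 10)),  # out of scope and stale
    ("cloud-backup", "msp-shared",    None,   date(2025, 6, 29)),  # nobody owns it
]


def audit_vendor_access(accounts, managed, departed, today, stale_days=STALE_DAYS):
    """Return (system, username, finding) triples for accounts worth a conversation."""
    findings = []
    for system, user, owner, last_login in accounts:
        if owner is None:
            findings.append((system, user, "shared account with no named owner; use cannot be attributed"))
        if owner in departed:
            findings.append((system, user, "owner has left the provider but access was not revoked"))
        if system not in managed:
            findings.append((system, user, "credential held for a system the provider does not manage"))
        if (today - last_login).days > stale_days:
            findings.append((system, user, f"unused for more than {stale_days} days; candidate for removal"))
    return findings


if __name__ == "__main__":
    for system, user, finding in audit_vendor_access(ACCOUNTS, MANAGED_SYSTEMS, DEPARTED_STAFF, TODAY):
        print(f"[{system}] {user}: {finding}")
```

A clean account (named owner, still employed, in-scope system, used recently) produces no finding; everything else is a question to put to the provider.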
The Person at the Other End of the Phone
Underneath all of this is a simpler question: do you actually know who you're dealing with? Not the company name, but the person. Can you picture their face? Do you know their name? When something goes wrong at 8am on a Monday, are you confident they'll pick up?
Ticketing systems are fine when everything is fine. When your email is down and you've got clients waiting, you want to call someone who already knows your business and can start working immediately without needing a full briefing on your setup. That kind of relationship takes time to build, which is part of why it matters that the person you're building it with actually stays around.
We've been looking after Sydney businesses for over 20 years. You'd be talking to Jamie, same name, same number, same person who set things up. We manage credentials through an enterprise vault with strict access controls, and document everything so your access is always yours, and ours is always accounted for.
If you want to talk through how we handle your data and access, or just want a frank conversation about whether your current setup has any gaps, get in touch. No sales process, just straight conversation.