invidis.com and sixteen-nine.net have united

Cyber-Security: The Hidden Risk in Managed Services

Managed Service Providers are central to modern communication infrastructures – and increasingly attractive targets for cyberattacks. invidis spoke with MVC Videra Managing Partner Sven Damberger about how to identify truly secure ProAV and UCC service providers.

As UCC, AV and digital signage environments grow more complex, many companies rely on MSPs for efficiency and scalability. However, this outsourcing also creates new risks. “If a service provider is compromised, attackers can potentially access multiple customer environments at once,” says Damberger. This multiplier effect makes MSPs highly attractive for ransomware groups and espionage actors. At the same time, they operate critical systems containing valuable data – from communication metadata to technical operational insights.

Multi-layered security is essential

MVC Videra  – born from a merger of German integrator MVC and Finnish telco subsidiary Elsa Videra – addresses these risks with a multi-layered approach combining technical and organizational measures. Infrastructure is strictly segmented using tenant separation, firewalls, VLANs and VRFs, while access is encrypted and continuously monitored.

Equally important are governance structures: role-based access, clearly defined permissions, audit logs and regular security audits. “We control exactly who can access what, and when,” Damberger explains.

Key attack vectors

Current threats include phishing, compromised admin accounts, ransomware and DDoS attacks. Phishing in particular remains a major entry point, as hacked mailboxes provide valuable context for further attacks.

Admin accounts pose the greatest risk and must be protected with phishing-resistant MFA, such as passkeys or hardware tokens. In UCC environments, telephony-related threats – including SIP misuse and attacks on public interfaces – are also increasing. Availability remains critical, making DDoS a serious concern.

Transparency over promises

For customers, security must be verifiable. “Availability promises are not enough,” says Damberger. MSPs should clearly demonstrate how they separate customer environments, manage access, handle vulnerabilities and ensure secure backups and incident response. Transparency is the decisive factor.

Certifications such as ISO 27001, 27017, 27018 or TISAX are useful indicators but not sufficient on their own. “They don’t replace a look at how security is actually implemented,” he adds.

European infrastructure gaining importance

Data sovereignty is becoming a key decision factor. Many companies seek GDPR-compliant alternatives to global cloud providers. MVC Videra operates its own infrastructure in Frankfurt and Finland, ensuring full control within the European legal framework and geo-redundant resilience across both sites.

Security in practice

Cyber resilience relies on consistent principles: least-privilege admin access, no shared accounts, full logging and strict network separation. Customer environments are isolated from each other using dedicated network structures and controlled connections.

Vulnerability management is continuous, with daily evaluation of security advisories and regular scans. Backup strategies go beyond standard approaches, combining dedicated systems, cross-site replication and offline storage. Regular recovery testing ensures resilience in real scenarios.

A common misconception and what to look for

One of the biggest mistakes companies make is assuming MSPs are inherently secure. “Security doesn’t come automatically with professional IT operations,” Damberger stresses. It must be embedded in architecture, processes and company culture.

When selecting a provider, IT decision-makers should focus on demonstrability. A trustworthy MSP can clearly explain its security architecture and openly answer critical questions.

“Certifications help, but they don’t replace technical discussion,” Damberger concludes. “What matters is proven security in practice.”