I want to start this week with a number that should stop every managed service provider in their tracks: 91.7%.

That is the share of global cybersecurity technology spending — $24.2 billion in a single quarter — that now flows through the channel. Not through direct enterprise purchases. Not through hyperscaler self-service portals. Through partners like you and me.

The data comes from Omdia, published this week, and it tells a story that is simultaneously encouraging and deeply sobering. The channel is more central to cybersecurity delivery than at any point in history. And yet, according to SonicWall's concurrent Cyber Protect Report, the organizations we serve are still falling prey to attacks that should have been stopped years ago.

The Weapon of Choice Has Changed

Here is the line from the SonicWall report that I keep coming back to: *"The stolen password, not the zero-day, is the attacker's weapon of choice."*

Think about what that means. After decades of security investment — next-generation firewalls, endpoint detection, threat intelligence platforms, SIEM deployments — the most effective attack vector in 2026 is a credential that someone reused, phished, or left exposed in a data breach database. Nation-state actors from China, Iran, and North Korea are not primarily exploiting sophisticated software vulnerabilities. They are logging in.

The ConnectWise 2026 MSP Threat Report, released this week, reinforces this picture with alarming specificity. Cybercriminals are increasingly bypassing software exploits entirely and going straight after identities. They are targeting the remote access infrastructure that MSPs depend on — RMM tools, PSA platforms, remote desktop gateways — because compromising an MSP gives them access to every client that MSP serves. One breach, hundreds of victims.

The Identity Attack Surface Is Exploding

The SonicWall data identifies identity, cloud, and credential compromise as accounting for 85% of actionable security alerts. Eighty-five percent. This is not a niche attack vector. It is the dominant attack surface, and it is one that most SMBs — and frankly, many MSPs — are not adequately protecting.

The specific failure modes are predictable and preventable:

Weak or reused passwords remain endemic despite years of awareness campaigns. Password managers are still not universally deployed. Multi-factor authentication is still not universally enforced. In 2026, this is not a technology problem — it is a discipline problem.

Over-permissive access is the silent killer. Users and service accounts accumulate permissions over time that far exceed what their roles require. When those accounts are compromised, attackers have broad lateral movement capability. Least-privilege access is a foundational security control that most organizations implement inconsistently at best.

Unpatched systems continue to provide footholds. Automated bots are now generating more than 36,000 vulnerability scans per second — scanning the entire internet, continuously, looking for known vulnerabilities. If you have an unpatched system exposed to the internet, it will be found.

What This Means for MSPs Specifically

I want to be direct with my fellow MSPs here, because I think we sometimes avoid uncomfortable conversations about our own exposure.

The same identity vulnerabilities that affect our clients affect our own operations. Our RMM platforms, our PSA systems, our remote access tools — these are high-value targets precisely because they provide access to our entire client base. A threat actor who compromises an MSP's administrative credentials does not get one victim. They get every client in the portfolio.

This means that the identity security standards we apply to our clients must be applied to ourselves first, and more rigorously. Every administrative account should have hardware-based MFA. Every remote access session should be logged and monitored. Every privileged action should require re-authentication. This is not paranoia — it is the baseline that the threat environment demands.

The $24 Billion Opportunity and Obligation

The Omdia data on channel cybersecurity spending is genuinely exciting. The channel's dominant role in security delivery is a massive opportunity for MSPs who can execute well. But it also represents an obligation.

When 91.7% of cybersecurity spend flows through partners, and SMBs are still experiencing 88% ransomware breach rates — more than double the rate at large enterprises — something is not working. The investment is flowing through the channel, but the outcomes are not materializing.

The MSPs who will win the next five years are not those who sell the most security products. They are those who deliver the most security outcomes. That distinction requires a fundamental shift in how we think about our role — from technology resellers to security outcome guarantors.

Start with identity. Enforce MFA everywhere, without exception. Implement privileged access management. Conduct regular access reviews. Monitor for credential exposure in breach databases. These are not advanced security capabilities — they are foundational ones. And in 2026, there is no excuse for not having them in place for every client you serve.

The stolen password is the attacker's weapon of choice. Make sure it is not available to them.