The Middle East escalation is already disrupting business-as-usual for managed services providers. Security teams are logging spikes in cyber activity. Drones are striking data center facilities, and some organizations are rerouting workloads and spinning up disaster recovery plans on the fly. This is not a drill. This is real life.
Imagine a scenario where physical infrastructure went down, cloud dependencies got stress-tested, and customers needed answers fast. Somewhere behind each of those outages was a managed services team fielding calls they had no answers for, because their upstream provider was still figuring out whether the building was structurally sound.
The attack surface is double-sided – physical and cyber. There’s the cyber threat – targeted, opportunistic, and often timed to moments of global instability. And there’s the infrastructure risk, the possibility that the data centers and cloud regions customers depend on are closer to a conflict zone than anyone thought to check.
Neither of those problems is going away anytime soon. Conflicts like this have historically driven surges in attacks across IT, financial, and government sectors worldwide. The targets are never predictable, nor is the timing.
So the real question for MSPs right now isn’t whether this affects them. It’s whether they have a disaster recovery plan for when it does. Because when a crisis occurs, customers will remember who was ready.
MSPs Are in the Blast Path
John Nellen
When attacks scale, managed services providers sit directly in the path. They hold privileged access across multiple customer environments, operate shared tooling, and maintain credentials that span accounts. That reach is the value proposition. It’s also the exposure.
John Nellen, CEO of Todyl, framed it simply: “Providers are often sitting right in the middle of it as trusted advisors who hold privileged access across dozens or even hundreds of client environments, running and maintaining security programs on the customer’s behalf, including organizations tied to critical infrastructure and broader supply chains.”
A single compromise in that model doesn’t stay contained. It moves. That is what turns one incident into something significant.
Andy Bensinger
Andy Bensinger, CTO of CyberFox, explained what makes the current threat environment different from a typical ransomware cycle.
“A successful breach doesn’t just impact the provider, it can have significant downstream effects across their entire client base. What’s especially concerning right now is that these attacks don’t appear to be financially motivated ransomware events, but rather destructive campaigns aimed at permanently deleting data and disrupting operations,” he said.
Destructive campaigns don’t end with a ransom negotiation. They end with customer data gone, systems offline, and a provider trying to explain what happened. That’s a different business conversation than a recovery invoice.
Detection Gaps Become Business Gaps
Kory Daniels
The timing can never be predicted for geopolitically motivated attacks. Neither do they announce themselves. They come up as patterns like credential probing, unusual lateral movement, access from locations that don’t fit – and spread across identity, network, and cloud. When teams have fragmented visibility, patterns emerge too late and impact becomes clear only when the damage is already done.
Kory Daniels, chief security and trust officer at LevelBlue, described what adequate readiness actually requires: “The reality is defending their own infrastructure while maintaining visibility and response readiness across dozens or even hundreds of client environments. That means ensuring monitoring is tuned to detect infrastructure and behaviors associated with Iranian threat actors and confirming escalation and response processes can move quickly.”
Alexandra Rose
Speed of response matters here as well in a direct business sense. The longer a compromise goes undetected across a multi-tenant environment, the wider the blast radius – and the harder the customer conversation becomes afterward.
Alexandra Rose, global head of government partnerships and director of CTU threat research at Sophos, highlighted a layer that catches many teams off guard. “Those noisy actions – DDoS attacks, website defacements. That can distract teams and sometimes hide more serious activity underneath,” she said.
High-volume, visible attacks consume analyst attention. What’s moving quietly underneath is often the actual threat. Providers whose detection isn’t correlated across systems are working with a partial picture during exactly the period when a complete one matters most.
Your DR Plan Has Not Been Tested for This!
Pascal GeenensAWS data center disruption in the UAE exposed something providers need to take seriously: resilience that works on paper doesn’t always work under pressure. Regional disruption – whether from kinetic attacks, power loss, or compounding failures – creates conditions most environments weren’t designed for.
Pascal Geenens, VP of cyber threat intelligence at Radware, explained the core problem: “When physical infrastructure is destroyed, failovers within the same region can be rendered useless.” His team’s 2026 Global Threat Analysis Report tracked a 168% surge in DDoS attacks and a 120% increase in application-layer attacks over the past year, largely driven by regional conflicts. For providers managing SLAs tied to uptime, that volume has direct contract implications.
Jonathan Knepher
Jonathan Knepher, VP of site reliability engineering at Forcepoint, said that many providers are still operating with an architectural gap they haven’t fully addressed: “Even N+1 resiliency at the physical datacenter block is insufficient to maintain availability.” If a provider’s cloud infrastructure, backup systems, and disaster recovery site all share regional dependencies – same power grid, same subsea cables – failover isn’t a recovery option. It’s another single point of failure.
For MSPs, the question is real. If customer workloads can’t move during a regional outage, what happens to SLAs, contracts, and the conversations with customers that follow?
Disaster Recovery as a Business Capability, Not a Document
Brian Harmison
Most MSPs have disaster recovery documentation. Fewer have tested whether it actually works under realistic conditions. That gap shows up fast when something breaks.
Brian Harmison, CEO of Corsica Technologies, is direct about what the current environment demands: “Resilience planning can’t be theoretical. MSPs should be stress-testing cloud architectures for multi-region failover, making sure DR runbooks are actually practiced, and ensuring security monitoring is tuned to catch anomalies early. This isn’t about reacting to any particular conflict. It’s about building the kind of operational foundation that holds up no matter what causes the disruption.”
The same Jonathan Knepher puts it simply, “Disaster recovery plans are only valid if they have been tested. Abstract plans aren’t enough.”
The business difference is measurable. Providers who have rehearsed recovery steps know who owns what, how long each step takes, and where the friction points are. Providers who haven’t found out during an incident do it in front of customers, under pressure, with the clock running.
Customer Communication is Key
David Byrnes
When disruptions hit, and even in general, customers don’t want general assurances. They want to know what’s affected, what’s protected, and what happens next. It all comes down to how a provider handles such conversations – during and after an event – this is what actually separates retained customers from lost ones.
David Byrnes, VP of Global Channels at Kiteworks, connects this to a broader positioning opportunity: “The MSPs that bring geopolitical risk, AI-driven risk, and data governance together under one unified approach will be the ones their clients trust when the next disruption hits.”
But this kind of trust is not built during an incident. The foundation starts with conversations that happen before anything goes wrong – explaining the resilience model, clarifying what recovery looks like, and setting realistic expectations for how communication will work or not when operations change or are affected.
Where MSPs Should Focus Now
Validate Cloud Failover, Don’t Assume it
Cross-region resilience needs to be tested under realistic conditions, not verified on paper. Map workload dependencies, identify where manual intervention is still required, and close those gaps. The 3-2-1 backup rule – three copies, two modalities, one off-site and offline – remains the practical standard. What matters now is whether those copies are actually tested and recoverable.
Treat Disaster Recovery as an Operational Practice
Frequent drills, documented ownership, and measured recovery times are what make DR a real capability rather than a compliance artifact. Bensinger makes a specific point that providers often skip: testing restores to confirm actual recovery point and recovery time objectives. If those tests haven’t run recently, that’s the gap to close first. For high-impact customer environments, air-gapped backups are worth evaluating seriously.
Run Combined Disruption Scenarios
Exercises that only model cyberattacks miss what the current environment is actually presenting. Simulating coordinated cyber activity alongside infrastructure disruption – simultaneously, not sequentially – is where providers find out where processes break and where ownership is unclear. Those findings are far less costly to address in a drill than in an active incident.
Build the Customer Communication Model Before it’s Needed
IT Providers that handle disruptions well aren’t improvising. They’ve already defined what they’ll communicate, how quickly, and through what channel.
Trust, access, and scale are what the managed services model is built on. When geopolitical events trigger both cyberattacks and infrastructure disruption at the same time, those same factors determine how much risk a provider is carrying and how ready they are when customers need them most.
For most MSPs, the deeper issue is planning. MSPs typically build continuity planning around security incidents, which assumes the underlying infrastructure stays stable. That assumption is harder to defend now. When a conflict zone takes out a data center or disrupts a major transit network, the fallout isn’t just a security event. It’s an availability problem, a contractual problem, and a customer confidence problem hitting all at once.
MSPs who treat geopolitical risk as something to prepare for, not just follow in the news, will be the ones who survive when frantic customers start calling.
Suparna Bhasin is senior managing editor for CyberRisk Alliance’s Channel Brands, including ChannelPro Network. She manages content development, sharpens editorial workflows, and ensures storytelling is tightly aligned with audience needs. With a background in technology, media, and education, she combines strategic insight with creative execution.
Images: R — stock.adobe.com, LinkedIn
