
After running an MSP for years, I can say this confidently:
Most breaches don’t happen because security tools failed.
They happen because someone had more access than they should have.
When we bring on a new client and check their environment, this is one of the first things we look at. It almost never looks good.
What We Usually Find on Day One
Almost every tenant tells the same story:
- Too many Global Admins
- Admin rights granted “temporarily” and never removed
- Former employees still holding elevated roles
- Vendor accounts with full access “just in case”
- Service accounts running with permissions nobody remembers approving
None of this feels dangerous day to day.
Until it suddenly is.
Why Attackers Love Admin Access
Attackers don’t need to be clever if you make things easy for them. With admin access, an attacker can:
- Disable security controls
- Create new admin accounts
- Turn off logging
- Access mailboxes, files, and backups
- Move laterally without resistance
At that point, the breach isn’t about if. It’s about how much damage (51% of Cyberattacks in the Managed Service Provider (MSP) Sector Lead to Unplanned Expenses to Fix Security Gaps, 2024). And the uncomfortable truth?
MFA doesn’t save you if the compromised account is over-privileged.
“But We Trust Our Admins”
I hear this a lot. And I get it. Your admins are good people.
But breaches don’t target trust. They target credentials. All it takes is:
- One phishing email
- One reused password
- One MFA approval mistake
- One compromised device
When that happens, excess permissions turn a small incident into a full-scale outage.
Excess Admin Access Breaks the Blast Radius Rule
Good security design limits damage. Excess admin access does the opposite. It maximizes the blast radius. Instead of:
- One affected user account
You get:
- Tenant-wide compromise
- Data exposure
- Business disruption
- Regulatory fallout
This is exactly why attackers prioritize admin roles first. (Enhancing Cyber Resilience: Insights from CISA Red Team Assessment of a US Critical Infrastructure Sector Organization, 2023)
Why MSPs See This Problem Before Anyone Else
Internal IT teams often inherit access models over the years. MSPs walk into environments fresh, and we see patterns clearly:
- Permissions are added faster than they’re removed
- No regular admin reviews
- No ownership of “who really needs what”
- No emergency recovery planning
That’s not a criticism. It’s reality. Security debt accumulates quietly. (51% of Cyberattacks in the Managed Service Provider (MSP) Sector Lead to Unplanned Expenses to Fix Security Gaps, 2024)
The Fix Is Simple but Not Easy
Fixing excess admin access doesn’t require new tools.
It requires discipline. What we enforce by default:
- Least privilege access
- Role-based admin separation
- Time-bound admin access
- Regular admin reviews
- Break-glass accounts with strict controls
None of this is flashy.
All of it works.
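A regular admin review can be scripted against an export of role assignments. The sketch below is an added example, not code from the original post; the record fields, the break-glass allow-list, the Global Admin threshold and the sample rows are all constructed assumptions. It turns the day-one findings above into repeatable checks.

```python
from datetime import date

FIELDS = ("principal", "role", "kind", "enabled", "expires", "owner")
# Constructed sample export of privileged role assignments (not real tenant data).
SAMPLE = [dict(zip(FIELDS, row)) for row in [
    ("alice@example.com",       "Global Administrator",   "member",  True,  None,         None),
    ("bob@example.com",         "Global Administrator",   "member",  True,  "2024-01-31", None),
    ("carol@example.com",       "Global Administrator",   "member",  False, None,         None),
    ("vendor@partner.example",  "Global Administrator",   "guest",   True,  None,         None),
    ("svc-backup@example.com",  "Exchange Administrator", "service", True,  None,         None),
    ("dave@example.com",        "User Administrator",     "member",  True,  "2030-01-01", None),
    ("breakglass1@example.com", "Global Administrator",   "member",  True,  None,         "CISO"),
]]
BREAK_GLASS = {"breakglass1@example.com"}  # assumed allow-list of emergency accounts
MAX_GLOBAL_ADMINS = 2                      # assumed policy threshold, break-glass excluded

def review(assignments, today, break_glass=BREAK_GLASS, max_ga=MAX_GLOBAL_ADMINS):
    """Return sorted (principal, finding) pairs for one admin access review."""
    findings = set()
    global_admins = []
    for a in assignments:
        who = a["principal"]
        if who in break_glass:
            if not a["owner"]:
                findings.add((who, "break-glass account has no named owner"))
            continue  # break-glass is permanent by design; controlled separately
        if a["role"] == "Global Administrator":
            global_admins.append(who)
        if not a["enabled"]:
            findings.add((who, "disabled account still holds an admin role"))
        if a["kind"] == "guest":
            findings.add((who, "vendor/guest account holds an admin role"))
        if a["kind"] == "service" and not a["owner"]:
            findings.add((who, "service account admin role has no owner"))
        if a["expires"] is None:
            findings.add((who, "permanent assignment, not time-bound"))
        elif date.fromisoformat(a["expires"]) < today:
            findings.add((who, "time-bound access expired but still assigned"))
    if len(global_admins) > max_ga:
        findings.add(("*", f"{len(global_admins)} Global Admins exceeds limit of {max_ga}"))
    return sorted(findings)

if __name__ == "__main__":
    for who, finding in review(SAMPLE, date(2025, 1, 1)):
        print(f"{who:28} {finding}")
```

Run on a schedule against a fresh export, an empty result is the target state; anything else goes to whoever owns the review.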
Final Thought
If you remember one thing from this post, let it be this: Every unnecessary admin account is an open invitation to attackers. Reducing admin access won’t eliminate breaches, but it will dramatically reduce how severe they are. And as an MSP owner, I can tell you:
The cleanest environments are always the ones with the fewest admins.
Author
Jaspreet Singh
Author @ MSPinsights.ca
Founder & CEO, Accelerate IT Services Inc
References
(July 8, 2024). 51% of Cyberattacks in the Managed Service Provider (MSP) Sector Lead to Unplanned Expenses to Fix Security Gaps. Netwrix. https://www.netwrix.com/51-of-cyberattacks-in-the-msp-sector-lead-to-unplanned-expenses-to-fix-security-gaps.html
(October 4, 2023). Enhancing Cyber Resilience: Insights from CISA Red Team Assessment of a US Critical Infrastructure Sector Organization. CISA. https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-326a