Common MSP Cybersecurity Mistakes

Managed IT service providers are finding themselves at a crossroads. Cybersecurity incidents are impacting small to midsize businesses (SMBs) more and more, making business-as-usual uncomfortable for MSPs.

Just how big is the risk to small businesses? According to the 2017 Verizon Data Breach Investigation Report, 61% of breaches targeted SMBs, up from the previous year’s 53%.¹ These cyber attacks cost small businesses anywhere from $84,000 to $148,000.² And 60% of small businesses go out of business within six months of such an attack.³

SMBs are waking up to the fact that traditional perimeter-focused defenses–such as firewalls and signature-based endpoint protection like anti-virus–are simply not enough to protect against modern cyber threats.

“Advanced targeted attacks are easily bypassing traditional firewalls and signature-based prevention mechanisms. All organizations should now assume that they are in a state of continuous compromise.

Gartner, Designing an Adaptive Security Architecture for Protection from Advanced Attacks

As such, managed security services offer MSPs an effective means to both protect revenue by further entrenching their services into customer environments and expand revenue by adding in-demand cybersecurity capabilities without overhead or risk.

Where Do Many MSPs Go Wrong?

As MSPs scramble to fill the cybersecurity gap for SMBs, they are discovering challenges. Here are five common MSP cybersecurity mistakes and how to avoid them:

1. Delivering tools instead of solutions. The cybersecurity technology marketplace is enormous, and so the sheer volume of tools deployed could result in a messy, inefficient tech stack marred by both unnecessary overlap and vulnerable gaps in security coverage. Instead, consider solutions that consolidate core defense-in-depth capabilities like centralized log management, event monitoring, endpoint protection, network- and host-based intrusion detection, threat intelligence, and even deception. While there is no silver bullet for cybersecurity, take a holistic look at your strategy and minimize the number of disparate parts.

2. Selecting partners that don’t provide managed service. The fastest and most effective way to add cybersecurity is for an MSP to partner with a managed security solution provider that can become an extension of their team. Selecting a monolithic cybersecurity tech company that is not in the business of “service” is often a mismatch relationship for MSPs that greatly value SLAs and need to augment their own staff with cybersecurity expertise.

3. Providing a one-size-fits-all solution. Flexibility is important when considering how to package or bundle managed security solutions. Each customer will have a varying level of acceptable risk and may not want continuous, daily or weekly monitoring, but rather only critical endpoints put within scope. MSPs can achieve this through a Co-Managed SIEM, which allows the customer, MSP staff and SIEM provider to work in concert.

4. Taking an “If I build it, they will buy” mentality. Cybersecurity is crucial, right? Yes, we know that. But many SMB customers don’t. If marketing and selling cybersecurity were easy, we wouldn’t see so many data breach headlines in the news. MSPs must put careful thought and resources into marketing their cybersecurity services, starting with their current base.

 5. “Techsplaining” to SMB customers. Having a sales strategy is one thing; having an effective sales strategy is another. As IT professionals, MSPs too often want to expound on the technical capabilities, feature sets and breakthrough innovations in the solution, and think the business value will be quite evident. In such cases, the customer becomes frustrated and the MSP loses relevance. MSPs should be prepared to answer questions such as:

“I’m not a target. Why do I need to spend more on cybersecurity?” In this case, focus on business risk and put it in terms they understand–money. In addition, explain that cybercrime isn’t necessarily personal, its opportunistic.

“What’s wrong with my firewall and anti-virus?” In this case, explain that cyber threats come from all different angles and are constantly ramping up their game. Introduce them to the defense-in-depth concept. A set-it-and-forget-it cybersecurity plan is not only useless, it’s considered negligent by the fact that data protection regulations typically cite the need for active monitoring and management.

MSP Cybersecurity Checklist

In short, to counter these pitfalls in successfully developing, selling, and delivering your managed security services, consider the following:

1. Develop a unified cybersecurity solution that fuses together technology, people, and process.
2. Partner with service-minded cybersecurity providers that can help you meet SLAs.
3. Create a “Crawl. Walk. Run” model to ease customers into advanced threat protection.
4. Prepare a well-thought-out sales strategy to effectively communicate to your base.
5. Speak your customers’ language and ensure your pitch addresses business goals.

If you’re ready to transition successfully to a managed security service provider, use this checklist as a guide and watch out for the common mistakes.

Aaron Branson is Vice President of Marketing for EventTracker, a provider of Managed SIEM and SOC solutions, where he is responsible for business growth and cybersecurity evangelization.

This guest blog is part of a Channel Futures sponsorship.

_Sources

_{1 Verizon Data Breach Investigation Report}

_{2 The Guardian}

_{3 Internet Privacy in the Digital Age, Champlain College}