MSPs Should Fire Clients that Won’t Invest in Cyber Protection Services

If you’re a managed service provider (MSP) in the business of providing IT services to small and medium businesses (SMBs), the threat of ransomware ranks high on your list of ongoing concerns. While massive ransomware attacks on large enterprises grab the biggest headlines, MSPs know that their smaller clients remain at the greatest risk: SMBs comprise 75% of all ransomware victims, according the U.S. Justice Department.

Consequently, most MSPs are busy trying to get their clients to subscribe to modern cybersecurity and data protection services–and well they should. Clients that don’t have basic cyber protection are a costly risk to MSPs for several reasons:

• They’re expensive to support, being much more likely to suffer cyberattacks that their MSP will spend profit-draining days and weeks in containment and recovery operations.
• Given the ability of many ransomware strains to spread beyond the initial target, they introduce increased cyber risk to every business in a client’s tech supply chain, including the MSP.
• If the client carries cyber insurance, its carrier may try to recover ransomware attack damages from the MSP–even if the SMB’s failure to invest in adequate defenses led to the breach.

The pressure on MSPs to upgrade such clients to more robust cyber protection services is clearly increasing. Yet many SMBs are reluctant to incur even modest upgrade costs. Present your client with a proposal for a services tier that includes anti-ransomware defenses, and they’re likely to raise some typical objections:

• “We thought we were already protected.” The client falsely hopes that a legacy antivirus solution that relies on signature matching to detect known malware is still adequate to counter the ransomware threat. (As every cybersecurity pro knows, it’s not–thanks in large part to the sheer volume of new iterations of ransomware that are generated daily, overwhelming signature-based defenses.)
• “We’re too small; our data isn’t valuable enough to target.” The reality is that cybercriminals cast a very wide net these days. Many threats are automated, making it trivially easy to strike at SMBs. Attackers also know that even small businesses, faced with the prospect of staying offline for days or weeks from a ransomware attack, are likely to pay up. So-called double-extortion tactics, in which the attacker steals data before triggering the encryption attacks and threatens to leak it online if the ransom isn’t paid, further ratchet up the pressure.
• “We have no budget for an upgrade.” This shortsighted notion ignores research from Cisco Systems that shows that one in five SMBs that suffer an attack will spend between $1 million to $2.5 million to recover from it. The contention that they can’t afford a modest increase in their monthly MSP charges to protect their business from an existential threat reflects a poor understanding of their risk environment.

In a world where cybercrime is spiraling upward–research firm Cybersecurity Ventures projects its global impact to reach $10.5T by 2025–MSPs should be increasingly reluctant to carry SMB clients that won’t make basic investments to reduce their cyber risk. Veteran MSP advisor Erick Simpson puts it in more blunt terms, encouraging MSPs to conduct what he calls “The Conversation,” in which the MSP gently lays out the case for why it’s no longer optional for the client to upgrade their cyber defenses–and seriously considers ending the relationship if the client refuses.  Click on Page 2 to continue reading…