If there was a market where 70 percent of the companies expected to increase their budget spend by an average of 7 percent, it’s fair to say a lot of them would be very interested in that market – especially if they were planning to spend that extra budget on a particular technology or service.
That’s exactly what the recent State of the market report from N-able found, revealing that 70 percent of SMEs are planning to increase their security budget with an average rise of 7 percent, which “represents a solid opportunity for managed service providers (MSPs)”. It argues that the conversation is no longer about whether security is important, but where the money should be spent and how to make the most of it.
It’s easy to see why SMEs are planning to spend more on security when you consider the results of the annual Business challenges survey of more than 1,000 SME owners by card payments specialist Takepayments. It found that 27 percent identified cyber security as the biggest threat to their business in 2022. The corresponding figure for 2021 was only 8 percent.
But while there’s no doubting the potential opportunity for MSPs, there are questions over how they (and vendors) deliver the best security to SMEs for their money that suits their purposes.
Daniel Marsh, Zyxel business development manager, said that the optimum approach would be to “offer each SME customer the security solution that best reduces the cost of ownership, while protecting them from the greatest range of threats online”.
“These solutions should enable SMEs to maintain access to centralised management and ‘always on’ monitoring, which enables vital rapid responses,” he said.
How easy is that? James Griffiths, co-founder of Cyber Security Associates, noted that customers are taking a closer look at the services being provided by MSPs as they seek to get the most value out of them.
“This then puts more pressure on the MSPs to make sure their clients are getting the best use of their licensing,” he said, pointing out that some customers are “paying for a service, but aren’t really sure what they’re getting or what service levels are included”.
According to Gregg Lalle, senior vice-president of international sales and strategy at ConnectWise, MSPs should concentrate on building a strong relationship with customers, adding: “Those that take the time to understand the ins and outs of their customers’ business needs will be able to offer detailed expert advice on which security services best suit them.” If they put the effort into building a customer-centric approach, MSPs will be able to have conversations with their clients where they can talk through different options.
MSPs should also create detailed vulnerability reports to highlight the services or areas that are particular risks for customers, making it easy for SMEs to see where their priorities should be and why.
“This kind of report does take time and work to generate,” Lalle said, “but it should be seen as an investment, as it has huge value in getting SMEs to purchase the right services for them.”
Get the basics right
One thing MSPs and SME customers cannot complain about is a lack of choice. In the view of Greg Jones, Europe, Middle East and Africa (EMEA) business development director at Datto: “There are an amazing number of great technologies and services to help build security and cyber resiliency. MSPs and SMEs can purchase an endless number of products or services, including hardware, software or outsourced services. Much of the technology that was once only available for enterprise organisations is now accessible and affordable for SMEs.”
However, he warned that “rushing to buy such technology and services is not always the best approach’ when building cyber resiliency. MSPs and SMEs need to discover and identify gaps within their cyber resiliency plan and/or framework. They should start with people and move onto processes before looking into technology and services.
The range of choice may not be the panacea it appears, however, according to Quentyn Taylor, Canon EMEA product and information security and global incident response senior director. “When it comes to meeting the needs of specific SMEs, the extensive product range offered by many MSPs can work both ways,” he said. “To deliver the best security services to these businesses, providers must put customers before product and avoid over-complication by suggesting services that would be of limited use to the customer in question.”
MSPs should also make sure they don’t neglect proper aftercare. SMEs are some of the most dynamic and challenged companies and they need to be able to rely on their MSP to provide continued support and educate them on which relevant networking features and solutions will make their life easier.
Know your client
Griffiths at Cyber Security Associates said it’s important for the customer to know what they are getting from the MSP. What services and support are included in the contract, and what level of expertise does the MSP have when it comes to cyber and information security? Most MSPs will not have any cyber security professionals working in-house, he said, adding: “Instead, they will rely on IT personnel to manage and maintain their ‘cyber’ products.”
He doesn’t mean firewall management or account management here, but in-depth analysis of events and not relying on automation to create alerts to respond to. “Unfortunately, most MSPs don’t have the resources to offer this service properly – and this is where MSSPs (managed security service providers) come into play,” he said.
“Knowing your client and understanding their actual issues is key. This may sound crazy, but so many MSPs will sell their customers something they don’t really need. This, in turn, means the client isn’t getting value for money, or even the correct services,” Griffiths added.
MSPs need to work closely with customers to identify the issues and services that would suit them. “No two clients are the same, and there isn’t a one-size-fits-all solution. Each client faces different risks and operates in different market verticals, so the MSP needs to understand this and adjust its services accordingly,” he said.
Change the security approach
Sam Paris, vice-president of security and networking for Europe at Tech Data, pointed out that SMEs can be particularly vulnerable when it comes to cyber security. “They rarely have the size and scale to adequately shore up their security posture using in-house expertise. This is where MSPs have a huge opportunity to step in and offer different forms of cyber security as a service,” he said.
MSPs can “white label” cyber security services from preferred distributors to get them up and running with minimum investment. They can also offer help around training, certifications and financing. MSPs already providing services to SMEs can wrap security into them as an integral component with the help of distributors that provide security solutions.
“Ultimately, SMEs will rely more and more on MSPs and their expertise for successful cyber security protection. MSPs will in-turn look to leverage their distribution partners to lower barriers, costs and risks,” added Paris.
ConnectWise’s Lalle cautioned that MSPs need to be careful how they address the opportunity presented by the increase in investment in security by SMEs. “MSPs may expand too fast before they have their own house in order. MSPs that take on too much too fast may find their service standards start to slip – or worse, put themselves at risk of a security breach,” he said.
This is not an idle fear. The N-able report found that 90 percent of MSPs had suffered a successful cyber-attack of some sort in the past 18 months, and the same amount had seen an increase in the number of attacks they were preventing each month. On average, the number of attacks being prevented rose from six to 11.
Lisa Niekamp-Urwin, CEO at Tomorrow’s Technology Today, has the last word. “When I joined this MSP 20 years ago, I didn’t anticipate having a security engineer on staff full time,” he said. “Yet here we are – it’s a huge priority. In today’s climate, the industry needs to step up its game. MSPs need to do their research, understand and listen to what is happening to their community, interrogate their stack and make sure there are no holes. And follow the golden rule – multi-factor authenticates everything.”