Cybrain - stock.adobe.com
Small and medium-sized enterprises (SMEs) have become increasingly vulnerable to cyber attacks. To try to improve their protection, a large number have engaged managed service providers (MSPs) to help with their security – but many appear to be unhappy with the service they receive.
That view is reinforced by the the latest State of SMB cybersecurity report from ConnectWise, which found that 94% of SMEs would “consider using or moving to a new MSP if it offered the ‘right’ cyber security solution”. As many as 42% already planned to ditch their current MSP in the near future and a similar number would pay a premium of up to 39% to a new MSP that is able to provide the right cyber security solution.
This suggests there is very little room for complacency from MSPs and that they need to do a lot more to provide the right cyber security solutions to existing SME customers. But what can they do to improve their services and what do SME customers need from MSPs? Most important of all, do MSPs have the capability to provide the “right” cyber security service for SMEs – and can they do it at a price SMEs can afford?
Richard Staynings, chief security strategist at Cyler, sums up the state of play for most SMEs, pointing to their “lack of knowledge, visibility and understanding of the cyber threats facing them”.
He adds: “If the SME has no CISO [chief information security officer], there will likely be no one educating the CEO, board or company owners of the threats and dangers. As a result, security is not seen as important and therefore security budgets will be undersized for defence and the magnitude of the risks to the continuance of the business chronically underestimated.”
As a consequence, SMEs lack the people, processes and technologies to defend against cyber adversaries. While that sounds like a cue for MSPs, many SMEs complain that they “can’t justify the expense”. Staynings says this is down to a failure to understand the costs of cyber security expertise. But it is also because managed security service providers (MSSPs) and MSPs “tend to oversize their services, expecting the worst, and thereby aren’t able to price their services attractively enough for some SMEs to secure new business”.
Jamie Akhtar, CEO and co-founder of CyberSmart, makes a similar point, saying: “Many products offered by MSPs, from standard antivirus tools to complex, mid-market and enterprise solutions, are overkill for SMEs, both in need and cost. MSPs need to provide solutions tailored to SMEs, providing only what they need at a price they can afford.”
Akhtar says they should focus on people, processes and technology, adding: “Bringing in a set of sophisticated tools but failing to educate employees or clearly establish best practices can leave huge gaps in an organisation’s security.”
Terry Greer-King, vice-president for Europe, the Middle East and Africa (EMEA) and Asia-Pacific and Japan (APJ) at SonicWall, says the biggest thing MSPs can do for SME customers is to simplify their security offering.
“Most people in security see the complexity of it, but an SME needs to be protected from the complexity,” he says. The main point is to ensure the SME is protected “at all levels”, says Greer-King, but MSPs “can typically get too into the weeds, particularly towards the trend of increasingly complex breaches and growing expertise from bad actors”.
Terry Greer-King, SonicWall
He believes the best thing MSPs can do for SMEs “is basically, no news – no news insinuates that there has been no breach”.
Greer-King says: “When there is a breach, actionable intelligence is the most important thing SME customers need. There needs to be a clear, step-by-step actionable guide for SMEs that ensures they can implement solutions quickly and effectively, thus educating them in the process.”
Daniel Hurel, EMEA vice-president for cyber security and next-gen solutions at Westcon, says the expanding cyber attack surface means SMEs “are firmly in the crosshairs of cyber criminals – and have never been more vulnerable”. Their willingness to increase investment in cyber security is “a big opportunity for MSPs, but to fully maximise on it, they need to rethink how they serve this customer segment”, he says.
SMEs are looking for flexible, scalable solutions that can be deployed quickly and bundled with value-added support, says Hurel. The ability to turn capabilities on and off, expand or reduce the number of covered devices, and options to upgrade to more sophisticated forms of protection without going through an arduous integration process are all attractive options for them. “MSPs that can meet these needs are already at an advantage,” he points out.
By partnering with distributors, MSPs can build on their capabilities and tailor solutions, says Hurel. “A shared approach makes the most sense, operationally and financially, for MSPs and their customers. MSPs can benefit from offerings like flexible subscriptions, consumption billing and aggregated licence discounts while simultaneously saving SMEs from the need to make large upfront investments,” he says.
A flexible payment solution gives customers choices without the worry of running into cashflow problems in the future, he adds.
But Hurel stresses that managing this shift in operating model to offer customers value-added services is “no overnight job”. He says: “It is a complicated process that involves rethinking business structures, from financing to billing policies. When done right, MSPs can reaffirm their value in the industry and generate long-term customer loyalty by deepening their relationship with SMEs”.
Philip Sansom, director business development and alliances at Barracuda MSP, describes MSPs as “one of the pillars of protection for SMEs and they need to ensure they are implementing basic cyber hygiene for them”. He adds: “MSPs need to be well-informed and well-prepared in order to stay on top of the new cyber security requirements and be able to make customers feel confident that they have the right skillset and processes in place.”
Sansom says MSPs need to scrutinise the vendors they are working with and make sure they “understand them completely”, adding: “When an MSP understands the solutions it uses, it can sell them more effectively.” This also helps to develop and strengthen the trust that an SME feels for the MSP, he says. “Trust will forever be the largest part of success.”
Strengthening the relationship between MSP and SME is paramount, says Sansom. “We know the channel is no longer safe from the potential threat of a cyber attack and is now dealing with global criminal operations that are driving ransomware and similar types of attacks to all sizes of businesses, at differing scales,” he adds. “MSPs need to take responsibility for making sure SMEs are in the best position to protect themselves and their customers.”
Steven Wood, EMEA and Asia-Pacific (APAC) director at OpenText Security Solutions, notes that SMEs “are more frequent targets for cyber criminals and account for most criminal activities”. MSPs themselves are clear targets, he says, because if they are breached, it provides hackers with “a great way to infiltrate many SME businesses with malware and other nefarious tactics, techniques and procedures quickly and all at once”. Wood warns that “breaching an MSP provides a formidable beachhead to breaching the SMEs themselves”.
SMEs expect MSPs to continuously evolve to help them overcome data protection and security issues caused by “the endless creativity of cyber criminals”, says Wood, adding that although there is “no silver bullet”, cyber security is “a shared responsibility, so it is imperative MSPs are transparent and clear in communicating with clients about the services that can be provided for their business and where exposures may arise as threats evolve”.
Steven Wood, OpenText Security Solutions
In that context, it is important to look at some of the basics that need to be addressed to make a business more secure. Naveen Kaushik, cyber sales director at Content+Cloud, says SMEs need to “ensure employees are aware of the part they play in protecting the organisation from cyber threats”. Training programmes and phishing assessments are key in today’s climate, he says, with phishing attacks increasing by 200-300% after Russia’s invasion of Ukraine.
“Ensuring employees are aware of cyber risks is a key step in reducing cyber security incidents, so this should be an integral part of any cyber security offering from MSPs,” says Kaushik.
Caleb Mills, chief technology officer (CTO) at Doherty Associates, believes it is important not to over-emphasise the cyber security dangers. “SMEs need less ‘fear and doubt’ driven by cyber security horror stories. They need good advice about where they are exposed and a measured conversation about their risk appetite. They need to know about the risks they don’t know they’re taking,” he says.
“Often, cyber security is only one aspect of technological change needed and should be taken in the wider context of improving IT operating models and support hybrid working, digitisation and compliance as well.”
Mark Oakton, security director and consulting CISO at Infosec Partners, observes that SMEs are increasingly considered “soft” targets by hackers, so they are right to “redouble their focus on finding the best partners to help them build an effective security framework”. This probably means more than just deploying firewalls and the latest antivirus software “believing that is enough to keep out the bad guys, which, as non-security specialists, is what most MSPs can offer”, he says.
Oakton adds that poorly configured and maintained systems, digital transformation and increased numbers of employees working from home “are all leading to the creation of new vulnerabilities that SMEs have to think about before choosing a new supplier”.
As others have noted, SMEs do not have the resources to employ their own in-house team of security experts, but Oakton makes the point that neither do most MSPs, because they “do not have the essential specialist expertise and skills to be able to provide the right level of ongoing support to the IT team post-deployment”. He adds: “This is why, I suspect, that many SMEs are not satisfied with their current partnership arrangements.”
Able to recommend the right solution
This is where MSSPs come in because they are, by definition, security specialists and able to recommend the right solution to fit the SME’s operational requirements within budgetary constraints.
“With the focus on detection, prevention and response to a successful attack, MSSPs are better placed than a generalist MSP to deliver what an SME needs to keep one step ahead of the hackers at the right price point,” says Oakton.
He is not the only one to make that argument. Rick Jones, CEO and co-founder of DigitalXRAID, agrees that the reason SMEs are often unsatisfied with the cyber security services of MSPs is because they are choosing MSPs rather than MSSPs to protect IT infrastructure.
“In short, traditional MSPs are not geared up to provide the highly specialist services an MSSP can provide,” he says. “MSPs are trying to take a slice of a very specialist market, and they often can’t fulfil it.”
James Griffiths, founder and technical director at Cyber Security Associates, agrees that many MSPs don’t have the skills or resources to provide a true cyber security service for SMEs. For example, clients will expect 24/7/365 monitoring, but most MSPs are not set up to operate at that level of requirement.
“We have seen a large number of MSPs realise they can’t do this on their own, so they have started to partner with specialist MSSPs to deliver the service and show clients that they have a trusted partner that can deliver the specialist cyber services they may require,” says Griffiths. “Normally, the MSP will be a reseller of the MSSP services and make a margin on that without having to have the large overheads. This allows the MSP to stay competitive for SMEs as well as not dilute its existing IT support services.”
Naveen Kaushik, Content+Cloud
But Oakton raises an interesting point about “a potential conflict of interest” in the operations of a combined MSP/MSSP, with the MSP component focused on keeping things running and ensuring traffic can pass quickly, while the MSSP is focused on protection and the restriction of traffic flows.
“Many enterprises have chosen to use a security-specific MSSP and to separate the responsibility for general IT and cyber security activities,” he says. “It may be that, over time, the SME market will follow suit.”
So can MSPs provide the “right” cyber security service for SMEs? SonicWall’s Greer-King thinks so. “Yes, for sure,” he says. “This comes back round to managing complexity, but this time it is behind the scenes in the back office, working to present that in a unified and easy-to-understand solution. That is what it comes down to. The capabilities are there and not having the technology isn’t the problem.”
Greer-King says there has to be a “move away from continuously implementing more technology to no end”. He adds: “We have to get to the root of the issue of people lacking knowledge. In this climate, guaranteeing security 100% can no longer exist, but MSPs can protect them from the complexity.”
Content+Cloud’s Kaushik agrees that MSPs have the capability to provide the right cyber security services for SMEs, “but the technology, price point and service need to be, and remain, applicable to the SME”, he says. “There are a lot of services applicable to enterprises and mid-market organisations that SMEs simply do not need.”
From a vendor perspective, it would be beneficial to have more SME-specific product sets, says Kaushik. “If there are products that offer enterprise-level security in a way that SMEs can consume, at a price point suitable to their sector, available to MSPs, then SMEs can have cyber security services that really work for them.”