Increased risks mean SMEs must spend on security

Facing growing threats and becoming even more frequent targets for criminals, the channel’s key customer base needs to improve its level of protection if it is to thrive

This article can also be found in the Premium Editorial Download: MicroScope: Charging at SME security challenges

If there was a market where 70% of the companies expected to increase their budget spend by an average of 7%, it’s fair to say a lot of suppliers would be very interested in that market – especially if those companies were planning to spend that extra budget on a particular technology or service.

That’s exactly what the recent State of the market report from N-able found, revealing that 70% of SMEs are planning to increase their security budget with an average rise of 7%, which “represents a solid opportunity for MSPs [managed service providers]”. It argues that the conversation is no longer about whether security is important, but where the money should be spent and how to make the most of it.

It’s easy to see why small and medium-sized enterprises (SMEs) are planning to spend more on security when you consider the results of the annual Business challenges survey of more than 1,000 SME owners by card payments specialist Takepayments. It found that 27% identified cyber security as the biggest threat to their business in 2022. The corresponding figure for 2021 was only 8%.

But while there’s no doubting the potential opportunity for MSPs, there are questions over how they (and vendors) can deliver the security that best suits SMEs’ purposes and gives them the most for their money.

Daniel Marsh, Zyxel business development manager, says that the optimum approach would be to “offer each SME customer the security solution that best reduces the cost of ownership, while protecting them from the greatest range of threats online”.

“These solutions should enable SMEs to maintain access to centralised management and ‘always on’ monitoring, which enables vital rapid responses,” he says.

How easy is that? James Griffiths, co-founder of Cyber Security Associates, says customers are taking a closer look at the services being provided by MSPs as they seek to get the most value out of them. 

“This then puts more pressure on the MSPs to make sure their clients are getting the best use of their licensing,” he says, pointing out that some customers are “paying for a service, but aren’t really sure what they’re getting or what service levels are included”. 

By way of example, he says the company has talked to many clients who thought they had patch management included as part of their service: “Yet when the contract was looked into, they found it was an on-demand service, meaning the client wouldn’t be patched unless they requested it. Clearly, this poses a big security risk to the client.”

Bruce Hockin, channel director at Picus Security, believes MSPs need to focus on helping customers to better identify where they are weak. “Selling products and services without first helping clients to better understand the risks they face and maximise the value of existing security investments benefits nobody,” he says. 

He adds that MSPs will need to demonstrate the need for spending in the right areas and to show the value of the solutions they deliver if they want to be “successful at gaining customer trust and loyalty in the long term”.

According to Gregg Lalle, senior vice-president of international sales and strategy at ConnectWise, MSPs should concentrate on building a strong relationship with customers, adding: “Those that take the time to understand the ins and outs of their customers’ business needs will be able to offer detailed expert advice on which security services best suit them.” If they put the effort into building a customer-centric approach, MSPs will be able to have conversations with their clients where they can talk through different options. 

MSPs should also create detailed vulnerability reports to highlight the services or areas that are particular risks for customers, making it easy for SMEs to see where their priorities should be and why.

“This kind of report does take time and work to generate,” Lalle says, “but it should be seen as an investment, as it has huge value in getting SMEs to purchase the right services for them.”

Get the basics right

One thing MSPs and SME customers cannot complain about is a lack of choice. In the view of Greg Jones, Europe, Middle East and Africa (EMEA) business development director at Datto: “There are an amazing number of great technologies and services to help build security and cyber resiliency. MSPs and SMEs can purchase an endless number of products or services, including hardware, software or outsourced services. Much of the technology that was once only available for enterprise organisations is now accessible and affordable for SMEs.”

However, he warns that “rushing to buy such technology and services is not always the best approach” when building cyber resiliency. MSPs and SMEs need to discover and identify gaps within their cyber resiliency plan and/or framework. They should start with people and move on to processes before looking into technology and services.

The range of choice may not be the panacea it appears, however, according to Quentyn Taylor, Canon EMEA product and information security and global incident response senior director.

“When it comes to meeting the needs of specific SMEs, the extensive product range offered by many MSPs can work both ways,” he says. “To deliver the best security services to these businesses, providers must put customers before product and avoid over-complication by suggesting services that would be of limited use to the customer in question.

“They should seek to establish an open and honest partnership, showing they understand their prospect’s business by assessing its risks and proposing a bespoke security solution,” he adds.

“Promising the latest and greatest in security means nothing if solutions are unaligned with the business’ real-world threat. SMEs need cost-effective and streamlined services from an MSP able to consistently meet and manage threats. Going back to basics is often best.”

This is a point that is wholeheartedly endorsed by Lee Wrall, director at MSP Everything Tech, who says the key element is “to get the basics right”. He speaks of taking on a customer recently that had machines that were more than nine years old.

“Machines without anti-virus software, no IT policies, no strategy around technology. They had a really bad security vulnerability with no two-factor authentication, which is the absolute minimum of security these days,” he says. “At the moment, the problem is there are a lot of poor MSPs that are just not getting the basics right – in fact, they’re way off doing that.”

Wrall argues that training is an issue that is often overlooked. “There’s not enough emphasis on training at all in our industry,” he says, questioning whether anyone joining an SME is offered formal training on the systems they will be using.

“People join a business, are given a laptop and their email address, and off they go,” he adds. “That’s alright in some industries. But in others, businesses expect new starters to know Teams, VPNs [virtual private networks] and so on, but there’s no formal training offered. There needs to be a plan so when people join a business, they get regular training on software. It needs to be much better in the SME world.”

What about the potential shortfalls between what’s needed and what’s available or affordable for SMEs? Zyxel’s Marsh suggests that the biggest threat to an SME’s security can often come from misunderstandings about how important their network security actually is, adding that the blame lies with those MSPs or vendors that “won’t support the SMEs beyond the point of sale”.

SMEs aren’t keen to allocate budget to resources they aren’t paying attention to, which is a problem because a successful security solution requires little attention as it ensures business as usual. 

“Busy customers can become naive to the online threats their business is regularly managing and the costly disruption they’ve evaded,” Marsh says, adding that MSPs and vendors should automate regular security reports on a weekly or monthly basis to provide visibility around the type of attacks managed, when they took place, and the device or server they attempted to access. This will help customers to appreciate the value of network security to their business.

MSPs should also make sure they don’t neglect proper aftercare. “SMEs are some of the most dynamic and challenged companies and they need to be able to rely on their MSP to provide continued support and educate them on which relevant networking features and solutions will make their life easier,” Marsh says.

It’s not about scheduling monthly phone calls to try to sell the latest product release. It’s about understanding the business needs of each customer, whether it’s growing and needs to scale up, managing a transition to hybrid shared offices or part of a sector (such as education), or reshaping its IT strategy.

Know your client

Griffiths at Cyber Security Associates says it’s important for the customer to know what they are getting from the MSP. What services and support are included in the contract, and what level of expertise does the MSP have when it comes to cyber and information security? Most MSPs will not have any cyber security professionals working in-house, he says, adding: “Instead, they will rely on IT personnel to manage and maintain their ‘cyber’ products.”

He doesn’t mean firewall management or account management here, but in-depth analysis of events and not relying on automation to create alerts to respond to. “Unfortunately, most MSPs don’t have the resources to offer this service properly – and this is where MSSPs [managed security service providers] come into play,” he says.

“Knowing your client and understanding their actual issues is key. This may sound crazy, but so many MSPs will sell their customers something they don’t really need. This, in turn, means the client isn’t getting value for money, or even the correct services,” he adds.

MSPs need to work closely with customers to identify the issues and services that would suit them. “No two clients are the same, and there isn’t a one-size-fits-all solution. Each client faces different risks and operates in different market verticals, so the MSP needs to understand this and adjust its services accordingly,” says Griffiths. 

In a more far-reaching intervention, Ashlyn McLean, vice-president of global partner experience for eSentire, says: “The traditional security vendor channel strategy does not work for MSPs. For example, we have seen that traditional tiering is less useful for partners and MSPs than it used to be.

“Instead, we map our partner engagement and productivity over time as this helps us understand the overall experience customers get when they work with our partners and how well that work fulfils their needs. We can then work with our partners to target customers in the way that best suits them and the MSP.”

McLean claims this approach highlights the different ways customers want to consume cyber security services, helping partners to deliver against those requests. “This drives more participation with partners, more success with customers and ultimately more revenue. This approach helps our MSPs better target SME customers in the right way,” she adds.

Providing a distributor perspective, Nick Bannister, vice-president sales for Arrow’s enterprise computing solutions business in the UK and Ireland, says: “More often than not, in-house security skillsets are limited and core security vendors have complex MSP channel programmes with inflexible pricing, making it difficult for MSPs to find a route to market.”

This is where distributors such as Arrow can help to address these issues with their own teams and programmes to offer support to MSPs. The Arrow MSP team can help with consultancy, pre-sales, lead generation, training and finance, underpinned by technical know-how, “ultimately helping MSPs to go to market faster in a more sustainable way”, says Bannister.

Change the security approach

Sam Paris, vice-president of security and networking for Europe at Tech Data, points out that SMEs can be particularly vulnerable when it comes to cyber security. “They rarely have the size and scale to adequately shore up their security posture using in-house expertise. This is where MSPs have a huge opportunity to step in and offer different forms of cyber security as a service,” he says.

MSPs can “white label” cyber security services from preferred distributors to get them up and running with minimum investment. They can also offer help around training, certifications and financing. MSPs already providing services to SMEs can wrap security into them as an integral component with the help of distributors that provide security solutions.

“Ultimately, SMEs will rely more and more on MSPs and their expertise for successful cyber security protection. MSPs will in turn look to leverage their distribution partners to lower barriers, costs and risks,” adds Paris.

ConnectWise’s Lalle cautions that MSPs need to be careful how they address the opportunity presented by the increase in investment in security by SMEs. “MSPs may expand too fast before they have their own house in order. MSPs that take on too much too fast may find their service standards start to slip – or worse, put themselves at risk of a security breach,” he says. 

This is not an idle fear. The N-able report found that 90% of MSPs had suffered a successful cyber attack of some sort in the past 18 months, and the same proportion had seen an increase in the number of attacks they were preventing each month. On average, the number of attacks being prevented rose from six to 11.

Vendors can help by providing the products and know-how to ensure their security is top notch, says Lalle. They can also help MSPs get all the tech certifications they may need and ensure that they are meeting all compliance regulations as they expand their offerings.

There is something much more fundamental at play for Jason Kent, director at Open Seas. “This is all about education,” he argues. “Vendors, MSPs and MSSPs frequently come across as scary with their messaging to SMEs, playing on fears.”

He suggests a complete volte-face by the cyber security industry towards “becoming a source of calm moderated knowledge so that SME decision-makers can make informed decisions, with confidence, about their cyber security investment choices”.

Lisa Niekamp-Urwin, CEO at Tomorrow’s Technology Today, has the last word. “When I joined this MSP 20 years ago, I didn’t anticipate having a security engineer on staff full time,” she says. “Yet, here we are – it’s a huge priority. In today’s climate, the industry needs to step up its game. MSPs need to do their research, understand and listen to what is happening to their community, interrogate their stack and make sure there are no holes. And follow the golden rule – multi-factor authenticate everything.”
