SMBs Want Better Security. MSPs Struggle to Provide It

A look at the role MSPs play in securing SMBs and where they could use help themselves, as they deal with many of the same security issues

In May, I wrote a post that focused on the SMB struggle to recognize and deploy good security, according to a survey from Continuum. The issue, Brian Downey, senior product manager for Security at Continuum, told me then, was that SMBs don’t have access to security expertise to provide the right levels of security protection.

Many SMBs rely on MSPs for the IT support and infrastructure, so it isn’t surprising they don’t have internal security expertise to turn to. You’d think that the security support would also be coming from MSPs, but that’s not the case. Why aren’t MSPs providing security expertise to SMBs?

The MSPs got their chance to answer that question through a companion survey released at Continuum’s recent Navigate 2019 conference. The skills gap plays a large role in the expertise limitation. But there is also a huge communications gap, as stated in the executive summary. “While both are aware of its need and importance, cybersecurity has introduced a new dynamic that blurs the line between expectations and responsibility. What’s more, most MSPs understand that if they can’t get cybersecurity right and properly protect their clients, they’re the ones that will be held accountable.”

Key Findings in the Study

It appears that MSPs aren’t getting cybersecurity right. The study found that 83% of MSPs admitted their clients suffered a cyberattack, and that 74% of the MSPs themselves were victims of a cyber incident. The reason behind the inability to provide good security is the same problem that most companies face: The skills gap impacts the security expertise an MSP has available, with 37% of respondents saying they can’t guarantee the right level of in-house expertise to address a cyberattack.

There are severe consequences on both sides for this inability to address cyberattacks on the MSP side. Too often, the SMB can’t survive a cyberattack. According to an AppRiver survey earlier this year, 7 in 10 SMBs in financial services and insurance industries said a cyberattack would put them out of business; nearly half of all businesses said the same. In fact, most think a cyberattack would be more likely to shut down operations than a fire or flood.

This impacts the MSP, which obviously loses a customer if that business closes its doors. If too many customers can’t defend themselves from hackers, the MSP may end up having to close its business, too. This is a serious problem, as MSPs more frequently are becoming the attack point for cybercriminals, who are using them as a way to get into end client systems. On top of that, 43% of MSPs believe they’d be held responsible if their client is the victim of a cyber incident, and 83% said those clients would take legal action.

The MSP Security Disconnect

SMBs have figured out that security is important, that cybercriminals will—and are—targeting them. That has created a higher level of interest in security right now, and they are willing to open up their budgets for it. They also want their MSP to handle their cybersecurity needs.

However, Downey said there are a lot of assumptions surrounding cybersecurity and not a lot of conversations. The end client thinks the MSP will take care of security as part of its services, Downey told me, but MSPs aren’t confident they can provide that security. SMBs aren’t communicating about the type of security they need and MSPs aren’t communicating about what they can—and cannot—offer.

I asked Downey how SMBs know how to determine the “right” security for their business. After all, there is no one true way, no one-size-fits-all system, and a bad security fit can lead to a data breach or other incident. That’s part of the problem, he said. When companies are outsourcing their IT and don’t have in-house expertise, they don’t know what the right security system should entail. The problem is, thanks to the skills shortage, MSPs also don’t have the in-house expertise to provide that type of advice. Without having a security expert available, there is no one who can provide answers about the right type of security.

Continuum is trying to help close that gap. The company offered its first certification class at this conference, giving employees at MSPs training in security. The next step is to begin the conversation of what the MSP can confidently offer to the SMB and come up with solutions on ensuring the SMB gets the security systems they need.

But that certification will also help in-house, Downey noted. “You can’t protect your client if you can’t protect yourself,” he said. MSPs need to step up their security game, both for themselves and their clients. Opening up honestly about how the MSP can be a risk can also open the door for great opportunity.

Sue Poremba


Sue Poremba is a freelance writer based in central Pennsylvania. She's been writing about cybersecurity and technology trends since 2008.
