SMBs prioritize cybersecurity but many MSPs still can’t deliver

While a new ConnectWise survey shows most SMBs now consider it so important that more than 9 in 10 would change their MSP for the right cybersecurity solution, most still don’t really understand what the right solution for them is, and MSPs aren’t doing enough to help them learn.

A new survey commissioned by ConnectWise has found that cybersecurity is a top priority for MSPs, to the point where 91% would consider changing their service provider for the right cybersecurity solution. Most MSPs are still doing little to leverage that, however. For example, only 13% of SMBs have regular cybersecurity-related conversations with their MSP.

This report, conducted by Vanson Bourne for ConnectWise, is the second such annual endeavour, and the themes remain consistent from last year.

“It shows that year over year, the trends are consistent and the opportunity for MSPs in cybersecurity is massive,” said Jay Ryerse, CISSP, vice president of cybersecurity initiatives for ConnectWise. “I don’t know that MSPs see it that way, however. They still struggle with common concerns and objections that clients raise.”

SMBs are now largely aware of cybersecurity issues on at least a general level, and want the right solution in place to protect them. The survey found that more than three-quarters of respondents feared they will be the target of an attack in the next six months. That led 91% of SMBs to say they would consider using or moving to a new IT service provider if it offered the “right” cybersecurity solution. They will also pay up to 30% more to get the right solution.

“86% of SMBs saw cybersecurity as one of their top five priorities and almost 40% said it was their top priority,” Ryerse stressed. “That’s a huge opportunity for MSPs to have the right conversation, and implement the right cybersecurity.”

The problem, Ryerse said, is that most SMBs’ knowledge of cybersecurity is still at that very general level, and they need proactive channel partners to walk them through the issues.

“In talking with the SMBs, it’s clear that they don’t necessarily know what the right cybersecurity solution is,” he stated. “71% of SMBs have only foundational cybersecurity like firewall, and advanced endpoint protection is used by around 50%. I don’t think most clients really grasp the difference between legacy and next generation endpoint protection.”

Over half [52%] of SMBs surveyed agree they lack the in-house skills necessary to properly deal with security issues, but only 49% said they found more cybersecurity expertise as an added benefit of working with an MSP.

“For the half that doesn’t see a benefit there from working with their MSP, that means that their IT person on staff hasn’t had that conversation yet with their MSP,” Ryerse said.

In addition to that alarming point that only 13% of SMBs have regular cybersecurity-related conversations with their MSP, 29% of SMBs talk to their MSP about cybersecurity only after they have suffered an incident. 38% only do have these conversations when triggered by a quarterly business review, but most SMB don’t have the resources to do these reviews.

“Many MSPs have been reluctant to have these conversations with clients, because they are concerned that the customer may say to them that they should be doing that already,” Ryerse indicated.

Not having these conversations means MSPs leave money on the table, Ryerse said.

“The size of average ransomware payments went up to $178,000 last quarter, which is significant, but MSP who don’t have these discussions aren’t talking to customers about that,” he noted.

“This is why we invest to heavily in building out IT Nation Secure and our  certifications to deliver cybersecurity solutions,” Ryerse continued. “We have now put 5000 people through our certified training this year. That enables them to talk about conversations with current clients, to talk about ransomware and FUD. By the end of the day, we get the MSPs to see the real conversation is about risk.”

Ryerse said that better education and higher skills gives MSPs the ability to be more effective handling the talent gap, and the process where skilled employees leave for more money at larger MSPs.

“The talent gap is a huge issue at several levels, because those sub-150 person businesses also can’t afford to bring in talent. That’s why our certified courses are designed to elevate teams to provide higher paid services which allows them to pay techs more and retain talent. If we don’t all work together on this, MSPs will fall behind.”

Other trends addressed by the report include COVID-19, which showed that 79% of respondents fear their remote devices and employees are more vulnerable to a breach.

“They are aware of the risk and are willing to pay to defend against it,” Ryerse said. “MSPs who can respond to that will drive new revenue.”

One positive change in the data compared to last year was SMB’s view on who gets sued in the event of a cyberattack.

“This year, 56% of SMBs hold both themselves and provider to account, while last year it was only 39%,” Ryerse noted. “That’s a positive trend.”

Overall though, the key message of the report to MSPs is that they need to pick up their game on cybersecurity.

“This sends a clear message to many MSPs that they must raise their understanding across the entire cybersecurity discipline – from technical and customer service capabilities to training, automation, and the ability to manage growth – including the ability to oversee a constantly expanding attack surface,” the report stated.

The study was carried out between June and July 2020. It gathered information from 700 IT and business decision makers in organizations with between 10 and 1,000 employees who are involved in cybersecurity in their organization. 100 of the respondents were from Canada, with the rest being from the U.S. (300), the U.K. (150), and Australia and New Zealand (150)