New ConnectWise survey shows continuing disconnect between MSPs and SMBs on cybersecurity

The third annual Vanson Bourne study prepared for ConnectWise finds that SMBs would pay a third more for an IT service provider who can offer the ‘right’ solution, but that many MSPs still find it hard to communicate what the SMB needs to hear.

Jay Ryerse, vice president of cybersecurity initiatives for ConnectWise

Today, as the virtual part of ConnectWise IT Nation Secure kicks off (the event is a hybrid one this year, and on-prem training at the event in Orlando took place yesterday), ConnectWise released the third annual survey prepared for them by Vanson Bourne. The report, Cybersecurity in an Era of Competing Priorities: The State of SMB Cybersecurity in 2021, found that SMBs believe they are challenged to find an MSP or TSP that can protect them from rising cybersecurity threats. Most would consider moving to a new IT service provider with the ‘right’ solution, and would pay on average 34% more for that service provider. For MSPs, that’s the good news. The bad news is that they still don’t do a good job communicating the business proposition that the SMB wants to hear.

The study found that cyberattacks against SMBs increased in number in 2020, and cost the SMB more money. 32% of SMBs suffered a cybersecurity attack in the past 12 months, up from 25% in last year’s survey. The financial costs of an attack averaged $104,296, almost double the $53,987 figure reported in 2019.

Given this, the study found that 92% of SMB organizations would consider using or moving to a new IT service provider if they offered the ‘right’ solution, and that they would pay on average 34% more for it. What complicates this is poor communication between SMBs and their MSPs about cybersecurity needs. Only 7% of organizations had cybersecurity-specific conversations as a matter of course – down from 13% in 2020.

“When we did the first report two years ago, we found this issue, and thought, well, it could be a one-timer,” said Jay Ryerse, CISSP, vice president of cybersecurity initiatives for ConnectWise. “We saw it last year, and thought it might be a trend. Three years makes it a strong trend line. SMBs don’t believe they are having a security conversation with their MSPs. MSPs believe they are having a conversation, but it’s likely the wrong one.”

The issue, Ryerse said, is that SMBs aren’t that interested in the newest technology, but in reducing their risk, and want the conversation to be about the business decision. “93% of the MSPs, according to this survey, aren’t having this cybersecurity conversation, but rather another one about FUD and ransomware email compromise. The business owner doesn’t connect the dots to helping them run their business, and how the MSP can make it easier to align to business needs.”

Ryerse noted that this isn’t the problem of 20 years ago, when many VARs were tech-focused and incapable of moving beyond feeds and speeds to discuss business value.

“MSPs today are capable of having a conversation around products and technology, but the inability to link to business objectives specifically is a common theme,” he said. “How many MSPs have a dedicated cybersecurity person assigned? It’s typically 10% or less. And from a sales perspective, the MSP’s concern is telling the client their current cybersecurity package doesn’t have the protection they need today.”

Organizations like ConnectWise play a key role in overcoming these issues, Ryerse said.

“MSPs lean on companies like us to help provide them with the knowledge, training and certifications,” he stated. “Through our acquisitions of security companies, we have taken leadership positions in the security to give MSPs the knowledge they need to have the right cyber conversations.

“We need to do things like help them build confidence in their presentations,” Ryerse stressed. “For example, in the assessment of risk, in the event of a cyber attack, and what do you bring back first, the MSP needs to emphasize the priority is finance – the accounting and business applications that generate revenue. All data is not created equal. Seven-year-old tax records aren’t nearly as important. They need to show the customer how they can protect the most important assets first. By going through this kind of exercise with the customer, the MSP can help get them to buy in that this is the right solution.”

The study also found that cybersecurity got less attention in an environment of competing priorities, specifically the focus on remote work. Protecting against cybersecurity attacks fell from being a top three priority in 49% of organizations in 2020, to 44% in 2021. 75% of SMBs agree their organization is less secure due to the added complexity of a remote workforce, and only 35% said their organization is very well protected against remote devices and employees being breached.

“38% still consider cybersecurity a top priority, but how much of the workforce is never returning to the office creates competing priorities,” Ryerse said.