How MSPs can communicate the ROI of cyber security to your clients

Toby Nangle, global partnership and channel lead at Field Effect

Many business owners still believe they’re too small to be on a cyber criminal’s radar. They may also think that investing in a proper defence is unnecessary, especially since they’ve already gone this long without experiencing a security incident. 

The truth is cyber security is often an unsung hero—when it’s working, you won’t notice it. The lack of measurable, tangible results makes it hard to prove cyber security’s true value. 

If you’re trying to prove cyber security’s return on investment (ROI) to your clients, there are a few areas to focus on:

  • The cost of a data breach, including indirect costs such as reputation damage.
  • The cost and difficulty of acquiring cyber security experts.
  • The savings from outsourcing security to a qualified provider—you.

Outsourcing cyber security to an experienced MSP eliminates the need to hire in-house experts, reduces the likelihood of experiencing a data breach, and ensures the company can respond and recover faster should an incident occur. By focusing on these elements, your clients will better understand the value of cyber security and the savings they’ll realize with a managed security service.

Keep reading to learn everything you need to know about the cost of breaches and expertise, and how to use that information to communicate the ROI of managed security to your clients.

Data breaches can result in catastrophic damages

Breaches are less a matter of “if” and more of “when,” even for the smallest of businesses. This is because every business, regardless of size, has something a threat actor wants—trade secrets, the personally identifiable information (PII) of customers and employees, financial records, supply chain data, and much more. 

The aftermath of a breach can be debilitating, too. In 2021, the global average cost of a data breach exceeded $4 million for the first time. This total includes direct costs (e.g., incident response) and indirect costs (e.g., reputation damage), and both can affect a company’s bottom line for a long time—especially for victim organizations that don’t take effective cyber security precautions.

Let’s dive deeper into the costs making up that $4 million figure. 

Incident response

Upon discovering an incident, the victim organization needs to respond immediately to reduce damage and begin recovery. These initial costs can skyrocket while the company:

  • Quarantines compromised hardware and software
  • Analyzes activity logs
  • Documents the findings
  • Fixes the vulnerability (or vulnerabilities) that caused the breach
  • Repairs or replaces infected systems
  • Notifies affected parties (depending on regulatory requirements)
  • Implements security improvements

Each step in the initial data breach response can take days, weeks, or even months. Depending on the severity and complexity of the breach, the company may even need to hire a dedicated incident response team, which carries its own costs.

Compromised data

Customer PII is the most expensive and commonly compromised data in a breach. Threat actors can use PII to take out loans, credit cards, or passports in the victim’s name. It can also be used to blackmail the victim for money or something else of value.

Beyond PII, threat actors may also steal intellectual property (IP). Up to 90% of a company’s value comes from its IP, which is why cyber crime groups are approached to steal and hand over IP. Lost patents, trademarks, copyrights, and trade secrets can easily threaten a company’s future.
Ransomware payments

Total ransomware payments are soaring. According to the United States Treasury Department, the first half of 2021 saw $590 million in ransomware-related payment activity. This figure eclipses the $416 million recorded for all of 2020.

Despite continuous pleas from governments and law enforcement agencies to not pay ransoms, more than 60% of organizations said they would consider paying ransom in the event of an attack. In many cases, paying the ransom is cheaper and quicker than investigating the incident, replacing infected hardware, and getting back to business. Plus, for organizations that don’t have proper recovery plans in place, paying ransom might be their only option. 

However, meeting a criminal’s demands doesn’t always work out. In 2021, Colonial Pipeline paid hackers nearly $4.5 million in cryptocurrency in exchange for a decryption tool that would restore its network. Unfortunately, the tool was reportedly “so slow” that the organization also began using its own data backups to restore operations.

Lost business and reputation damage

Lost business is the costliest part of a breach for many—making up nearly 40% of the average total. It’s more than just missed sales due to system downtime, though. Lost business could also include: 

  • Cancelled contracts with third parties or other business partners
  • Activities to minimize customer loss, like hosting an appreciation sale
  • Lost customers due to broken trust
  • Higher costs to acquire new customers, including new marketing campaigns

Public perception changes drastically after an incident. Even a single data breach can damage the victim organization’s reputation and negatively affect their ability to acquire and retain business. In fact, one study found that 62% of Americans would stop buying from a brand for several months following an attack. 

Legal and regulatory penalties

Legal costs vary depending on industry, location, incident details (including the size of the breach and what was compromised), and the company’s initial response.

The company may need to hire a legal team, PR firm, or crisis communications agency to speak to stakeholders, customers, and the general public. There’s also the possibility of individual or class action lawsuits.

As for regulatory non-compliance, strictly regulated industries like healthcare and finance inevitably pay more in penalties. Those in strictly regulated countries will also see more significant penalties. Take, for example, the General Data Protection Regulation (GDPR) in the European Union. Among various other requirements, the GDPR requires that organizations disclose any breaches involving personal data within 72 hours or risk non-compliance. 

Non-compliance penalties can vary greatly. Canadian organizations may be fined up to $100,000 under the Personal Information Protection and Electronic Documents Act (PIPEDA). Businesses that don’t meet GDPR requirements could face fines up to €10 million or as much as 2% of the annual worldwide turnover of the previous financial year.

Cyber security expertise is costly

When communicating ROI to customers, clarify that outsourcing managed security is significantly more cost-effective than hiring an internal cyber security team for an in-house defence that operates around the clock. 

In the past, securing a company meant investing in an antivirus license, putting up a firewall, and telling staff to use strong passwords. The IT team would handle any cyber security issues as part of their regular workday.

Today, cyber security requires far more specialized technology and training to defend modern businesses. Antivirus software is being augmented (or totally replaced) with advanced solutions that secure the whole IT infrastructure, including endpoints, cloud services, and networks.

It’s not just buying the technology and letting it run, either—someone must take the role of configuring, integrating, and operating every tool.

Though a lot of this expertise can be developed in a classroom, the rate at which attacks evolve and change means that a lot of learning still takes place on the job. This makes cyber security a highly demanding job requiring staff to be at the top of their game. In fact, one report found that 51% of cyber security professionals miss sleep due to job stress and challenges.

Managing all this, plus the complexity of today’s technology, puts expertise at a premium. Hiring an internal security team often requires a larger IT budget than many of your clients and prospects will have.

Even with financial capacity, however, the demand for cyber security talent is far greater than supply. ISC found that there is still a gap of almost three million positions and estimates that the cyber security workforce must grow 65% to “effectively defend organizations’ critical assets.”

Offloading cyber security to an MSP just makes sense

Comparing the costs of breaches and dedicated resources to the cost of your managed security offering is the best way to communicate ROI to clients and prospects. Your service solves their skills and budget gap and guarantees the peace of mind your clients deserve. 

The only question left is how to take your managed cyber security service to the next level so that you can give your clients the defence and support they want. Many MSPs are starting to set up their managed security service and, if you want to stand out among the competition, there are certain features and services you may want to deliver. 

Find out what those services are in this free whitepaper, How MSPs can take managed cyber security to the next level.