
SonicWall published its 2026 Cyber Protect Report in March with a deliberate reframe: rather than threat intelligence for its own sake, the report is built around actionable content for solution providers. The centrepiece is the seven deadly sins of SMB cybersecurity – seven predictable, preventable failure patterns drawn from real breach data.
The headline numbers are sobering: 88 percent of SMB breaches involve ransomware, more than double the enterprise rate, average dwell time sits at 181 days, and 85 percent of actionable alerts trace back to identity and credential compromise.
Michael Crean, senior vice president and general manager of managed security services at SonicWall, came to the company through the acquisition of Solutions Granted, the MSSP he built – one of the early pioneers of SOC-as-a-service for the MSP market. He’s direct about what the data means for partners: the seven sins aren’t just an SMB customer problem. They’re an MSP problem too.
His core argument is that mastering fundamentals – MFA, patching, privilege management – is non-negotiable, and owning the right tools doesn’t change that. You can have the same toolbox as your mechanic; that doesn’t make you a mechanic. On the MSP-to-MSSP question, his answer channels Yoda: do or do not, there is no try.
A month after the report’s release, Crean says partners have already been using the sins framework directly in customer conversations – which he describes as the whole point.
One postscript: his personal favourite of the seven sins is number five, cost-driven security decisions. His test – ask a room of MSPs how many bought the cheapest car on the lot. Nobody raises their hand. But too many of their customers are doing exactly that with cybersecurity.
Robert Dutt: Hello and welcome to In The Channel from ChannelBuzz.ca, bringing news and information to the Canadian IT channel community for the last sixteen years. I’m Robert Dutt, editor of ChannelBuzz.ca and your host for the show.
SonicWall has published annual threat research for years, but this year they did something different. They stopped calling it a threat report. The 2026 Cyber Protect Report reframes the conversation away from data for its own sake towards something MSPs can actually use – a set of tools and talking points for strategic conversations with customers. The hook they chose? The seven deadly sins of SMB cybersecurity. Seven predictable, preventable failures that show up in breach after breach.
My guest is Michael Crean, senior vice president and general manager of managed security services at SonicWall. Michael came to SonicWall through the acquisition of Solutions Granted, the MSSP he built and one of the early pioneers of SOC-as-a-service for the MSP market. Before that, nine years in the military. So when he talks about what MSPs are getting wrong on security, he’s speaking from a fairly unusual vantage point – inside the SOC, inside the vendor, inside the partner community itself.
The report had been out about a month when we sat down and I was curious what the actual conversation had looked like since launch. We got into that, the sins themselves, the 181-day dwell time that should make many MSPs uncomfortable, and what it really means to be or partner with a true MSSP.
Let’s get right into it. My chat with Michael Crean.
Michael, thanks for taking the time. I appreciate it.
Michael Crean: Absolutely, sir.
Robert Dutt: You called this report the Cyber Protect Report, not the threat report that you guys have been publishing for years. That seems like a deliberate choice. What are you trying to signal with that shift and who are you really talking to with this report?
Michael Crean: I think every other threat report just looks the same. It’s got some different colors, it’s got some different logos, but everybody talks about the same exact thing and it felt boring. It felt like, “Why do we have to fit into the same role as everyone else? Why can’t we do something different that’s purposeful and should be meaningful to people?” It actually gives them something to talk about – not just with themselves internally, but also to their customers. That was the reason we went down this path and decided to call it the Protect Report.
Robert Dutt: I’m guessing that also sets up why you went with the framing of those seven deadly sins – the seven predictable, preventable failures. I thought that was a really neat hook for it. When you look at that list, which one do you think most MSPs would be surprised to see themselves in? Not so much their customers, but themselves as MSPs?
Michael Crean: Number one – ignoring the fundamentals. I mean, it’s incredible the amount of times – because of the work that we do at the SonicWall Security Operations Centers and the amount of compromises that we’re brought in to participate in, investigate, help people with – that you just find it’s this overwhelming amount of: you had the right tools, you had the right tech, and you didn’t know what to do with it. Or you did and you just didn’t take the time to really learn how to ride the bike well. We had a compromise today where a customer of ours got hit with Akira, a ransomware, and we thought we probably knew that the penetration point was the firewall, but we had to do some more investigation. And when we did the investigation, the amount of misconfiguration was staggering. You pay for all these security services, and they weren’t even enabled – IPS, IDS disabled – and they paid for them. So it’s just unfortunate. These are just, again, what we call ignoring the fundamentals.
Robert Dutt: Do you have any thoughts on what’s driving that? Is it a matter of, this is up and running, moving on to the next shiny thing, moving on to the next opportunity? What’s behind that?
Michael Crean: I think some of it is that MSPs have found themselves in this place of challenge where they have so much responsibility and customers are looking at them. And I heard this a long time ago when I was a child – the smart person is the person that says what they don’t know. I think a lot of people are fearful to show that side of, “I don’t know something.” But saying “I don’t know” doesn’t mean you don’t know and you’ll never know. It just means, “Hey, I don’t know that, but I’m going to go here and ask this person, or I’m going to go to this vendor and get more information, or I’m going to do some more research and come back to you with a really solid answer.” Instead, there’s this constant – I hate to use the word – but it feels like there’s this constant necessity of yes that we have to keep giving our customers. I prefer somebody to tell me, “Nope, I don’t know how to do that, but I’m going to give you a great contact so that you can get it done right.”
So I think that’s part of it. And then we, as manufacturers, we keep telling people all along the way, “Hey, buy my stuff, it fixes your problems. Just buy my stuff.” Well, I can go buy the same box of tools that my mechanic has, but that doesn’t mean I’m a mechanic and it obviously does not mean that my car is going to get fixed just because I’ve got the tools.
Robert Dutt: Can attest to that. Fortunately, not with great experience, but there’s a reason I do take my car to someone else to get looked at.
Michael Crean: Oh my goodness, you and me both. I want it done right. And as hard as I tend to drive my cars – because I have a thing for speed and adrenaline – I would actually like them to be as proper as they can be.
Robert Dutt: Well, especially given that it’s important, when you’re testing the limits shall we say, that the thing stays together while you’re doing so.
Michael Crean: Absolutely.
Robert Dutt: And back to that point, I think there’s also the factor of when you are presenting yourself – and most MSPs do – as the trusted advisor, the expert on this, who’s going to take care of all this, that creates an even greater disincentive to admitting, “You know what? I need to check on that. Let me find out more,” rather than saying, “Yeah, I got this.”
Michael Crean: I think it’s human nature, just in general. Because the moment you admit you don’t know something or you’re not certain, at that very moment in time, we just assume that to be a point of weakness. I believe through the military – I served for nine years – and being a CEO and founder for 22 years, what I really realized, and even when it came to my kids, sometimes when you just don’t know, it’s okay to say you don’t know, but I’m going to find out, or I’m going to figure it out, or we’re going to do it together and we’re both going to be better for it than we were when we started with the question.
Robert Dutt: Funny, that came up early in my journalism career too. My editor at the time would say, “Your job is not to know. Your job is to find the person who does.” Along the same lines, a little bit of a different lens. You said something that I quoted in the news piece we did on the release of the report: that the danger isn’t that AI isn’t working – it’s that we’re using it as an excuse not to do the things we already know we should. That’s a remarkably direct thing for a security vendor to say, and it touches on that eating-your-vegetables kind of advice. What are you seeing that made you include that line?
Michael Crean: It’s not what I’m seeing today. It’s what I’ve seen for the last 20 years in this industry. I mean, we went from deep packet inspection firewalls to next-generation firewalls. We got all of these extra added capabilities in the firewall, but then we got lazy on doing proper firewalling – controlling ports both inbound and outbound the way we used to do it – because we felt that we were overcompensating because we had so much power and capabilities. Then we went from signature-based AV to next-gen AV where we had these mathematical algorithms doing predictive analysis to understand whether a file is good or bad. Then we got EDR technologies helping us with the behaviour behind it. We just keep adding and adding and adding.
I see AI as nothing more than just another tool. But how good can a tool be when you’re not performing the fundamentals? It helps, but it just can’t – I don’t know if you’re a sports guy or not, but think about it. When you look at the best of the best, whoever that may be – I’m a hockey guy – I’ll call Alex Ovechkin today. The best of the best, the all-time goal scorer. He beat Wayne Gretzky, he took that last year. That man works hard and he works on the fundamentals. I love what AI can do for us – to help get rid of some of the tasks that we don’t want to do, that we hate to do, that we can use for automation and make things faster, help us find bugs in our code, and in a security operations center, get through just mounds of data quicker. But you still have to do the fundamentals and you have to do the right things. Because when you do the right things and then you add something like AI to it, the world becomes a much different place.
Robert Dutt: 88% of the SMB breaches you’re reporting on involved ransomware. That’s more than double the enterprise rate, if I’m remembering correctly. That’s a striking gap. What’s causing that? Do you see it as primarily resources, primarily end-user training, or something structural about how SMBs get attacked that’s different from enterprise?
Michael Crean: I think it’s a little bit of everything that you mentioned, but mostly what it is, is this perception of, “I’m too little. I don’t have anything valuable. Why would somebody want to attack me?” When these large threat actors are going after huge enterprises – Colonial Pipeline, JBS, some massive organization – those organizations have better tools, better resources, better people, and they probably have more maturity to respond when they start to notice an attack taking place.
When you think nobody’s ever going to break into your house, you may not lock your doors. You may not care about having the 70-pound German shepherd on watch when you’re not there. Because, I don’t have anything in my house of perceived value. But when you take that shotgun approach and you can knock down a hundred SMBs and get $10,000 out of each one, that’s a hell of a payday. It’s logical what we’re seeing right now. What it requires is that we all understand we have responsibility for the data that’s been entrusted to us – whether it’s customer data or supply chain data you’re responsible for because you’re supporting another vendor. The data we have is far more valuable than we give it credit for.
Robert Dutt: And I guess there might also be an element of the ability to fly under the radar – the opposite of security through obscurity – in that you make that hit on Colonial Pipeline and it’s front-page news everywhere. You hit a bunch of small businesses for ten grand each, it gets a lot less attention from media.
Michael Crean: I mean – I’m sure you’ve heard this, you’ve been doing this long enough – the idea around news and media: if it bleeds, it leads. And it’s not really sexy when you talk about a two-chair dental practice that gets hit with ransomware. And the two-chair dental practice doesn’t really want to talk about it either, because they’re a small community-based organization and it’s really damaging to how people potentially look at them. Whereas a Target, a Home Depot, a Lowe’s, whoever gets hit with ransomware – they’ve got the marketing machine, the attorneys, the dollars, the insurance. And at the end of the day, they’ll be as profitable, if not more profitable, a few quarters later.
Robert Dutt: The report surfaces the number of 181 days of dwell time. For an MSP who’s running monthly security reports, quarterly reviews, thinks they have things in order – that number has to sting. What does it require of an MSP’s operating model to address that?
Michael Crean: One, making sure that the investments you’ve made and the technologies you’ve decided to procure – the tools you’re going to use – make sure you’re well-trained on them and well-versed on the best practices so that you can get optimal outcomes. Patch management, man – I can’t tell you the amount of times we’ve seen… you talk about this 181 days, it comes down so many times to pure patch management. And the vast majority of manufacturers give you the patches for free. But we don’t think about it, we get distracted, we don’t see it as valuable as it really is. And it’s the really simple things. Again, it’s that number one – ignoring the fundamentals. Patching has been a fundamental thing we’ve talked about for so long.
And I also think that for an MSP that just magically adds the additional S and starts calling themselves an MSSP – don’t dabble in security. Either do or do not. Do not try. We’re going to throw a little Yoda in here for the day. And if you’re not going to be a real MSSP, partner with one. There are so many great organizations out there – I’ll say we’re a great organization to partner with, that’s how we go to market – but there are lots of others out there who are purpose-built for this. It’s like being the best doctor in the world but you’re not a surgeon. So you refer somebody to a surgeon to get that surgery done.
Robert Dutt: Your own background includes Solutions Granted – building out one of the first SOC-as-a-service models for MSPs before SonicWall acquired you. I’m curious, when you look back at your time on the other side, when you were the MSP – are there any of those sins you look at and go, “Hmm, that sounds awfully familiar”?
Michael Crean: Oh, absolutely. I will say I went through that transition – 22 years of being a VAR, to being a government contractor, to being an MSP – realizing I was a really crappy MSP. Not going to lie. My bedside manner wasn’t great. I wasn’t passionate about what I was doing. And I think that’s something that gets lost sometimes. I was super passionate about security – getting out of the military, transitioning away from that, getting into IT and the tech space. And when I found my way into this SOC-as-a-service MSP space, it’s where I found my passion and love again. And I think that means a lot. Don’t do it for the sake of doing it. I think we all have to keep the lights on and put food on the table and clothe our kids and find a way to retirement one day, but find some happiness in that too and be really passionate about what you’re doing. And you’ll probably find a lot of these seven deadly sins aren’t as deadly for you.
Robert Dutt: That’s one way of mitigating it, that’s for sure. The report is framed around protection outcomes and it’s explicitly aimed at giving MSPs the language to have strategic conversations with SMB decision-makers. But there’s a responsibility question underneath that. If the MSP is the last line of defense for most SMBs – and I think we’ve talked about this a little bit already – what does good actually look like? What’s the bar you have to reach before you either back off from security and/or partner with someone else who’s much more committed?
Michael Crean: I think, one, it’s a team effort. It isn’t just the MSP’s responsibility. The business owners, the decision-makers, the board, whoever you’re dealing with that’s making these decisions – they have to buy in. And if they don’t, well, then you’re at a disconnect. You’re bringing in a subject matter expert – the MSP – to help make them more secure, for survivability, for all the things they’re asking for to make sure they can operate at the highest levels possible, and then you don’t allow them to do their job. That’s a huge risk.
What I will say – and this is a hard lesson to learn, but one of the most valuable lessons to learn – is when you fire your first customer. Not get fired, but you actually fire your first customer because it wasn’t the right fit and the financial impact was going to hurt. It didn’t feel good. Nobody ever really wants to get fired or be fired. But when you do that, you start to mature. And inevitably, you also help that customer mature – because if they hear the same message from multiple people: “We’ve got to do patch management. Don’t tell me we can’t. We’re going to use MFA. We’re going to have a SOC monitoring this 24 hours a day, seven days a week, 365 days a year. We’re going to take away administrative privileges. We’re going to do the fundamentals. We’re going to make investments in tools and put the right people, process, and technology in place.” The outcomes really start to matter.
But it is a team sport. I can’t tell you – and I’m sure you’ve heard this – MSPs talking about, “I can’t get my customer to use MFA, so I got them to sign this indemnification clause.” How many MSPs are getting sued, and these indemnification clauses aren’t holding up? Because you’re the expert. If you believe it’s 100% the right thing to do, then if they don’t follow – you fire them.
Robert Dutt: It’s funny how often it comes down to that. I’ve heard that same sentiment from MSPs in the move towards, “This is what you have to take. It is not negotiable. It is the cost, as it were, of doing business with us.” I think that’s sage advice.
Michael Crean: We accept it from our surgeons, right? If I’ve got a bum knee and I need it fixed and I’m a little overweight and he knows I’m drinking a little too much bourbon or eating a little too much red meat and he wants me to lose ten pounds so that he can be successful – if I’m not doing my part, well, why does he want to do surgery on me?
Robert Dutt: Point taken. The report’s been out for a few weeks now. Curious – what’s the question you’re getting most from partners that you didn’t expect as they sit with this? What’s hit differently than you thought it might?
Michael Crean: I thought we were going to get more pushback on why we called it a Protect Report instead of a Threat Report. That really isn’t the question we’ve been getting. What’s been surprising to me is the commentary. The unsolicited emails, the LinkedIn requests, the comments – people have really enjoyed receiving a report that just wasn’t like everything else. There’s been a lot of commentary along the lines of, “I’m going to have this discussion and use these analogies and use these seven deadly sins to have conversations with my customers.” That’s what we were hoping for, but you never know when you go against the grain how well it’s going to hit. I think we got lucky.
Robert Dutt: It sounds very much like mission accomplished. I know it’s something that caught my attention and that I’ve heard out there as well. I look forward to seeing what comes next as you continue to reinvent what these kinds of reports do and what they look like. Michael, I thank you for taking the time to talk through this and to offer some advice.
Michael Crean: I appreciate your time as well, sir. Thanks a lot.
Robert Dutt: There you have it – Michael Crean from SonicWall.
I’d like to thank Michael for his time, and for a conversation that felt a little different from the usual vendor security briefing. His background – building Solutions Granted from scratch, running a real MSSP, operating inside a SOC, and now sitting on the vendor side – gives him a perspective that’s harder to find than you’d think among people who are now in vendor roles.
A few things will stay with me. The mechanic analogy – you can own the same box of tools, but that doesn’t make you a mechanic, and it doesn’t mean your car is going to get fixed. The surgeon line – if the patient won’t follow the pre-op advice, why are you doing the surgery? His answer on when an MSP reaches maturity – it’s the moment you fire your first customer who won’t implement MFA or basic patch management, even when it hurts. And the Ovechkin riff – even the greatest goal scorer in NHL history never stopped working on the fundamentals.
Now, after we stopped recording, Michael mentioned something he wished he’d worked into the interview, and I promised I’d pass it along. Of the seven deadly sins in the report, I asked which one is most personally interesting to him and he landed on sin number five – cost-driven security decisions. He illustrated it this way: he’d been speaking at a conference recently and asked how many in the room had bought a car in the last eighteen months. A lot of hands. Then he asked how many of them had bought the cheapest car on the lot. Not one hand went down. Because we think about safety ratings, about the features, about whether the thing will hold together when we need it to. But when it comes to cybersecurity, too many businesses just reach for the cheapest option. As Michael said himself, it’s a little strange to have a personal favourite deadly sin. But there you have it.
The 2026 Cyber Protect Report is well worth a look for any MSP or solution provider thinking about how to have a more strategic security conversation with their customers. Links in the show notes.
If you found this useful, follow or subscribe to In The Channel from ChannelBuzz.ca wherever you get your podcasts – you’ll find us on Apple Podcasts, Spotify, YouTube, and all the major directories. Ratings and reviews are always appreciated and genuinely help other people in the channel find the show.
Until next time, I’m Robert Dutt for ChannelBuzz.ca, and I’ll see you in the channel.
