Network Security
Vulnerability Management
Privileged Access Management
Endpoint Security
Threat Hunting
Unified Endpoint Management
Email & Collaboration Security
Contents:
Welcome back to the MSP Security Playbook, the podcast that helps MSPs cut through the noise, eliminate inefficiencies, and build stronger, more profitable security businesses. I’m your host, Jacob Hazelbaker, business development representative at Heimdal Security, an industry-leading unified and AI-powered cybersecurity solutions provider.
Today, I’m diving into a critical topic: the future of MSPs and what you need to do to stay ahead as the role of the MSP continues to evolve. Staying relevant means thinking beyond traditional IT support and moving toward automation, business consulting, and strategic advisory.
We’ve got a packed episode lined up for you, including our threat briefing, where Adam Pilton will share some of the latest news from the cybersecurity world today.
We also have our MSP playbook, where we’ll be joined by Mr. Nigel Moore, founder of the Tech Tribe. You may have heard of it if you’re an MSP, especially. Nigel’s helped thousands of MSPs around the world scale smarter, and he’s here to share what top-performing MSPs are doing differently and where the industry is heading.
Then we will jump into the play-by-play while I break down some of the key takeaways from the conversation with Mr. Nigel Moore and what it could mean for your business.
And finally, in the MSP Hot Seat, we’re answering a listener-submitted question about leaping from technical support to strategic consulting with insight from our Heimdal experts.
It’s a high-value episode, so grab your coffee and let’s get into it.
Threat briefing with Adam Pilton
Adam Pilton: Thank you, Jacob. And hello, guys. My name is Adam Pilton. I’m a cybersecurity advisor here at Heimdal, and here are the cyber threats MSPs should care about this week.
Attackers are targeting 13 commonly used routers, and many are still in production environments. A new FBI alert warns that 13 specific router models used in small offices, home offices, and hybrid work environments are under active exploitation.
These routers are being targeted using known unpatched vulnerabilities, and in many cases, the devices are end-of-life, meaning no security updates are coming. Once compromised, attackers can gain remote access, intercept traffic, install malware, and potentially pivot deeper into the networks, all without being noticed.
Now, this isn’t an overplayed risk. These routers are widely used and there’s a good chance at least one of your clients has them deployed right now, and we’ve seen this coming. Network devices, including routers, firewalls, VPN appliances remain prime targets. Vendors like Fortinet, Cisco, and Palo Alto experienced significant vulnerabilities exploited throughout 2024, and this trend is expected to continue.
In fact, at the start of this year, a botnet composed of approximately 13,000 hijacked MikroTik routers was uncovered, highlighting just how scalable and dangerous these comprises can be.
Why should 13,000 hijacked MikroTik routers matter to MSPs?
First, unmanaged infrastructure equals silent risk. Routers often fall outside your RMM and patching tools, which means they go unmonitored; with no logs, no alerts, and attackers know that.
Second, this is a big deal for compliance heavy verticals like finance and healthcare. A single weak link, like an old router, can expose sensitive data or create a breach scenario.
Third, and maybe most importantly, client trust is at stake. If a bad actor jumps from a compromised home router into a business network, it’s your stack that looks like it’s failed.
MSPs are trusted to protect the environment end-to-end. Even the pieces clients forget now. And finally, we mustn’t forget you. MSPs are a target too. MSPs manage access across clients, which makes your infrastructure incredibly attractive to threat actors. This isn’t just about clients, it’s about your own exposure.
So, here are three concrete things you should do right now
- Number one, audit all routers in use, especially at remote sites and home offices. Cross references with the FBI’s list. And if you find end-of-life devices, plan to replace, not patch. But please make sure routers are logged and tracked like every other asset.
- Two. Disable remote administration as per the FBI’s advice. If it’s not needed, disable it and remove this attack vector.
- And three, educate your clients. Explain why routers matter. Recommend secure supportive models and strong admin credentials. Reinforce the basics, including firmware, updates, password hygiene, and network segmentation.
And of course, if you’re a Heimdal customer already using the Threat Hunting Action Center, DNS Security solutions, or simply our Endpoint Detection and Response, you’ve already got layer protection in place against threats like this from DNS base, blocking to lateral movement detection and endpoint hardening. But all tools work best when paired with action.
Make sure you’ve addressed the steps we’ve discussed. Order your devices, check your logs, talk to your clients. And make sure your defenses are complete, not just assumed. And with that, that’s our threat brief done. Back to you Jacob!
Nigel Moore on the “Break-Fix to Business Advisor” MSP journey
Jacob Hazelbaker: Welcome Mr. Nigel Moore of The Tech Tribe. How are you today, sir?
Nigel Moore: I’m very well, thank you. How are you, Jacob?
J. H: Oh, I’m great. I got my third cup of coffee today. I can’t complain. Thank you so much for your time. It’s an honor to meet you. I’ve heard so much about your work through the Tech Tribe and I’m really excited to chat with you today.
And you’ve been doing this for a long, long time.
So, something I really wanted to ask you was – because you’ve seen it evolve over the years – how would you say that the MSP landscape as a whole has changed over the course of your professional life?
The MSP business is people helping other people with technology
N. M: It’s funny, it’s changed dramatically, but not at all, if that makes sense.
Like we’ve obviously gone through transitions of break/fix to managed services, and cloud, and AI pouring in. And all sorts of tool set maturities and tech stack maturities like you wouldn’t believe in cybersecurity. It just completely blown our entire industry apart. All those changes are massive when you look at it, but at the core, it just comes down to businesses of people helping other people with technology.
And that core thing just hasn’t changed that whole way. It’s just the tech around the outside that changes. The business, the delivery of it changes, but at the core of the whole thing, when you peel all the layers back, it’s just still people helping people. It’s people helping small businesses and just figuring out, taking all that technical weight off their shoulders so they can go and focus on being the best lawyers, accountants, doctors, architects, whatever it happens to be that they do.
So, the core of it is the same, but holy heck has it changed a heck of a lot over time – I’ve probably been in it for 20 something years now, 20 plus years now. And it certainly changed, that’s for sure. This industry changes like no other industry I’ve ever been involved with, none changes as fast as ours does.
And that’s a challenge in and unto itself. But it’s also the exciting part of it for all of us that have got this red shiny object syndrome where we love seeing all this new stuff and get excited about it.
The MSP industry is a great industry to be in for people like us that love that variety, that change, and the never-ending updates and new things to play with.
J. H: To be open with you, that’s exactly why I got into cybersecurity. Just because I knew I wanted a job where I could go into it not having a clue what I was going to face today, or even what I’d be doing tomorrow or next year. So, I love it.
N. M: I think you’re in the right industry.
The level one IT support is not where the value is in the MSP industry
J. H: And it’s interesting that you mentioned the break/fix part because one of the MSPs I chatted with a few weeks ago, he mentioned something that really stuck with me. He said he’s found this past year or two that a lot of his clients are needing more and more basic troubleshooting help and things like that. And the way he framed it was he thought “Well, maybe over these last many years, the younger generations that are coming into the workforce they are extremely good with technology. They grew up with technology that generally worked pretty well. Whereas some of the older, more seasoned people in the field, they dealt with dial-up internet networks that kind of worked but were not so great half the time.
So, I was also just curious what is your take on that, the troubleshooting break/fix part versus how that’s changed over time?
N. M: Generationally, you’ve got these people, like my kids -who are too young to be in the workforce yet – but there’s these young people joining the workforce that, as you say, have grown up with technology being a main part of their lives versus us. We grew up with no technology to start off with for many, many years. And we talk about technology getting simpler and more reliable over time. But the reality is I’ve still not seen that anywhere out there in the world. The reason being is that there’s so much technology out there that needs to be integrated and connected and updated and talking to each other and whatnot. The layers of complexity just keep stacking on and stacking on and stacking on. And so, there are issues that happen. Lots and lots and lots and there’s all these different types of issues. And even for these people that grew up in the native technology world, these issues still happen. Especially around technology stacks and cybersecurity stacks and connectivity, and all those sorts of things, and secure access, and all that sort of stuff.
Issues pop up all the time. And these native technology generations, whatever you call them, Gen Zs – or I don’t know what generations line up with what age groups – they still need the help of seasoned experts that understand that whole backend stuff in there.
And sure, it probably gets rid of the basics. Like if you look across the MSP landscape as a whole and you look at the number of printer issues that might be getting raised nowadays, or Outlook troubleshooting issues or whatever that are getting raised out nowadays, they’re probably lowering over time, as you’re getting these digital native people start coming into workforces. Because they can troubleshoot all that stuff on their own. Plus, obviously, with the rise of AI and LLMs, the people start asking the questions to the LLM versus asking the questions to their IT support to start off with. And that means getting rid of a bunch of that level one stuff in there.
But we’ve all known for the last decade that the level one IT support is not where the value is in our industry. It’s not where you make your money.
It’s one of those things that’s just got to be done because you’ve got to provide. If you’re providing IT support to someone, you’ve got to do the level one nasty stuff.
But if that could all disappear via people talking to AI and LLMs it would be for the better. That means you can take all those steps further up the value chain and start focusing more on the business side of things. Which is where the real value is, and the real money lies. And the real impact that you can have with your clients is there.
So, I think it’s a good thing. I think it’s just continually morphing and changing. And these digital people that grew up with digital technology all around them are scary sometimes.
I look at my kids and I’m like “holy moly, you guys, like at your age, I can’t imagine what sort of technology skills you are going to have at the age of 18 when you’ve reached there just because you are light years ahead of the way my brain thought.” And we are teaching our kids things like systems thinking and understanding coding, not because we want them to be coders, but just so that they can understand them. Like if they’re know statements and logic loops and all that sorts of things.
And when I was their age, I had no clue whatsoever about how any mental models worked or any of that sort of stuff worked. Our kids at eight, nine, and ten and eleven and whatnot have got pretty good grasps of it.
And I hope that all that comes out to play in awesome traits and awesome skills as they bring themselves out to the workforce and start figuring out how they’re going to contribute to society.
Defining the Nimble MSP
J. H: What would be a way for an MSP to reevaluate how they see themselves? As what they are now versus how they could be?
N. M: I’ll frame it in a way that probably relates to most of the MSPs that I work with that we call Nimble MSPs.
The Nimble MSP to me is the smaller MSPs. So, typically on the size of one to 20 staff. And we typically operate in that space. Most MSPs that come into The Tech Tribe are in that kind of space. They’re mostly founder led, and founder owner in there. Typically, most of those founder owners have built the business up based on referrals often to that point in time.
And they’re typically the CTO in the business. They’re guiding the tech stack. They’re also the sales and marketing person. They’re also the person doing the hiring and sometimes still the service delivery manager in there and whatnot.
And I think if I would be giving that advice of, hey neuroplasticity, like things are changing and morphing all the time, so what can you do in your MSP to kind of make it morph and change, what’s the biggest thing you’ve gotta work on yourself? Is that to get from that MSP where you are the only person on the leadership team, and you’ve got a team of doers underneath you, to that next phase where you’ve got a team of leaders in the business is that you gotta take that big shift, which is a monumental shift from being a founder-led person to being a true CEO of a business. Like the true leader of the business. Where you work on things like vision and mission and values and all those vague things that most people look at and go “ah, like we don’t need a vision, a mission and values and stuff for our MSP. We just need to fix computers and do cybersecurity.”
As you’re going through, as lots of MSPs get to that kind of ceiling that they’re bunting up against where they’re unable to grow their leadership team., and I’ve certainly had this myself a few times over the years as I’ve built businesses. Is that just realizing that you’ve gone through that’s got you from zero to one to where you are now. You, your whole world has changed and everything’s changed, and you, you’ve got a complete different set of beliefs to what you had. Then you’ve gotta do the same thing again.
You’ve gotta reinvent again. Just like Madonna, like the queen of reinvention in there. You’ve gotta reinvent yourself completely. Again, from being a scrappy startup founder that’s in the weeds, doing stuff all day, every day, and kind of in control of every single decision in your business to stepping up to be a CEO, that’s enabling a team of leadership people around you. People that you’re pushing decisions to, and pushing outcomes and trusting on them and providing them the vision, and the frameworks, and the boundaries, and everything to go and operate in. So that the business can go from that one to two phase or one to five phase or whatever you want it to be.
What got you where you are won’t get you to where you want to go next
And I think when you look at it from that space of neuroplasticity that everything can change and everything can morph. I think you gotta look at it from that perspective and realize that everything has to morph, everything has to change. If you wanna get through that next peak of your business or that next phase of your business, what got you to where you are, as the old saying, is not gonna get you to where you want to go in that next phase.
You’ve gotta blow the whole lot up and figure out, mash it all together and figure out who you’ve gotta be and who, what the business has gotta be for that next phase.
How can we better help our clients leverage AI to become faster, better, more innovative
J. H: That’s really fascinating. That’s something I actually never thought about. So, I’m really curious now if as MSPs change and technology changes how do you see AI and automation impacting MSPs especially?
N. M: No idea. I’m kidding. I’ve got some ideas, but holy crap that changes every single day. You can’t parallel it directly with the impact that cloud had in our business. But there’s a few common pieces that do parallel a little bit in there. Certain parts of an MSP’s job are now becoming easier.
As we talked about before, there’s layers to the service delivery, that an MSP delivers to their clients. There are layers from “Hey, I’ve gotta fix an Outlook issue” at layer one all the way up to high level business continuity consulting and business process improvement planning and VCIO and all that sort of stuff at the top tier.
And as industries commoditize and mature, like the MSP industry has been really rapidly over the last five to 10 years, you’ve gotta be cognizant and intentional about taking steps up that value ladder to focusing on the stuff that’s at the top, like the VCIOs and the business process consulting and the business continuity planning and all those sorts of high level things.
And to me, AI is just another step that’s in that rung, right? Or it’s just another area in those steps out there in all these small businesses out there. Like, especially the ones that aren’t digital natives. There are tens of millions of businesses that didn’t grow up with technology. They’re not comfortable with AI. Sure, they might be able to talk to an LLM to have some basic conversations, but they’re not comfortable engineering a process in their business that’s gonna be reliant on AI and that’s a massive opportunity for MSPs that understand this stuff conceptually.
They understand the security implications of it. They understand the business continuity implications of it. They understand the risk implications of it. And so, to me, it’s another one of those things that MSPs need to be shining massive spotlights on.
Coming in and figuring out how can we help our clients get better at AI just because it’s the same conversation we had before. How can we help our clients better leverage cloud? How can we help our clients better use and protect themselves with cybersecurity? How can we better help our clients leverage AI to become faster, better, more innovative, more profitable and all those sorts of things. To me, it’s just another leverage point that MSPs need to focus on.
Don’t try to boil the ocean by trying to learn every single LLM and AI tool out there
But holy crap, it’s changing so dramatically and so fast at the moment that it’s kind of hard to figure out “hey, which area should I focus on first?”
As an MSP, I’ve got all these different things that are coming to me. If I was an MSP in those shoes, what I would be doing is just looking across my client base and to figuring out and talking to my clients and figuring out what challenges they’ve got going on at the moment and what problems they’ve got going on at the moment that are bleeding neck painful.
Costly problems and figuring out and sitting down with me and my team and figuring out “Hey, how can we learn how to leverage AI to help these clients with these pain points and do that consulting in there and build projects in there and align with AI vendors so that we become preferred partners, so that we can go in?” Just like we aligned with the Microsoft Stack or the Google Stack or whatever.
Now let’s figure out what AI stacks we’re gonna align with in here so that we can start to spin up some services and spin up some consulting and spin up some stuff, to go and help our clients with that stuff as well. And not try to boil the ocean by trying to learn every single bloody LLM out there and every single AI tool out there.
Like going and just figuring out what. What pain points our clients, uh, are having at the moment around this sort of stuff, or what pain points in general they’re having and then figuring out what, what sort of stack out there and what sort of tools out there we can leverage to go and help them solve that.
And how do I price that in there? It’s gonna be one of the challenges at the moment.
Listen, but literally listen
J. H: What I find so fascinating in my discussion with you today is that so many of the skills and advice you have for MSPs seem not to only just be technical skills, but soft skills. You mentioned MSPs chatting with their clients to find their pain points, doing discovery calls with the client, seeing what it is they’re really concerned about.
It sounds like a lot of the skill sets are related to really good active listening skills, maybe some sales skills. So, on the point of soft skills for MSPs, what’s one bit of advice you have for them?
N. M: You just hit the nail on the head. Listen, but literally listen.
But to listen, you’ve gotta set yourself up to be in the spaces, to be able to have them talking to you. And I know a lot of, a lot of MSPs, me included for many years, used to run this process like the QBR process. The quarterly business review process, where we would get all of the technical crappy reports out of our ticketing systems and our antivirus tools and our backup tools, and we’d go to our client. We’d go “Hey, Mr. Drum’s client, look at all these.” Every quarter we’d sit, and we’d go “look at all these awesome, amazing backup reports and technical reports and patching reports .” Client’s eyes would glaze over, and they’d be bored out of their brains, and they would never book in their next quarterly business review.
That’s how I used to run them until I learned the right way to do it, which we now teach in The Tech Tribe. But that’s that space, that quarterly review. We don’t do them quarterly or we don’t suggest you do them quarterly. Now we suggest we call them technology business reviews, and we have a specific agenda that you go through in them.
And the cadence is based really on the client’s needs. Some clients would love to have some sort of business review with their MSP. I’ve even seen it every two weeks, but like every month there’s a kind of common one. Every two months is a common one. Every three months is a common one.
Sometimes you only need to have your sit down, catch up with some clients once a year in there. But that intentional technology business review space is a great space to sit down and not send them any reports about bloody backups and any virus patching and all that sort of crap. But to sit down and ask pain points and talk to ’em about their pain points.
Like what are the things that they’re challenging them at the moment, and then just sit there and open your two damn ears and listen. It’s as the old saying goes – you were given one mouth and two ears for a reason. Use the two ears and just sit there and listen and ask lots and lots of leading questions and lots of why’s.
Like when they come up with something and they say, “oh, we’re having a problem with this.” The next question should be why? Like, why are you having that problem? Ah, well because this over here is doing that, but why is that doing that? And the asking why a lot and being that kind of active listener is such an amazing way to number one, uncover problems and challenges, and number two – build incredible trust with your clients to the point where they will more than happily go and hand off entire due diligence processes to you because they know that you care. And they know that you’ve got that level of curiosity and inquisitiveness, if that’s even a word, to be able to dive into their pain points and their challenges so deep that you’d be able to solve them in there.
And so, that soft skill of just listening, setting up intentional spaces to be able to be with all of your clients as often as possible to listen is huge. It is massive.
Lock in time in your calendar to figure out how the next layer of success looks like for you
J. H: I love your perspective on there and especially when you mentioned being able to talk to their own pain points. That seems to make such a difference.
For the sake of an MSP’s profitability and success in the next five years, what kind of advice would you give them so that they’re on the right track to being profitable and successful in five years?
N. M: I would say that you’ve gotta be making sure that wherever you are in your journey, you’re setting aside some sort of intentional time, either on your own or with your team, or your leadership team to sit down, ideally, minimum on a quarterly basis, and do that reflection and looking forward process. So that you’re reflecting on what’s worked well in the last quarter or the last time period.
What hasn’t worked well, what lessons have you learned? And then setting your goals, and your targets, and your directions for the next three months and the next six months, and the next year and the next three years in there as well.
Lots of MSPs follow the entrepreneurial operating system model, the EOS model, from Gino Wickman’s Traction book, which is a great framework to follow.
Because success means many different things to so many different people. But if you don’t know what your version of success is and you haven’t outlined it down on some sort of paper or some sort of tangible thing, then you’re never gonna get there. Right? And you’re not gonna know if you did anyway.
So, to me, I’d be just recommending if you don’t have some sort of time outside the business, if you’re in the grind and all day, every day you’re turning up solving issues, you don’t have some sort of space or time to do it, step up. Get yourself up to that 20,000-foot view and just do it once every quarter.
That intentional time is just huge. If you don’t have it at the moment create it today. Figure out, lock in a time in your calendar today to go and spend a day away from the business or even a Saturday away from the business.
Just spend that time and reflection and future thought and figure out what that next layer of success looks like for you.
J. H: That’s a really great point. That’s way too easy to get into the grind of just, you know, doing a day-to-day task and keeping up with what you gotta do instead of focusing on where you want to be. I love that you hit on that.
Mr. Nigel Moore, it’s been a pleasure chatting with you. I really enjoyed you sharing your, not just practical advice, but your own operating system.
And I love that you’re passing that on to The Tech Tribe and also through the volunteer work you’re doing. Thank you, sir, it’s been a real pleasure chatting with you today.
N. M: Thank you for having me on and listening to my rants. I can rant on about these things forever and a day, as you can tell.
What does your MSP role and day to day look like?
That was a very fantastic conversation with Mr. Nigel Moore. I think the main thing that stuck with me from that conversation, was how he described the progression of MSPs. So, I was really curious, if you’re an MSP owner, what does your role look like? What does your day to day look like over time?
Would it be different from year to year? I would imagine it would be, as your MSP evolves and changes, especially as your business grows. And I thought this was absolutely fascinating because as you grow your MSP, as your business expands, you’ll find that your day-to-day tasks are very different. Your role as an owner as CEO, even of this MSP changes based on how mature at what stage your MSP is at right now.
That really stuck with me. I thought that was fascinating. Another piece I really love from my conversation was basically describing not only neuroplasticity, but how you see your own business. In effect, we kind of came up with a funny term, MSP plasticity. You wanna see you as not how you are today alone, but as how you could be in the future.
And so, he described his business the same way. Essentially, if you only see your MSP through the lens of as it is today, then that might be a little bit limiting on what your MSP could be tomorrow. So, it’s good to see your business as a set of general guidances, as general directions in which you’d like to go, instead of only focusing on the here and now.
I thought that was very interesting to always try to look into future.
Dive into the MSP hot seat. From break/fix to consulting work
And finally, now for the MSP hot seat, and this seat is hot. This question is one that I had to think about for a bit. It is from an MSP, and it says “We’ve been providing IT support for years, but we’re struggling to transition into consulting. Where do we start?”
I find this as a career path that a lot of MSPs find themselves on.
They start, as Mr. Nigel Moore and I were chatting about, from break/fix operations. A lot of MSPs, that’s where they start. Computer’s broken – you gotta fix it. That’s pretty much the business model early on, and especially in the early days of MSPs. But moving away from simply providing IT support, break/fix, to actually consulting work.
That’s a whole other game, and I find that really interesting because your mindset goes from “okay, gimme a problem that I need to solve to suddenly” to “okay, I’m gonna proactively, not just reactively, but proactively, help your business.”
A lot of times that comes down to helping businesses meet their compliances that they have to meet.
For example, let’s say you’re an MSP, you have a lot of clients in the healthcare sector, maybe some dentist offices. And you’ve gotta help them meet HIPAA compliance. That’s an interesting challenge because you’re no longer doing simple IT support. You’re no longer fixing computers.
Now you’re saying, “Hey, I’m proactively thinking about this thing that’s really, really struggling in your organization.” In this case, HIPAA compliance.
And just say, “okay, I can help you with A, B, and C. We can encrypt local hard drives, get some BitLocker keys set up, we can proactively think about email security.”
These are really good things, and that’s what we found is MSPs. As they evolved over time, especially as they evolved into a more mature business, that transition to a consulting kind of role is key. Because then not only are you fixing computers, not only are you providing general IT support, but you are an invaluable asset to your clients, beyond just fixing things.
So, I think that’s key for any MSP that wants to grow beyond.
Simply providing IT support and get into more of that consulting role, that guidance role for your customers.
That’s a wrap on this episode of MSP Security Playbook. Thanks for spending part of your day with us.
If you found today’s insights helpful, be sure to follow the show on your favorite podcast platform and leave us a review. It helps other MSPs find the playbook and level up their security game.
Got a question you want us to tackle in the MSP Hot Seat or a topic you’d like to hear more about? Drop us a line. We’d love to hear from you. Until next time, stay sharp, stay secure, and keep building the future of your MSP business.
