Running an MSP is an awesome job. You get to work with super smart people, solve intellectually stimulating problems, and make a measurable, positive difference to your customers’ businesses. But no one’s saying it’s all a bed of roses. There are challenges that any MSP can face.
A 2024 survey carried out by MSP Success magazine found that 36% of MSP owners feel highly stressed, while 48% are moderately stressed. And one of the top causes of this stress is cybersecurity (just under a third selected this as a leading worry).
So, what are the main challenges around cybersecurity for MSPs? And how should you respond to them?
Expert Insight
In a recent Heimdal® webinar, we sat down with Nick Cavalancia, a former MSP owner and 4-time Microsoft MVP who now runs Conversational Geek (which has tons of amazing free resources for IT professionals).
In the webinar, Nick provided some super helpful insights and practical advice to help MSP owners tackle common security-related challenges. You can watch the full hour-long webinar for all the details, but we’ve included many of Nick’s tips and suggestions below.
3 Top Cybersecurity Challenges for MSPs
If you work for or run an MSP, we don’t need to tell you how challenging cybersecurity is today. With endless new threats and exploits, it’s no surprise that this is one of the main things that keep MSP owners awake at night.
In the run-up to our webinar, we asked attendees from MSPs about their top cybersecurity challenges. We also drew on our own first-hand experience, background research on security forums, and reports by analysts like Gartner.
There are a lot of cybersecurity challenges facing MSPs. However, as we looked through a very long list of issues, we started to realize that they mainly fall into one of three categories:
- Customers: What customers expect from the relationship, how they behave, and their attitudes to security can cause real headaches for MSPs.
- Tools: Finding tools that allow you to manage your customers’ cybersecurity posture is challenging, as is learning and deploying them.
- Expertise: Getting access to cybersecurity expertise is challenging.
Let’s dig into these themes in more detail. We’ll also look at practical ideas from Nick that you can use to address them.
Customers: How Clients Pose a Security Challenge to MSPs
An MSP’s customers are, of course, essential for business (and keeping them happy is a vital MSP KPI). But there’s no doubt that they can also pose serious problems when it comes to cybersecurity.
During the webinar, we ran a snap poll of the top challenges posed by customers. Here’s what our MSP attendees told us:
How to deal with customers who are resistant to investing in security?
As the above chart shows, the vast majority of MSPs find that customers are unwilling to invest in proper cybersecurity. Are they naive? Are they happy to take risks? Do they just not care?
Not exactly.
While it can be frustrating when clients don’t seem to appreciate the importance of security, Nick points out that “we all have to acknowledge that selling cyber security services feels a little like a shakedown.” If you’re asking customers to pay, say, $200 per week, or else “something bad” might happen, it can feel like they’re being ripped off.
So, how can you convince them it’s worth the cost? Nick has some suggestions.
His first tactic is to show them the data about the risks of cyber breaches (our annual cybersecurity threat reports include a ton of credible statistics you can use). Nick acknowledges that this can sound like scare tactics – and it kind of is. But the aim is to educate businesses about the scale of the risk facing them.
If that doesn’t move them, then Nick also suggests asking “what would it look like if you were down for like three days…how long could you be without operations before you’re really financially hurting?” Nothing focuses minds like money. Reminding people of the cost of lost productivity from a few days of downtime due to ransomware can make the cost of preventative cybersecurity seem trivial.
If a client still isn’t convinced that they need protection, Nick advises indemnifying yourself. Create a contract that clearly shows that you recommended that they use cybersecurity services, but that they chose to decline them. This should keep you protected in case they do get breached and try to sue you (and it can happen, as this story of a California law firm suing its MSP shows).
What to do when MSP customers demand too many permissions?
Very often MSPs set up solid security for their customers. But soon enough they’re getting complaints back. A member of the C-suite wants special admin rights. Someone wants permission to add printers to the network. Other people are angry about MFA or 2FA.
“It’s important to note they’re not asking for permissions, they’re asking to be productive,” Nick reminds us.
When setting up security, MSPs need to find a balance between a completely open environment, where people can work fast but risk is high, and a very restricted environment that’s secure but where it’s hard to get stuff done.
So how do you deal with this challenge? Ultimately, this is more of a business-level discussion than a technical task.
It’s vital to talk to the business early, Nick says. During MSP customer onboarding, get a feel for how things work, what people need access to do, and what level of risk they’re comfortable with. It’s far better to talk to people before you roll out security measures, so they know what to expect, and understand why certain restrictions are being imposed.
There’s no doubt that you’ll still get some pushback after installing security measures like MFA or Zero Trust, Nick points out. But if you’ve already planned this with the business, it’s likely to go more smoothly.
Tools: choosing the right solutions for your needs
MSPs can’t offer security without access to proper tools. But as our webinar attendees pointed out in a snap poll, choosing MSP software isn’t easy.
How can MSPs deal with this tooling challenge?
There are countless cybersecurity point solutions on the market today that can help MSPs monitor and protect their customers’ environments and respond to threats. So how should you choose between them?
“Predictability breeds profitability is what I always say,” says Nick, “especially when it comes to an MSP business.” For Nick, the most important thing is to find a tool that gives you a central dashboard where you’ll get most of the information you need to manage your customers’ environments. By having a single place for most security management, you avoid the learning curve of having too many tools or switching between multiple environments.
No security tool can do everything, Nick points out, but so long as you can get a solution that offers, say, 80% of the functionality you need in one place, then other point solutions can be brought on board for specific tasks. Heimdal®’s platform approach to security is helpful here.
From one unified platform, you get the tools you need to monitor customer environments and receive alerts. You can also control and deploy network security, monitor endpoints, roll out patches, implement PAM, secure emails, perform threat hunting and much more.
Expertise: access to skills in a competitive market
Keeping up to date with cybersecurity threats and best practice is challenging for any MSP – the threat landscape is continually changing.
What is more, if you want to offer your customers a quality service, you ideally need dedicated staff. But this is hard – cybersecurity experts command big salaries, and attracting or retaining them can be tough.
How to deal with the security expertise shortage as an MSP?
“You don’t actually want the top talent,” argues Nick. Instead, “you want the top outcome.”
According to Nick, rather than putting all their energy into tracking the cyberthreat landscape and hiring expensive analysts themselves, MSPs should focus on outcomes. Sometimes that will mean hiring staff to do the job. But other times, it makes sense for MSPs to outsource cybersecurity too.
By analogy, your customers outsource IT management to an MSP, since they don’t have the resources in-house. By the same token, it makes perfect sense for MSPs to outsource cybersecurity when they aren’t able to do it themselves.
While Nick is very much vendor neutral, solutions like Heimdal® MXDR provide the kind of service he describes.
With Heimdal® MXDR, our in-house SOC monitors and manages our extended detection and response solution for you and your clients 24/7. If any issues occur, we alert your team and support them with remediation.
What Are Your MSP’s Cybersecurity Challenges?
We’ve really only scratched the surface of the security challenges facing MSPs in this blog. But as Nick’s tips and advice show, there are answers to many of these problems – sometimes you just have to be creative.
Is your MSP facing specific cybersecurity challenges? We’d love to help. Contact us today for a no-pressure discussion about any issues you’re facing with MSP security.
Frequently Asked Questions
What are the most common cybersecurity challenges MSPs face?
Based on our research and conversations with industry partners, the three most common security challenges facing MSPs center around customer issues, cybersecurity tools and finding suitable expertise.
Can MSPs offer cybersecurity services?
Yes, many MSPs offer a variety of cybersecurity services. However, not all of them do – some restrict their offer to things like network management, helpdesk, software installation, hardware installation, storage and so on.
How can my MSP begin offering cybersecurity services?
If you are interested in offering cybersecurity services, that’s great news. The first place to start is to assess demand and need in your market. It’s also valuable to decide on the cybersecurity frameworks and tools that you will use. You will need security expertise too – you can either hire analysts, or potentially outsource this to an expert partner.