Written by: MJ Shoer, LLC Founder and Principal Consultant
As MSPs, we understand the opportunity and responsibility we have in protecting our clients from cybercrime. However, many of my fellow MSPs struggle with how to take advantage of the opportunity cybersecurity presents without being purely opportunistic and selling our clients solutions they don’t truly need.
To further complicate matters, new threats and new technologies are constantly presenting themselves, so what worked yesterday might not work today. Plus, new and better solutions are frequently coming to market. Add that to the complexity of compliance and each client’s individual needs, budgets, and risk tolerance, and you’ve got quite a problem.
In an attempt to simplify, I wanted to define the minimum cybersecurity protections every MSP should be selling to their clients in their managed services offering. If you aren’t including these protections, I could easily argue that you’re being irresponsible to your clients and, therefore, should never allow a clients’ ignorance or cheapness to alter your recommendation. Here are the necessary protections:
End point protection like Cylance, Kaseya Antivirus, Sophos, or Webroot
Spam filtering, including sandboxing technology to trap malicious attachments and links, and spoofing protections like AppRiver, Mail Protector, Mimecast, and Sophos
A business-class firewall like Cisco, Sophos, or Watchguard that has rules for both inbound and outbound traffic
Ransomware proof backups like Acronis, Kaseya Unified Backup, StorageCraft, or Veeam
Two-factor authentication like AuthAnvil, Duo, OneLogin, or Yubikey’s to protect your business and your clients (just look at what recently happened to some fellow MSPs that were not using it)
I am committed to including this baseline of cybersecurity services because it will make selling more advanced services a lot simpler. By having this baseline for your clients, you will position yourself with authority on the topic and demonstrate your firm’s commitment to providing basic cybersecurity services to your clients. By including these services, you will be able to show your clients that they are safer by using their data. This will make the more complex discussions easier to engage in.
In a very short amount of time after installing these solutions, you should be able to produce some pretty compelling stats, especially related to email flow, about how real the threat to their infrastructure is. From here, engaging your client in a more focused discussion about IDS/IPS, web filtering, penetration and vulnerability testing, and more will be considerably easier and more productive, for both you and your client.
If your client is in a regulated industry, you must get them to invest in the technologies necessary to meet their compliance requirements. By including baseline cybersecurity services in your core managed services, you demonstrate your understanding of the importance of cybersecurity to their business. By having more advanced cybersecurity solutions geared to their compliance requirements, you create a level of trust and loyalty that will keep your client safe. Ultimately, this should lead to a long-term relationship that grows over time.
Finally, keep in mind that it may be best for you to partner with another firm that specializes in outsourced cybersecurity solutions for MSPs. Just as the landscape can be confusing and expensive for your client, it can be the same for you as an MSP. There is a healthy debate as to whether MSPs should become MSSPs, but that is a topic for another time. My point here is simply that if you do not have the cybersecurity experience and skills in-house, don’t be afraid to partner in order to provide the best service to your clients and ensure you get the sale instead of your competitor.