The cybersecurity challenge for MSPs helping SMBs, Part 1

Lumu Technologies teach us the Fivefold Way of SMB cybersecurity.
10 November 2022

Who protects the small and medium businesses? MSPs if they know what’s good for them.

With increasing numbers of bad actors looking for ‘market share’ of the business-hacking landscape, the cybersecurity threat is stretching far beyond the ‘big companies’ whose attacks make the news. Small-to-medium businesses (SMBs) are increasingly just as likely to be attacked by ransomware or phishing – but are significantly less able to absorb the losses that come with those attacks. Unable to deploy their own robust cybersecurity strategy within their smaller budgets, SMBs are increasingly turning to Managed Service Providers (MSPs) to help keep themselves safe from the growing cyberthreat.

But many MSPs are not yet equipped to provide the robust cybersecurity options that SMBs need, and a new report from cybersecurity experts Lumu Technologies predicts that unless MSPs can get their act together on delivering that cyberprotection, they could see up to 50% of SMBs turning away from them – with the MSPs potentially going out of business in the process.

We sat down with Ricardo Villadiego from Lumu to examine what MSPs needed to deliver for SMBs in this time of rising cybercrisis.

Survival of the Cybersentinels


So what is it that MSPs need to do to help SMBs survive, and so to survive themselves?

MSPs serve small businesses, and the small businesses typically have a cybersecurity stack that includes a firewall, an email security tool, and an endpoint security tool. And those three things work well together – until they don’t, and then something bad is happening. So we recommend five steps that we created for MSPs.

First, you need to ensure your SMB customers have server-level threat visibility, so that you can react effectively as and when threats are trying to get in.

Second, ensure the scalability of the tools that you deploy. We have a SaaS tool, because SaaS is very effective for MSPs. It means they don’t have to invest in hardware, everything is controlled on our back end, and they can get the most value out of the tool.

Third, we recommend response automation for SMBs. The point of that is that SMBs are what they are – relatively small. That means unlike larger companies, they don’t have the resources, either financial or in terms of staff, to monitor things constantly. Response automation means they don’t have to – it’s efficient, it’s effective, and doesn’t cost the world. Response automation allows SMBs to maximize the resources they do have, which means they can punch above their weight in terms of the cybersecurity they have if they use response automation. Instead of the team having to investigate every potential threat, the automated response can detect and respond to threats constantly and automatically. It’s just good SMB business sense. If you’re an MSP and you’re not offering response automation to your SMB customers – why not?

Getting flexible

Fourth, we recommend making sure you can get – and offer – flexible pricing.

The point of that is that there are lots of traditional vendors out there, trying to do things their traditional way. And that means usually roping MSPs into long-term contracts – 24 months, 36 months or more.

That’s making a very big assumption – that the conditions and cyberthreats 24 or 36 months from now will be the same as they are today. Everyone reading this will know that’s just not likely to be the case. Cyberthreats ebb and flow, old ones die off, new ones spring up. Ideally, you should be able to get scalable pricing month by month too – when you need more, if you have more assets to protect, scale up. If you have a bad couple of months, scale back down, so you get the right level of protection for the right price for you.

And then there’s the human element.

Enter, the human

The human element is an odd one, because it’s probably the point of most significant vulnerability in any system. It certainly introduces the most noise into the system. And yet you can’t just solve it with technology.

What we mean by the human element is training. There should be a responsibility on MSPs that offer cybersecurity solutions to SMBs to deliver the training those small businesses need to mitigate the human element.


You mean, to teach them not to open links in emails, check for the context of senders, not be pressurized into doing the wrong thing by the seemingly urgent tone of a request, and so on.


Exactly – there’s a lot of that kind of training out there, but it’s always surprising the way people in the situation rationalize the mistakes they make, so training remains important, so the human beings in the SMB become part of the defense, rather than part of the attack, as is still too often the case. SMBs still need to have the network-level visibility, so that when an employee does fall into the sort of social engineering trap that’s all too common these days, it can be picked up and dealt with quickly, but by delivering the training, MSPs can hopefully minimize the frequency of staff being caught unawares by phishing or scamming.


In Part 2 of this article, we’ll delve deeper into the five central headlines of what MSPs need to offer their SMB clients – and we’ll get to grips with the shocking statistic that 50% of SMBs look likely to abandon MSPs unless they actively offer these cybersecurity services.