The cybersecurity challenge for MSPs helping SMBs, Part 2

We take advanced level cybersecurity lessons with Lumu.
11 November 2022

Training to avoid phishing and ransomware is part of the MSP’s burden.

In Part 1 of this article, Ricardo Villadiego from Lumu Technologies took us through the five principles of what Managed Service Providers (MSPs) should be looking to offer to small-to-medium businesses (SMBs) in terms of cybersecurity, as the threat profile for smaller businesses rises due to the greater numbers of bad actors around, and the relative ease of attacking smaller businesses than massive multinationals – who have long been apprised of the cybersecurity threat, and often have the means to combat it more effectively than SMBs do.

Those five principles, in brief, were:

  • Network-level threat visibility
  • Scalability of cybersecurity tools
  • Response automation
  • Flexible pricing
  • And the human element

While we had him in the chair, we asked Ricardo to expand on these principles, to give us a deeper insight into the burden on MSPs – if not now, then soon – and to explain what failure to deliver these things would look like for a lot of MSPs.

THQ:

Why is network-level threat visibility so important in an MSP’s offering to SMBs?

RV:

The common denominator of every attack is that they have to use the network. Phishing is only effective if someone clicks a link. If someone clicks a link, those electrons are going through the network to the cable or to the spectrum. So all attacks have to use the network. That makes it a lot more efficient to monitor and identify threats at the network level. That’s why we’re very big believers in network visibility. You can rarely, or at least only with difficulty and cost, defend against something you can’t see. Getting full network-level threat visibility means you’ll see all the attacks that are trying to affect you and your company.

THQ:

So essentially, the network is the most effective and efficient level at which to tackle this whole thing – especially if you’re an SMB and don’t have unlimited detection budgets?

RV:

Absolutely, yes.

THQ:

In terms of scalability, you mentioned in Part 1 that you use a SaaS tool. Why? What’s the advantage for SMBs and the MSPs?

RV:

When you’re building a cybersecurity practice, you tend to look at how others have built their successful cybersecurity practices. But if you’re an MSP, you might have aspirations to deploy the same solutions that a large bank or a government organization has done, because it worked for them. But they did it that way because they have both the human resources and the cash resources to do it that way.

MSPs don’t have those resources, and SMBs certainly don’t. SaaS is quick to deploy – you can more or less say you want it today and get it deployed today. It’s also a lot cheaper, which makes it affordable for SMBs and MSPs. So we believe SaaS is the right way to go for organizations of that size – it delivers instant benefits and zero hassle.

THQ:

Almost reverse scalability? Don’t try and be Bank of America’s security solution, cut your suit according to your cloth, and don’t charge your SMB clients the earth for it?

RV:

Exactly – serve the needs of the customer in front of you, rather than the aspirations you have for future expansion. With us, if you open up an account, you start getting the benefit of that account today. I remember in the old days, if you wanted to have an email account with your own domain, they’d tell you that you could have it in three or four weeks. Nowadays, you get your email account in minutes. It’s the same principle with an SaaS. You can go the old-fashioned way and build bespoke security if you have the time, the money, and the staff resources. It’ll probably take you about 16 months. Or you can go with an SaaS and it’ll take you a lot less money, relatively no staff time, and about 10 minutes of form-filling.

THQ:

We would personally love to see the pitch meeting where someone in the 21st century said “You can do that – it’ll take you 16 months.” Who, in 2022, knows what will happen in the next 16 months?

RV:

Exactly. 16 months in a market where adversaries are cannibalized by the second. It doesn’t make any sense to not use an SaaS solution if you’re an MSP serving the SMB market.

THQ:

What about response automation? What does that deliver that makes it worth spending hard-earned cybersecurity dollars on?

RV:

Similarly to the SaaS example, if you’re a big company, you can have the staff and the financial resources to dedicate to monitoring and responding to suspicious circumstances personally. With SMBs – this is a question we often ask: “When was the last time that you changed your policies in your firewalls as a result of the attacks that you saw in your network?”

The answer is usually that they haven’t done that, because they may not have realized that they had to do it personally, or known that they could do it personally. It’s the human factor – SMBs certainly don’t have the time or the money to personally monitor the threats that are attacking them, and they often don’t have the know-how to update their protections in response to threats. So that’s the benefit of response automation – not only does it take care of the monitoring and response to threats for them, it allows us to empower them, to say “You can do this,” and build the understanding that there are things they can do for themselves.

That’s important. More often than not, SMBs believe that doing cybersecurity is very complex, and there are vendors who inspire “fools’ fears,” and make them think that they should never touch cybersecurity for themselves. The result of which is that they end up paying much more than they need to, in order that the vendors will take this “high level” concern off their shoulders. We empower both SMBs and MSPs with the confidence that they can do a good job of operating server security for themselves with the right tool.

THQ:

Why is the flexible pricing important enough to be one of your five cybersecurity headlines?

RV:

If you buy a cybersecurity tool and you get locked into a three-year contract, you’re essentially assuming that that technology is going to continue to evolve to help you tackle the problems that you’re going to face along a three-year period. That’s a hard assumption in a world that’s changing every day, so we recommend MSPs avoid that.

There are vendors out there that can serve their business model better, for instance by using monthly pricing. And the best vendors adapt to that model. The other thing to watch for is vendors that force MSPs to commit to a specific number of endpoints under management. And the ISPs don’t know if they’re going to have more endpoints tomorrow or less. So it’s important that the pricing is flexible enough so they can grow as they need, or scale down if they have issues and need to do so.

THQ:

So you advocate flexibility in both directions?

RV:

Absolutely – you should be free to scale up if your business is thriving, or down the next month if for instance you lose a large customer and don’t need the same level of service. Month-by-month pricing allows you to only pay for what you really need at any time.

THQ:

Let’s talk about the human element. You said it’s incumbent on MSPs to offer training to SMBs in essential cyberliteracy in the age of phishing and ransomware – don’t click this, check the context of that, etc. Is that not placing a heavy burden on MSPs when, after all, budgets everywhere are tightening?

RV:

The short answer is yes. It is. It is a heavy burden on the MSPs. But at the same time, it’s also a necessary reality. The reality is that 91% of the attacks that SMBs will encounter begin with a human interaction. 91% of phishing attacks start with a human clicking a link. So training them not to do that should ultimately pay off in a reduction in the threat level, no?

That’s a thing we’re good at – providing the irrefutable evidence of where attacks originated in terms of getting into the systems. That translates as irrefutable evidence that they haven’t trained their staff well enough in the avoidance of cyberattack. Every MSP, every company, is building their user awareness campaigns. But it’s all about simulation. No one is coming back with data to say “these are the attacks, the real life attacks that your employees clicked on, that they should have not.” We help to put that information front and center. And decision-makers are good at making data-driven decisions when they have that data. So it helps make the MSPs more effective and conveys the value of investing in user awareness to the SMBs.

THQ:

You’ve said that unless MSPs adopt something like the five principles of cybersecurity help for SMBs, that MSPs could see up to 50% of SMBs turning away from them. Is there data to support that?

RV:

That’s a market assumption, but there is data to back it up, yes. There is evidence of 60% of small businesses failing after a critical cyberincident. The SMBs are the lifeblood on which the MSPs that serve them depend. If SMBs go bust after cyberattacks, the whole system begins to wither. So it’s fundamentally in the interests of the MSPs serving SMBs to help them with their cybersecurity. And if MSPs take responsibility for cybersecurity, and attacks get through anyway and destroy the SMB, the MSP will be dragged into the economic consequences of that.

THQ:

So is it fair to say that the market – and the rising cyberattack tide aimed at SMBs – will more or less dictate that MSPs serving the SMB community will be delivering entirely different levels of service a year or two from now to what they’ve done previously?

RV:

Yes, it’s fair to say that. There’s an increasing conviction among MSPs that if they don’t deploy the right server security capabilities, they’re going to be dragged into the problem, whether it’s their decision or not, so we’re seeing more MSPs understanding that they need to make sure that their customers are secure. How do we get MSPs to deploy the right cybersecurity capabilities? What is the cybersecurity standard they have and how can they extract the maximum value from that cybersecurity stack by detecting tracks using the network and responding to those threats in an automated fashion? Those are the next questions to address, and the five principles we’ve talked through are an attempt at an answer that MSPs can deliver to their SMB customers.