Why MSPs need to educate their customers about cybersecurity – NOW


Eric Rockwell, former MSP, founder of InovoIT and industry thought leader delivered a CompTIA webinar recently on the theme of ‘How to become MSP 2.0: The path to profitable managed security services’.

In a presentation that was chock-full of practical advice for MSPs embarking on this journey, one thing came through very clearly: the need to educate customers on the difference between the information technology (IT) services delivered by MSPs and the information security (IS) services provided by MSSPs. In particular, who is responsible for what, and where the buck stops in the event of an incident.

Why is this so important?

Today everyone is a potential target

The number of reported data breaches in the United States alone has risen exponentially from 157 million in 2005 to 1.579 billion in 2017 – and it is on track to reach 2.5 billion by the end of 2018.

Furthermore, some 58 percent of malware attack victims are categorised as small businesses – the typical MSP customer base. One of the reasons for this is that malware attacks are now automated and so target anyone who is exposed.


The upshot is that while security has always been a problem, modern cybersecurity cannot be done in the same way it was ten or even five years ago. Cybersecurity techniques have had to evolve to meet increasingly sophisticated threats. Traditional detection tools such as anti-virus and firewalls, typically part of the MSP armoury, are no longer enough.

A worrying misconception: our MSP is taking care of cybersecurity

Unfortunately, many SMBs assume that because their MSP is already responsible for IT services, this covers IS services too. If you don’t make it absolutely clear who is responsible for what, in the event of a security incident you, the MSP, may be held accountable.

This is why it is so important to educate your customers, because in doing so you are also protecting your own business.

In the recent email phishing attacks that focused on Microsoft Office 365, phishers found a way to bypass Microsoft security protections and harvest user credentials. As an MSP, if you are managing a customer’s Office server, they may believe that all aspects of Office 365 security are your responsibility too.

It is so important to make customers aware of the potential risks from cybercrime – and you can use this opportunity to lead into the discussion of who is responsible for what; to spell out the different responsibilities/roles of an MSP and an MSSP.

As it helps to know the baseline, start by asking your customers (and yourself, if you have not already been through this process) the following seven questions. The response to question number 4 – “Who is ultimately responsible for security?” – could be particularly illuminating (and worrying!).


MSPs and MSSPs look at things – differently

Eric highlighted a fundamental difference in approach between MSPs and MSSPs. Generally speaking, MSPs like to make everything available and highly functional – to turn on features and give users access to everything they may need. This is at the heart of the MSP offering.

The MSSP, on the other hand, identifies what is absolutely needed to get things done in the business – and turns everything else off.

In other words, it’s a difference in philosophy between one-off ‘blacklisting’ of what shouldn’t be there and ‘whitelisting’ what is needed to operate the business, backed by policies and procedures to ensure everyone is clear as to what they should and shouldn’t be doing.

He summarised the different responsibilities of the MSP and the MSSP using the following chart.

[Chart: information technology vs. information security responsibilities]

The challenge for you, the MSP, is to make your customers aware that security is a totally different ball-game now; to help them to identify where the risks are coming from, what should be in place – and crucially, where responsibility for each aspect of IS lies.

Eric has developed a framework to handle this process, known as ARM: Assess, Remediate, Manage.


He recommends starting with an IT security assessment (chargeable) to measure the level of effective IS policies and procedures in place – and to identify where policies are informal or non-existent. The assessment should also measure how tools are configured to enforce controls and how information is reported back to the business.

This provides valuable insights into customers’ risk exposure. The results can also be quantified to deliver a security maturity level (SML) score. Eric ran through the scoring system he has developed, based on the NIST Cyber Security Framework, to measure where the customer sits on a scale of 0 to 5, as shown below. It is a concept that can be easily understood by business executives.

[Figure: security maturity level (SML) score, scale of 0 to 5]

In summary

Irrespective of how far along the MSSP road you want to travel, the education of customers as to the difference between MSP and MSSP responsibilities is a worthwhile exercise in itself as it could save you considerable grief in the event of a security incident for which you could be held accountable.

The advantage of the paid assessment is that you gain insight into your customers’ risk exposure – and on the back of this, the opportunity to deliver valuable remediation services, take on a more strategic role – and derive additional MRR from the ongoing management of security services.

Listen to Eric’s webinar in full by going to CompTIA’s webinars on demand.

Contact us or chat now to find out how we can help you manage your current services while you focus on the route to becoming ‘MSP 2.0’.


