As businesses of all sizes face a growing number of cyber threats, customers have come to expect that their managed services provider (MSP) will provide at least some level of IT security. After all, with stories like WannaCry, NotPetya attacks and the Equifax breach dominating today’s headlines, businesses are realizing that they need help to avoid becoming the next victim.
Despite this clear need for enhanced security, many MSPs still only offer basic security services, such as spam filtering and antivirus. To combat today’s sophisticated threats, MSPs need to add more robust security solutions to their technology stack. A well-rounded cybersecurity offering will help you better protect your clients, strengthen your relationships with them, and ultimately grow your business. Here are some steps you can take to strengthen your technology stack with security.
Did you know that only 15 percent of MSPs currently offer security services, but 62 percent are planning to add security services or expand their security offering in the next 12 months? There are plenty of opportunities that cybersecurity-as-a-service can provide, so now is the time for you to strengthen your offering and stay ahead of the competition. Let’s take a look at what you should include in your security offering as well as how you can sell it to clients.
What to Include in Your Cybersecurity Offering
Once you decide to add IT security to your managed services offering, you have to make some choices about what solutions you want to include and how to incorporate them with your other MSP offerings.
The most common security services currently offered are:
- Firewall and perimeter security
- Security help desk
- Data loss prevention
- Backup services
- Endpoint security and antivirus
These are all less sophisticated solutions with lower barriers to entry, which makes them a good place to start if you don’t currently offer any security services to your clients.
If you already offer basic security services, you’ll want to look into adding more comprehensive technologies, such as unified threat management, security policy management, incident response and remediation, security information and event management (SIEM), and cloud access services. According to The 2112 Group report, less than 10 percent of the service providers surveyed currently offer these types of services, which creates an opportunity for MSPs that are prepared to offer this type of service and go beyond network-level security.
Take a Layered Approach to IT Security
You’ll have to decide what mix of security services is right for your business and your clients, but taking a layered approach to security is critical. This means protecting multiple threat vectors (email, web applications, remote access, mobile, etc.), using layered controls to limit what can be accessed if a breach occurs, and having solid business continuity and disaster recovery plans in place so you can help clients recover quickly and easily if something does go wrong.
The recent Equifax data breach, which potentially exposed sensitive information of roughly 143 million American consumers, is a good example of why a multi-layered approach to security is so important. According to a company statement, the breach exploited a web application vulnerability to access certain files over a period between mid-May and the end of July. In an article from The New York Times about the breach, Avivah Litan, a fraud analyst from Gartner, pointed out that Equifax should have had layered controls in place to help limit damage from an attack like this.
Starting the Security-As-A-Service Conversation
One of the biggest challenges MSPs face when adding security services to their offering is figuring out when and how to talk to clients and prospects about it. According to The 2112 Group report, one-third of managed security service providers say that clients don’t approach them about IT security until after a security breach occurs, which is too late.
It’s better to take a proactive approach and reach out to clients and prospects about security services before they have a problem. This gives you time to have a real conversation with them about their security needs, the limitations of their IT environment, potential vulnerabilities, and any budget considerations. And, of course, it will give you a chance to get proper protection in place instead of attempting to clean up a disaster after the fact.
Often, taking an educational approach is a good way to start the security conversation, particularly with clients or prospects who seem more reluctant to add security services. This could mean writing blog posts, sharing security tips in your client newsletter, or even hosting a lunch-and-learn to educate end users about security best practices.
It will take time to choose the right security solution to add to your technology stack and get your clients to understand the importance of incorporating the services into their managed service agreement, but in the end, you’ll be strengthening your offering and providing better protection to your clients.
Barracuda MSP is a provider of security and data protection solutions for managed services providers. If you're interested in learning more, come visit our booth at Navigate 2017!