What is the future of the MSP and Security?
That’s the subject of the latest Vanson Bourne report, commissioned by cybersecurity experts, Acronis, and released in conjunction with ChannelPro Magazine.
It’s also the subject of the presentation I delivered for an Acronis event in Schaffhausen, Switzerland in November 2021.
I spoke with a room full of Managed Service Providers (MSPs), vendors and industry experts.
However, as not everyone was able to join us in Switzerland, I thought I’d use this article to give you some of my insights into the findings of the report.
MSPs Speak: Cybersecurity and the future role of the MSP (2H’21)
The report MSPs Speak: Cybersecurity and the future role of the MSP (2H’21) highlights the results of a survey conducted by global technology research experts Vanson Bourne in conjunction with ChannelPro Magazine.
The survey respondents include 400+ MSPs, including:-
- 200 North American-based MSPs
- 100 MSPs based in EMEA
- 50 MSPs in the United Arab Emirates (UAE) and Saudi Arabia
- 50 MSPs in Australia and Singapore.
The majority of respondents had 10-99 employees, and 31-75 clients — so representative of the nimble MSPs who read this blog.
I’d encourage you to download the report as it gives some really interesting insights into the way the Managed Services marketplace is currently feeling.
The report is comprehensive, with a lot of information.
Therefore, in this article, I’ll highlight some of the key takeaways I’d like to share from the report.
MSPs are really worried about Cybersecurity
The report highlights that 97% of MSPs are concerned about the risk of themselves or clients suffering a cybersecurity breach in the next 12 months.
In my experience speaking with MSPs within The Tech Tribe and other communities, I’d say this finding is spot on.
IT businesses are having some very sleepless nights on how to keep their clients safe.
Furthermore, I’d suggest that we aren’t just worried about our clients.
In fact, I would recommend that this is a wake-up call for every MSP to start eating our own dog food.
Why MSPs need to eat their own dog food
Instead, we need to be actively using these cybersecurity tools within our own businesses!
I can’t tell you the number of MSPs I’ve observed who turn off MFA because it’s “inconvenient” (no, really!).
If we don’t follow cybersecurity best practices internally, how can we expect our clients to take these measures seriously?
Therefore, the “do as I say, no as a I do” mindset is no longer tenable.
As a result, MSPs need to hold themselves to high standards of cybersecurity and highlight the way to our clients.
Almost Half of Clients Don’t Trust MSPs
However, I know from direct experience working with MSPs that they take their clients security incredible seriously.
Therefore, this statistic points to a disconnect between the work MSPs are doing and what clients *think* MSPs are doing.
So, how can we fix this disconnect?
MSPs Need To Overcommunicate With Clients
The work I did with WMP included helping them communicate with the general public.
I quickly learned that the Police have a challenge very similar to IT businesses.
The Police, like MSPs, work incredibly hard behind the scenes to keep their clients (you and I, the general public) safe from threats.
However, the only time we ever really contact the Police is when something has gone wrong — a robbery, a theft, or something worse.
Nobody, in history, has ever phoned their local Police force and said “I just called to say thanks! My home has not been broken into today!”
Likewise, no client has ever phoned their MSP and said “Great job, the server hasn’t crashed today!”.
Therefore, the hard work that MSPs do to keep their clients safe isn’t noticed — it’s taken for granted.
It’s my opinion that MSPs need to be overcommunicating the work they do to clients.
On a daily basis, MSPs need to be highlighting the issues they are resolving to keep clients safe.
As a result, clients will understand that their MSPs aren’t just working for them when something goes wrong — the MSP is *always* working for them.
Trust Between Vendors and MSPs is Low
This is shocking, but not altogether surprising.
Given the cybersecurity attacks that vendors like SolarWinds and Kaseya have experienced, I can understand why MSPs are worried.
However, those isolated incidents apart, I believe that the vendor/MSP relationship is broken and needs to change.
As a result, vendors have got to work harder to demonstrate to MSPs that they have their backs.
Vendors — this doesn’t just mean extolling the virtues of the latest new tool you have to sell.
Instead, it means vendors keeping a direct line of communication open with MSPs to help them to keep their clients safe.
Many vendors are already doing a great job of this.
I’d like to see more vendors step up to this challenge.
How MSPs and Vendors Can Work Together
As a result, MSPs need to tell their vendors what they need in the way of vendor support to help them increase trust with their clients.
The MSP/Vendor relationship should be one of partnership.
Now — I fully appreciate that this opinion is going to open me to some very strong (OK – hateful!) comments.
Many MSPs have aggressively told me how I’m wrong, and how vendors don’t care about MSPs, and how Venture Capital funding has ruined the channel, and how vendors are driven to make a profit at any cost.
All I can say is this.
My experience working with vendors (both as an MSP owner, and now as an advisor) has not reflected that opinion.
It has been my experience that vendors *do* care about MSPs business, and will listen, if asked.
Vendors and MSPs need to come together to mitigate the Cybersecurity threats that small businesses are facing.
As a result, Vendors need to be making MSPs aware of the latest threats.
Plus, MSPs need to be educating their clients to how these threats affect them.
The Future of nimble MSPs is to rely on automation
The Vanson Bourne report highlights that the most nimble MSPs (1-4 staff) are struggling to protect their clients.
As a result of less resources, nimble MSPs are finding it increasingly difficult to defend against cyber attacks including:-
- Malware attack via download
- Distributed Denial of Service (DDOS)
- SQL injection
- Brute force credential
- Supply chain attacks
- Zero day exploits.
Having been a nimble MSP owner in a previous life, my advice to smaller MSPs here is this.
If you don’t have the staff to provide protection, utilise more tools.
I’m personally seeing the top nimble MSPs add 4-6 tools per year to help them keep their clients safe.
As a result of these tools, which can automate protection, nimble MSPs are able to lower their cost of support and increase their cybersecurity.
Consolidation of Disaster Recovery and Cybersecurity
A growing number of MSPs are consolidating their cybersecurity, backup and disaster recovery (BDR) services.
I totally understand why they are doing this.
While you can mitigate against cybercrime with cybersecurity tools, without a disaster recovery (DR) solution, you can never be fully confident of keeping a client safe.
For example, here’s an amazing insight into how one business owner dealt with a ransomware attack.
The article, Hackers tried to rob me of $15m. Here’s how I stopped them… highlights that while Langs Building Supplies in Queensland, Australia were hit with ransomware, CEO Matthew Day was confident of not having to pay the ransom.
Why? Because his business has a strong BDR solution in place that allowed them to roll-back to an immutable version of their data.
As a result, the business experienced downtime, but not catastrophic failure.
The lesson for MSPs here is simple.
Consolidating your Cybersecurity and Disaster Recovery offerings isn’t a nice to have, it’s now essential.
Furthermore, we need to be sharing our knowledge of how cybersecurity attacks are being perpetrated.
As cybersecurity expert Ian Thornton-Trump told me in our conversation about How to Navigate the Scary World of MSP Cybersecurity, “Listen to what’s being talked about, pay attention to how other businesses are getting hurt and don’t let that happen to your businesses.”
The future of the MSP and security is built on open dialogue, transparency and communication.
MSPs struggle to justify rising costs to clients
Another key element I took from the Vanson Bourne report is that MSPs are struggling to justify cost increases to clients.
Specifically, MSPs are implementing new Cybersecurity measures, but when they approach their clients to increase costs, clients are saying “Don’t we already pay you for this?”
One way to mitigate this challenge is to implement the Good/Better/Best Managed Services style-agreement and then update it regularly.
Nigel Moore (there’s that man again!) excellent book “Price, Package, Profit” explains this concept brilliantly.
What I’m seeing some MSPs do is to educate their clients that these packages are not set in stone.
As a result, each year (at least!) MSPs are increasing the prices of their packages, but offering additional cybersecurity measures to justify the increase.
For example, I know one MSP who name their packages with extensions of 2020, 2021, etc.
Therefore, when they speak to clients about price increases, they are doing so while introducing a “new” package each year.
This tactic enables the MSP to keep to modern cybersecurity standards without having a multitude of clients on differing packages.
Margins are Dropping for MSPs
Another challenge that the Vanson Bourne report highlighted is that most MSPs are struggling with increasing costs eroding their margins.
For example, look at the furore that Microsoft have experienced after increasing their M365 package prices for the first time in year!
The bottom line here is that we all expect price increases in business and life.
When the price of your electricity, gas or broadband rises, you may grumble, but it doesn’t come as a shock.
Therefore, your MSP clients will expect price increases.
As MSPs, you need to be increasing your prices regularly (see the the above section on justifying price increases to clients).
One of the fundamental tenants of Managed Services is to monitor your profitability, NOT your turnover.
If the cost of your tools increases, then pass those costs onto clients — don’t make assumptions about what clients will and won’t agree to pay.
The future of the MSP includes regular price increases, full stop.
The Future of the MSP and Selling Security Services
In fact, the MSPs featured in the report work with an average of four vendors for cybersecurity, backup and disaster recovery tools.
Going forward, 92% of MSPs in the survey said they were looking to consolidate their tools.
MSPs can benefit from working with fewer vendors, often utilising a single monitoring interface.
For instance, Acronis coined the term “Cyber Protection”, with an offering that delivers a cybersecurity, backup and DR solution within a single pane of glass.
As a result of working with fewer vendors, MSPs can realise:-
- Lower licensing costs
- Reduced training Costs
- Fewer costs in documentation and maintenance
Plus, I believe that you will also build a strong relationship with your vendors after consolidation and avoid finger pointing and arguments between vendors if a breach occurs.
The potential downside to consolidation is a risk of “all your eggs in one basket”.
However, I broadly agree with the reports findings that consolidation brings more benefits than it does weaknesses.
Consolidation Brings Automation Benefits
The Vanson Bourne report highlights that those MSPs who have consolidated their tools have also benefitted from increased automation.
As a result, when it comes to recovering from a cybersecurity breach or data loss incident, those MSPs who have automated have saved an average of 5 hours in recovery time.
That is impressive — especially given that the first question any client asks when they are notified of a breach is “How quickly can we be back up and running?”
The lesson here is clear — the future of the MSP and security needs to incorporate strong automation.
Automation, Automation, Automation
When it comes to automation, however, the challenge for MSPs is that not all vendors place nicely together.
API connectivity is still a challenge, and many tools do not interface effectively.
The takeaway for MSPs here is that if you are considering working with multiple vendors, understand the integration between their tools *and* the potential political divides between the vendor providers.
I’ve seen many an integration between vendor tools working one day, and then broken the next — with the vendors involved pointing fingers at one another for the failing.
Again, though, for nimble MSPs who might struggle to hire and retain great staff, automation is key.
The Future of the MSP – Artificial Intelligence
From my advisory work with a number of vendors, I can tell you that vendors are heavily investing in artificial intelligence (AI) and machine learning (ML).
AI/ML isn’t a future technology — it’s here now, and the automation AI brings is saving many MSPs man hours.
As a result, the future of the MSP is AI.
Therefore, when it comes to consolidating vendors, a simple question your MSP can ask vendors is “What’s your AI strategy?”.
The vendors answer will let you know whether they are thinking to the future, or stuck in a maintenance mindset.
When it comes to the future of the Managed Service Provider (MSP) and security, the Vanson Bourne report MSPs Speak: Cybersecurity and the future role of the MSP (2H’21) is a fascinating insight into how modern MSPs from across the world are thinking.
Cybersecurity, not surprisingly, is top of mind and MSPs have work to do in building trust with their clients.
However, vendors also need to work on their relationship with MSPs.
The Cybersecurity issue isn’t one that will be resolved in isolation — it will take the channel coming together to help defeat the cybercriminals.
If I were to summarise my key three takeaways from this report, they would be:-
- Overcommunicate with your clients (and talk to your vendors more!)
- Brand your Managed Service/Security packages and update them regularly
- Consider consolidating the vendor tools you use
However, I’d encourage you to download the Vanson Bourne report and come to your own conclusions.
What did you takeaway from the report?
As a result of the report, what changes are you looking to make in your IT solution provider or Managed Service Provider business?
Let me know in the comments below, or get in touch.