WHETHER YOU WANT to hear it or not, your clients are taking a fine-tooth comb to their MSP agreements and weighing service cuts. Current economic pressures have companies tightening budgets across the board, and clients with no security expertise (they rely on you for that) are ready to inadvertently put their own safety—and yours—on the table.
My advice to my fellow MSPs: Get ahead of your clients' budget concerns by prioritizing outreach and ensuring they understand the demonstrable cost-benefit value your services deliver.
Help Clients Understand What They're Getting
Some MSPs might be content to serve as silent mercenaries and cut corners per client requests. However, now more than ever, you need to break from the ordinary and proactively earn your clients' continued business through clear-as-day communication and nurtured trust. If you offer a thoughtfully assembled technology stack of comprehensive and complementary security systems at a fair cost, it's a shame to lose business to a competitor that's inferior in everything but their bid. That's why it's so important to educate each client on their security protections and the threats each tool addresses. Further, when you have these conversations, put away the acronyms and jargon and speak directly to the real-life risks and effective remediations your stack addresses.
Your badge of honor is the breadth of security concerns you lay to rest. Certainly, clients want to know how you alleviate their fears over ransomware—but that's just the beginning. Having you as their MSP partner can mean that all their endpoints have thorough defenses against external attacks, their data is continually encrypted, and access to sensitive data on lost or stolen devices can be revoked before a breach occurs. It can mean assurance in meeting regulatory compliance requirements (HIPAA, NIST, you name it) to the letter, and expert support that takes the worry out of potential regulatory audits. Your safeguards might include training programs that teach and test the client's employees in practicing good security hygiene and recognizing certain threats (such as phishing emails), while also detecting and thwarting insider risk. If your practice offers the ability to fly through cybersecurity insurance questionnaires—or specialized advantages such as CMMS equipment-tracking capabilities or ISO 27001 certification—clients with those needs ought to understand all that you achieve for them.
Develop Mutual Client-MSP Understanding—and Offer Clients Some Control
Make it a goal to help clients become informed stakeholders who actively participate in their security. Also, recognize that an informed partnership goes both ways: Do your homework and learn your client's business practices so you can deliver the appropriate and most effective security protections for them.
In our case, we leverage BeachheadSecure for its RiskResponder capabilities, which allow us to set automatic and appropriate security responses to specific risk conditions. For example, a client with an open work-from-home policy could use geofencing-enabled rules to deny access to sensitive data from devices that aren't at either the main office or the employee's home. Risk responses can also warn users after a set number of failed logins and revoke the device's access after further failed attempts. Just as important as the demonstrable high-security value of these protections themselves, this process promotes our clients' active engagement with their own security and increases our own understanding of their needs. The net result is a closer client-MSP relationship.
We also provide DNS intercept via two different products; we don't worry about the overlap in that protection as long as the solutions don't interfere with each other. Proofpoint's Attachment Defense Sandboxing allows us to push email messages to a safe environment where we then check the attachment for any type of payload. URLs found in emails are redirected to a sandbox environment so that users can safely click on URLs embedded in emails. We also provide Zorus for web filtering and granular services to protect users in any working environment.
For clients with their own internal security teams, offering co-managed IT (CoMITs) is a compelling benefit. CoMITs gives these select clients change control over software you provide so that they can immediately and independently address security requirements while still operating within your safely restricted framework. Sharing management duties in this way often results in more closely entwined relationships and, naturally, greater retention of MSP services.