In “The State of SMB Cybersecurity 2022” report, research firm Vanson Bourne reveals several SMB cybersecurity trends that translate into an excellent opportunity for MSPs. Attacks on SMBs are on the rise, and as a result, SMBs are starting to prioritize cybersecurity. Although SMBs have become reliant on MSPs for protection for some time, many aren’t sure if they will stick with their current provider. That’s not to say that they are removing MSPs from their cybersecurity strategy — rather, they are looking for the MSP that can provide “the right” solution, and they are willing to pay real money to someone who could. Winning cybersecurity now can be the first step to dominating the managed IT market later.
But what does it mean to provide “the right” solution? How can you do it? What do MSPs need to do in order to seize this opportunity? Before we can answer these questions, we have to understand the SMB cybersecurity problems first.
SMBs are more vulnerable than ever
The State of SMB Cybersecurity in 2022 report found that SMBs continue to suffer from cybersecurity incidents, and the trend is accelerating rapidly. In 2022, 76% of all SMBs said they were “negatively impacted” by cybersecurity attacks. That’s up from 62% in 2021, and 55% in 2020.
There are several reasons for the increase in attacks against SMBs, but the primary cause is the rapid digital transformation that SMBs are going through. Every time another business process becomes digitized, a little more risk is introduced into the equation. And lately, SMBs have been digitizing a lot of processes — and will continue to do so. The problem is that they had not really accounted for the added risk that goes along with digitization. As the use of software and networked devices that enable digitization increases, the threat surface grows, leaving more doors open to cyberattacks.
The business model and strategies of cybercriminals have also evolved, and this, combined with this increased threat surface, makes SMBs even more vulnerable. Cybercriminals like low-hanging fruit, and SMBs are relatively easy targets. Many SMBs don’t take basic steps to protect themselves. In the State of SMB Cybersecurity report, about half of SMBs didn’t use firewalls and antivirus solutions or provide security awareness training and education services to employees, and few had their own cybersecurity professionals on staff.
While cybercriminals have definitely pulled off some high-profile attacks of large organizations — like healthcare organizations and energy companies — that targeted core infrastructure, these attacks are sure to catch the attention of the government and law enforcement community. By attacking SMBs and staying away from organizations that deal with infrastructure that is vital to society, cybercriminals can continue to rake in huge profits while staying under the government’s radar. Not all crimes are equal.
You probably did not hear of DarkSide until the Colonial Pipeline attack, but they were raking in millions in (ill-gotten) profits for over a year before that. There are dozens of groups just like them that we have never heard of that bring in millions of dollars every month. They can do this relatively silently because they steal from Mom and Pop, not Jeff and Mark and Elon.
A sea change
Although SMBs haven’t been very cybersecurity focused in the past, they are starting to take it seriously. Having seen (or experienced firsthand) the damage that a cybersecurity incident can cause and realizing that everyone — even the little guy — is vulnerable, has caused them to act. The State of SMB Cybersecurity 2022 found 83% of SMBs are worried their business will be the target of an attack in the next six months, and 69% believe that an attack can put them out of business. In turn, SMBs have decided to take action, with 73% of SMBs having “reached a tipping point where cybersecurity concerns demand action,” and 78% saying they are “set to increase investment in cybersecurity in the next 12 months.” This is increasingly becoming a top-down directive, as 31% of respondents said that pressure to increase investment in cybersecurity came from the board or other high-level decision makers — more than double compared to last year’s results for the same question.
SMBs are starting to realize that they can’t just digitize a process—their strategy needs to be built around a strong cybersecurity posture. But doing so isn’t simple, especially for resource-strapped SMBs. According to The State of SMB Cybersecurity, 67% of SMBs said that they don’t have the in-house skills to properly deal with cybersecurity issues. They could try to find those skills, but it’s not a realistic choice for many. The cybersecurity labor market is very tight, with way more openings than qualified candidates to fill them. On top of that, SMBs don’t have enough work to justify a new hire — even if they could find and afford to keep someone around — but they still need someone around to make sure that this very critical job task is attended to.
As a result, SMBs have relied on MSPs to handle their cybersecurity needs. The report found that nine in 10 SMBs are currently using an MSP for cybersecurity. But this is nothing new — 74% of SMBs used MSPs for cybersecurity in 2020.
The SMB cybersecurity opportunity
SMBs are expected to allocate $90 billion in new managed IT spend through 2026, according to the SMB Opportunity for MSPs: 2021 – 2026 report. But competition for those dollars will be fierce. The report found that the number of MSPs that will offer cybersecurity solutions will grow by 70% to 80%.
This is what makes winning the cybersecurity battle so important to winning the managed IT war. The State of the Cybersecurity Report found that the number of SMBs that outsource all or most of their cybersecurity needs in the next five years will grow from 47% today to 54% by 2027, and that the ultimate goal for many SMBs is to outsource as much IT as possible. In other words, if you can win them over with cybersecurity now (and manage to keep them happy), you can rely on growing in those accounts year over year. This is a crucial point for your business, where you can build the platform atop which your IT will grow for years to come.
While many SMBs currently rely on MSPs for protection, they are not necessarily satisfied with the way things are going with their current MSP. According to The State of SMB Cybersecurity report, 88% of respondents said that they experienced at least one MSP-related challenge — such as a lack of trust in the provider or inadequate cybersecurity protections — and that 42% of SMBs plan on using a new MSP in the near future. But even if SMBs are pleased with their provider, 94% would switch to a new MSP if it offered “the right” cybersecurity solution, and they would be willing to pay prices that are 39% (on average) higher than they currently pay for cybersecurity.
For the foreseeable future, SMBs are going to play musical chairs with their MSPs — even when they’re more or less pleased with the services they are receiving — until they find a provider that has “the right” package, all the while pumping more and more money into cybersecurity spend.
The crux is, you have to offer “the right” package. This is a great opportunity if your cybersecurity practice is sound. It’s bad news if your practice is weak, and a signal that it’s time to step your game up.
“The right” cybersecurity solution
In a perfect world, “the right” cybersecurity solution provider would be one that prevents all cybersecurity incidents. But we don’t live in a perfect world and providing such a solution is impossible. In our imperfect world, the recipe for “the right’’ cybersecurity solutions provider is a mélange of tangible and intangible factors. In the SMB Cybersecurity Report, SMBs said confidence in the ability to respond to security incidents (54%), capabilities/certs (47%), trust in the MSP’s ability to deliver against the offering (46%) and confidence to minimize damage/loss (44%) were top factors in deciding if an MSP provider was “the right” one. MSPs will need a strong portfolio of cybersecurity solutions along with the talent required to protect clients, and make sure that clients trust and are confident in the MSPs ability to deliver on its end of the bargain and minimize the damage if something ever does go wrong.
SMBs are more vulnerable than ever. Many don’t have basic cybersecurity protections in place, and they are increasingly the target of attacks as cybercriminals look for easy targets that won’t make a lot of noise when attacked. SMBs are fed up with being a victim, are turning to MSPs for protection, and they are willing to pay a premium to anyone who can provide “the right” solution.
This is an outstanding opportunity for MSPs. SMBs are expected to spend a lot on managed IT and security in the coming decade, and winning the cybersecurity business now can help you dominate the managed IT space in the future.
John Schweizer is Vice President — Channels and Business Development, Connectwise. John has had tenured runs in key executive positions at office equipment giants like Alco Standard-IKON, Ricoh and most recently as the CEO of a Xerox owned company. He also had principal ownership in a dealership in San Diego. John currently serves as a member of the advisory board for the cybersecurity firm Fhoosh.