Cybercriminals today aren’t just targeting Fortune 500s. With nearly half of all cyber breaches affecting organizations with fewer than 1,000 employees, small to mid-sized enterprises have emerged as a growing target. In fact, 87% of small businesses today say they hold customer data that could be jeopardized in a cyber attack.
Due to their smaller size, it’s harder for these organizations to address the rising threat. One in four organizations say they don’t have the skilled personnel to implement even basic protections. Growing businesses are also confronted by the sheer complexity and volume of security tools that are currently available on the market. When faced with too many choices—some of which already overlap or conflict with existing capabilities—businesses all too often struggle to identify a select list of solutions they need to build resilience.
The good news is safeguarding against these attacks isn’t impossible. Companies are now turning to MSPs for guidance that extends beyond product recommendations. Many SMBs don’t need yet another security tool. What they really need is the clarity provided by proven frameworks like the CIS (Center for Internet Security) Critical Security Controls and outcome-driven strategies that will substantially reduce their risk exposure.
Businesses, big or small, must move the conversation beyond which products to buy or cost justification and toward why they matter, what’s at risk and how they align with business objectives.
Here are three things that every organization must prioritize in developing their security strategy, and how MSPs can help.
- A security tech stack driven by strategy, not trends.
One of the biggest risks in cybersecurity today is misalignment between what tools promise, what MSPs deliver and what clients actually need. Without someone to connect the dots and uncover blind spots, even security stacks built on best-in-class technology can be overbuilt and underutilized.
This is especially dangerous when businesses have low security maturity. Making hasty purchases of advanced tools and implementing them without any foundational controls in place can be disastrous, creating more trouble than it’s worth. From increased operational overhead to exposure of unaddressed gaps, teams can be hit with various issues (and costs) that arise as a direct result of tool adoption. This can even end up breeding internal mistrust, discouraging leadership from incorporating future security recommendations, which could become a crucial setback in the fight against rising threats.
On the other end of the spectrum, the implementation of advanced tools may create a misplaced sense of confidence. Adding solutions simply because they’re new leaves teams with too many tools, many of which already overlap or are unnecessary for protection. Security can become “performative” rather than functional; an expensive stack of tools that looks impressive on paper but fails to meaningfully deter, detect or respond to threats.
Not to mention, having too many tools—or tools that are improperly configured—could actually increase risk exposure rather than reduce it. Every new tool comes with its own set of unique vulnerabilities that affect an organization’s overall security infrastructure, potentially revealing new gaps that cybercriminals could easily take advantage of.
Personalized programs created with business outcomes in mind are necessary to break this cycle. An MSP partner can use its expertise to audit the security tools an organization uses and identify what can be decluttered. Rather than simply recommending a list of tools because they’re trendy, a strategic MSP should be able to evaluate a client’s security infrastructure in its entirety, then nail down priorities based on emerging threats, compliance requirements and internal workflows—optimizing a selection of handpicked solutions that not only work well together, but also leave narrower gaps behind.
- A security program they can rely on—and actually understand.
Cybersecurity is already an incredibly technical, complicated topic. It should never be intentionally convoluted. I often compare a security strategy to buying a car. Modern vehicles are a serious monetary investment, and are built using thousands of parts, advanced electronics and layered safety systems. But despite this complexity, no one purchases a car just because a dealer tells them, “Trust me, you need it.” Buyers carefully research their options, compare models, identify specific features, weigh the trade-offs and choose what best fits their driving needs.
Security should be no different. Offerings must be explained in a way that makes sense, tied to real risks and priorities and justified by clear outcomes.
This is where established frameworks like the CIS Critical Security Controls can be helpful. The CIS Controls explain what specific technical safeguards do in plain language and tie each to an observable business outcome (such as cost savings from preventing a data leak), which enables MSPs to explain why investing in a security strategy is important. CIS Controls like vulnerability management (7), secure configuration of hardware and software (4) and email filtering (9.1), for example, aren’t products that organizations can purchase with the click of a button. They’re components of a defense strategy. When applied in context, these controls make the security program comprehensible to organizations, helping them map security priorities to real threats. They can more easily understand what the risks are, how their organization is being protected and, most importantly, where their money is going and why.
This framework-driven approach enables MSPs to lead with structure, creating space for businesses to have more thoughtful conversations with them around what they need to elevate their security. Instead of asking surface-level questions like, “Do you want DNS filtering?” companies should look for questions from MSPs like, “Do your employees know how to spot phishing links?” And rather than, “Let’s buy X platform,” the conversation should shift to, “How do we minimize downtime if you’re hit with ransomware?”
The most effective MSPs focus on what truly matters to their clients—not only the security threats that keep them up at night, but also the motivations that bring them back to work each day. The goal for an MSP is to earn enough trust to say, “Let us handle the security concerns so you can get back to doing what you do best.”
- A community with access to real-time threat intelligence.
Businesses often don’t know what they don’t know about security, which is why it’s critical for both them and their MSPs to be on the lookout for new knowledge about threats and protections on an ongoing basis. Fortunately, there are communities, training and educational resources designed to help organizations learn from proven approaches that have already been tested in environments like their own. This shared knowledge can provide fresh perspectives and solutions that go beyond what internal teams might develop alone.
And growing companies should expect their MSP partners to be doing the same to best protect them. There are new MSP-enabled networks, such as Sherweb’s CyberMSP Community, that offer real-time threat updates and facilitate peer exchanges. They serve as dynamic hubs where MSPs share threat intelligence, fueling faster, more informed responses to cyber risks. This keeps MSPs from trying to solve complex threats in a vacuum and results in better protection for their clients.
For example, a mid-sized healthcare provider that regularly engages in workshops and threat-sharing forums can obtain early warnings about threats that might otherwise go unnoticed. Take a phishing campaign that targets healthcare providers and insurers with the intention of stealing sensitive information. An organization connected to an active, close-knit MSP community will receive prompt alerts long before the attack infiltrates its network. It can also rely on informed peers and experts who grasp the unique nuances of security challenges specific to its industry. These communities give businesses the opportunity to respond proactively, whether by updating email filters or investing in additional phishing training for employees. Knowing the right actions to take at the right time can mean the difference between thwarting an attack and facing a costly breach.
Cyber threats evolve too quickly for individual organizations to manage alone. Businesses can’t afford to operate in isolation when it comes to transforming their security strategies to accommodate rapidly changing priorities. With the help of collective intelligence, teams can shift their security initiatives from a static checklist of tools to an adaptable defense strategy.
The goal shouldn’t be to compile the largest stack. Instead, it should be to develop a unified security system that reduces tool redundancy, demonstrates value as a revenue protector and emphasizes strategic CIS Controls for comprehensive organizational impact. Technology is important, but it’s just one component of the equation; people and processes complete the picture. By focusing on the overarching outcomes instead of buying the next popular tool, MSPs can become essential business partners to growing companies that want to enhance their security strategy but are uncertain of where to begin.
About the Author
Roddy Bergeron is the Cybersecurity Technical Fellow at Sherweb, the technology and service provider that equips nearly 8,000 MSPs with everything they need to run and scale their offerings. Bergeron’s career has taken various paths including government auditing, nonprofit work, public/private partnerships with the State of Louisiana, managed security, vCISO and compliance programs.
To learn more about Roddy’s work with Sherweb, check out our website: https://www.sherweb.com/