Whether you want to hear it or not, your clients are taking a fine-tooth comb to their MSP agreements and weighing service cuts. Current economic pressures have companies tightening budgets across the board, and clients with no security expertise (they rely on you for that) are ready to inadvertently put their own safety—and yours—on the table.
My advice to my fellow MSPs: Get ahead of your clients’ budget concerns by prioritizing outreach and ensuring they understand the demonstrable cost-benefit value your services deliver.
Help Clients Understand What They’re Getting
Some MSPs might be content to serve as silent mercenaries and cut corners per client requests. However, now more than ever, you need to break from the ordinary and proactively earn your clients’ continued business through clear-as-day communication and nurtured trust. If you offer a thoughtfully assembled technology stack of comprehensive and complementary security systems at a fair cost, it’s a shame to lose business to a competitor that’s inferior in everything but their bid. That’s why it’s so important to educate each client on their security protections and the threats each tool addresses. Further, when you have these conversations, put away the acronyms and jargon and speak directly to the real-life risks and effective remediations your stack addresses.
Your badge of honor is the breadth of security concerns you lay to rest. Certainly, clients want to know how you alleviate their fears over ransomware—but that’s just the beginning. Having you as their MSP partner can mean that all their endpoints have thorough defenses against external attacks, their data is continually encrypted, and access to sensitive data on lost or stolen devices can be revoked before a breach occurs. It can mean assurance of meeting regulatory compliance requirements (HIPAA, NIST, you name it) to the letter, and expert support that takes the worry out of potential regulatory audits. Your safeguards might include training programs that teach and test the client’s employees in practicing good security hygiene and recognizing certain threats (such as phishing emails), while also detecting and thwarting insider risk. If your practice offers the ability to fly through cybersecurity insurance questionnaires—or specialized advantages such as CMMS equipment-tracking capabilities or ISO 27001 certification—clients with those needs ought to understand all that you achieve for them.
Develop Mutual Client-MSP Understanding—and Offer Clients Some Control
Make it a goal to help clients become informed stakeholders who actively participate in their security. Also, recognize that an informed partnership goes both ways: Do your homework and learn your client’s business practices so you can deliver the appropriate and most effective security protections for them.
In our case, we leverage BeachheadSecure for its RiskResponder capabilities, which allow us to set automatic and appropriate security responses to specific risk conditions. For example, a client with an open work-from-home policy could use geofencing-enabled rules to deny access to sensitive data from devices that aren’t at either the main office or the employee’s home. Risk responses can also warn users after a set number of failed logins and revoke the device’s access after further failed attempts. Just as important as the demonstrable high-security value of these protections themselves, this process promotes our clients’ active engagement with their own security and increases our own understanding of their needs. The net result is a closer client-MSP relationship.
We also provide DNS intercept via two different products; we don’t worry about the overlap in that protection as long as the solutions don’t interfere with each other. Proofpoint’s Attachment Defense Sandboxing allows us to push email messages to a safe environment where we then check the attachment for any type of payload. URLs found in emails are likewise redirected to a sandbox environment so that users can safely click on links embedded in emails. We also provide Zorus for web filtering and granular services to protect users in any working environment.
For clients with their own internal security teams, offering co-managed IT (CoMITs) is a compelling benefit. CoMITs gives these select clients change control over software you provide so that they can immediately and independently address security requirements while still operating within your safely restricted framework. Sharing management duties in this way often results in more closely entwined relationships and, naturally, greater retention of MSP services.
At the same time, economic pressures offer the opportunity to assess and address areas where clients’ usage of your resources needs to be more effective. It’s not uncommon for some clients to leverage your help desk in a way that becomes out of line with your initial expectations. For example, you may set costs with the understanding that a client will contact your team with issues a couple of times a week. Over time, though, you find that you’re fielding several handholding-level issues each day—such as employees losing passwords or needing basic IT help.
My recommendation is to provide those clients with free training and resources for developing more self-sufficient employees. Then reset the client’s understanding with a clear escalation path for employees to follow before engaging your help desk. Be clear that costs will increase if these measures aren’t followed. Where overly burdensome clients put you at risk of losing money, stick to your guns with cost incentives (or don’t be afraid to drop clients if appropriate).
Use Storytelling to Convey Security Benefits
From a client decision maker’s perspective, an MSP’s value is the ability to help them sleep well at night. Make it clear that if the company’s data doesn’t have a thoughtful set of layered measures assuring its security, they should be tossing and turning.
MSPs swap stunning stories about the surprising risks clients face all the time. If a client hesitates about addressing the risks of insider threats and implementing USB security, tell them about the mortgage company whose salesperson tried to steal the business’s entire customer database by copying it to a USB drive, with ambitions of starting a competing company. Because that mortgage company cut corners and didn’t have the right measures in place, its MSP partner could only capture screenshots of the rogue employee’s activity as he escaped with customers’ highly sensitive mortgage and tax documents. That company’s only recourse became a drawn-out lawsuit, which could have been avoided with comparatively affordable protections.
Finally, any client that doubts the importance of robust remote device and data access controls needs to hear the incredible story of the medical practice administrator who faked his own death and stole a work laptop to help start his new life. Because that laptop contained sensitive HIPAA-regulated health data, the company was insistent on locating the missing laptop while also mourning the colleague. In this case, the company did have robust MSP-provided tooling in place, which allowed the MSP to locate the ex-employee’s remote desert hiding place and assist the police…who found him living in an RV (also stolen), and successfully recovered the laptop.
Offering vivid tales such as these helps your clients visualize the scenarios they might face and understand the true value and peace of mind your security stack provides.
Let Clients Know Why Your Security Price Is Right
Both you and your clients face the pressures of a tough economy, and in most cases, can get through it better together. Allowing clients to nickel-and-dime you on your services is a recipe for security breaches and severe consequences for which you’re absolutely on the hook. Giving in to such demands can only hurt your business. By instead working closely with each client to proactively address their needs and nurture mutual understanding and trust, your relationships can continue to grow and thrive through the current economic upheaval and long after.
LUIS APONTE is the CEO of OneTech 360, a managed service provider with offices in New York, Pennsylvania, and Texas.