November 23, 2021
Tips to Consider when Expanding into Cybersecurity
For SMBs, the need for cybersecurity is growing fast. 43% of data breaches target SMBs, most SMBs will not be able to recover from a cyber attack, and 60% of SMBs don’t have a cybersecurity policy in place.
For many MSPs, cybersecurity is a phenomenal opportunity to add value for clients and to add revenue streams to their existing business operations. The good news is that you don’t have to be a cybersecurity expert to provide best-of-breed solutions. You just need to know the best practices and the right products and strategies for effective, robust, and easy-to-manage cybersecurity.
For MSPs considering expanding into cybersecurity, we hope the following information, tips, and solutions will be of tremendous value.
Don’t do default
To MDR (Managed Detection and Response) or not to MDR? While many people view MDR as a silver bullet in a security stack, it fits a specific need: to alert you when an attacker has bypassed your other controls. For an MSP looking to sell into the cybersecurity space, this is only a single point in the discussion. Powerful monitoring is also available through RMM tools, which allow you to monitor for unpatched systems, overly broad access permissions, etc. Recovery is just as important as detection. While an MDR will allow excellent detection capabilities, for an organisation just getting into selling cyber, it is not a hard requirement.
In many cases, MSPs go straight to offering products, without working on the process first. While this might seem to be a good step in the short term, it can come back to bite you over the medium to long term. To build a robust cybersecurity process and business practice, you can consider the CIS controls model. You may want to start with IG1 (Implementation Group 1).
Getting started: What should your thought process be?
A shift in perspective
Typically, MSPs sell ready-made packages. In selling cybersecurity, you’ll have to be more flexible, and build different packages for different customers to augment the basic technology they already have in place. For instance, you’ll need to offer different solutions to a customer using Microsoft 365 Business Standard, compared to a customer using Microsoft 365 Business Premium.
The sales process is also slightly different than selling non-cybersecurity IT. It’s recommended to have a salesperson or a sales engineer who is knowledgeable about cybersecurity, who can answer customers’ questions and make recommendations. If no one on your team has this knowledge, we recommend training a team member first, before you start selling. In many cases, your vendors can help you train your sales team.
As we mentioned, having some basic knowledge or expertise in cybersecurity is essential for your success in this market—and you don’t necessarily have to hire an additional person for this. In many cases, you can find this expertise in-house within your team, or build someone up with this knowledge and skill. From here, you can expand this skill set based on your needs as your security business scales.
There are many structured ways in which someone from your team can be trained up. Certifications such as CISSP and CompTIA Security+ are great places to start, and help build your reputation as a cybersecurity service provider.
Many vendors train your employees on how to work with their solutions. A good vendor will also help prepare your sales team to position and sell their solutions. We recommend partnering with such vendors, at least to start. It’s a great way to upskill your team, hit the ground running and add to your credentials, without having to spend additional money. It’s also worth checking how much support you get from each technology vendor, as this can vary tremendously.
When it comes to having the skills and expertise within your team—especially if you want to add these quickly—there’s always the option of outsourcing. A virtual CISO can help with the transitional phase, for example in selecting the first products to offer, building the process, assessing your offering, and so on. Alternatively, if you work with an Incident Response provider, you can ask if your retainer can be used for consulting, training, and assessment of your offering. They will typically love to do that and you can save a few bucks.
Entering the cybersecurity industry doesn’t have to mean making a huge up-front investment. Yes, if you take the MDR path then some investment is required. But there are many other ways to offer cybersecurity that do not require such an investment. In fact, if you look closely at your current portfolio, there’s a good chance that you already have some cybersecurity offerings in place—you might just not have called it cybersecurity. For example, it’s likely that you already sell BCDR. Repositioning this as a security tool can help you position your business as a security solutions provider.
If you want to minimise your initial investment, it’s best to go with SaaS solutions with no major capex or commitment. This also enables you to start small with a few pilot customers, and grow from there.
What products to start with
Deciding which products to start with is another challenge. First, look at your current portfolio and check if there are already products you sell that can be considered security products (BCDR is a good one, as we mentioned before).
Next, we recommend following the CIS process. This gives you some basic direction in terms of where to start, allowing you to confidently talk security with your customers, and help them frame their risk appetite.
Assuming you want to expand your MSP’s offering to additional products, select products that are relatively light—easy to install, easy to use, products that have central management and use a SaaS model.
Another important point is to choose products that minimise human intervention. Ideally, you want your products working for you, and not the other way around. Here are a few examples:
- Have BCDR test the backups for you, instead of having someone on your team doing it. By deploying BCDR, you reduce the amount of manual work involved, and consequently reduce your overhead.
- A product like Datto SaaS Defense protects email and collaboration tools automatically, with no human touch and no overhead for setup or maintenance. It also saves human hours spent investigating threats—with one click you get results from a deep investigation, which is ready for you to share with your clients. So unlike other solutions, with SaaS Defense you don’t need to hire a SOC specialist.
- SaaS Protection: SaaS Protection offers a multi-layered approach when it comes to protecting against ransomware and other cyber threats. With 3x daily backup and point-in-time restores, MSPs can recover individual files or an entire application’s data from a backup snapshot taken prior to an attack—again, with zero human touch.
- With RMM you can leverage an extensive library of pre-built scripts, policies, and extensions, supported by Datto, to automate tasks such as ransomware detection that monitors and reduces the impact of crypto-ransomware.
Again, we can’t emphasise it enough: whichever product you choose, make sure that the training, support, and professional services you get with the product are what you should expect. For new entrants to the cybersecurity space, this is true even if it means you have to select a less capable product.
To further reduce overhead, select products that integrate with your current PSA. You’ll want product solutions to report to the portal you already use, the one that your employees are used to working with. This is infinitely better than managing many portals. And if you choose a single vendor for all your cybersecurity products, just make sure their security program is robust (and do a third-party due diligence exercise).
Finally, trust us here, don’t be tempted to use free tools. Most free and open source tools will cost you hundreds of hours to manage, will let you down when you need them most, and often will not have the highest level of security in place. In many cases it’s just not worth it, as tempting as it may be.
This is a big part of selecting your product mix and strategy. When it comes to legal liability, you don’t want to take any chances, especially in the security space. Be crystal clear about your responsibilities when selling cybersecurity products and services, and ensure you’re not on the line if your client has a serious security issue.
Will my customers need it?
Striking out in a new direction will always come with an element of uncertainty. However, when it comes to cybersecurity, the demand is high and is expected to grow even more. Considering the current atmosphere—with daily headlines of data breaches, ransomware, phishing, and other threats hitting businesses—it’s pretty clear that everybody needs cybersecurity, especially SMBs.
Of course, when it comes to SMBs, budget can be an issue. In the past, because of this, smaller organisations were offered less effective cybersecurity products than large enterprises. Today, however, there are products available with enterprise-grade security solutions, built for the needs and budgets of SMBs.
As an MSP, you’re perfectly placed to deliver these solutions to SMBs.
One last tip for success
One last tip: as you’ve probably already heard, at Datto we encourage our MSP partners to first look at their own security, assess it, and validate that their business is secure before they sell security to others. This will provide you with the confidence and peace of mind to conquer the cybersecurity market for SMBs.
At Datto, we’re all about supporting MSPs. We have your back, and you’re always welcome to consult with our team, try our solutions, get training, or any other support we can offer.
There are SMBs out there who need your support – good luck!