How do businesses really feel about managed security service providers?

Revealing the pros and cons of MSPs.

What if a business’s security systems go down and the company doesn’t have the internal expertise to get things back up and running? As the threat landscape continues to evolve daily, that scenario is a realistic concern. With high-profile breaches increasing in number every day, and ransomware strains and advanced threats hitting the news almost daily, companies need to ensure they won’t be the next victim.

So, what’s the solution? One is to turn to a managed service provider with security services (MSSP) — a specialist provider that can ensure that a business’s IT security is as strong as possible.

Companies are getting the message: 60% of companies now understand the efficacy of managed security services, compared with 56% last year. Moreover, 42% of SMBs used managed security services in the last year, as did 51% of enterprises. These companies have already woken up to the fact that using a managed security service provider is in many instances an obvious solution to a company’s security requirements. But the stats also show us that not every company feels the same way — yet.

Worryingly for the managed security services market, figures from Kaspersky Lab’s latest annual IT Security Risks survey show that only 25% of businesses are planning to use MSSPs in 2018 to tackle their IT security challenges, indicating that some companies still need to be convinced of the benefits of working with managed security service providers.

Naturally, businesses need to weigh the pros and cons of using an MSSP, to establish whether this type of solution is effective — and appropriate — for them. The onus is therefore on MSSPs to convince businesses that they offer the right solutions. And to do that, they need to understand the many security challenges businesses face.

So, let’s take a look at the situation from the point of view of both SMBs and enterprises. What do they see as the pros and cons of working with MSSPs?

What’s making businesses wary of MSSPs?

Businesses cite four MSSP “turnoffs.” The first is the pricing, which 29% of enterprises feel is too high. Even more SMBs agreed, with 39% saying it would be a struggle to find or justify the budget for securing this support. These companies are probably the most in need of managed security services — they’re focusing more on business growth and, in many cases, growing their internal cybersecurity expertise only minimally. And some choose to believe they won’t become a target.

[Figure: IT Security Risks 2017]

They say ignorance is bliss, but a hacked customer database, costly downtime, and customer losses are all far from blissful. It’s alarming that 19% of enterprises and 25% of SMBs somehow feel confident they won’t be the victim of a cyberattack. Smaller or newer businesses may think they’ll be overlooked in favor of bigger targets, but for these organizations, the resulting loss would be felt the most. By ignoring or minimizing cybersecurity, owners and managers emotionally tied to their company, and those without the deep pockets of their bigger competitors, risk their businesses outright.

For companies that are fully aware of what a cyberattack could mean for them and their customers, the cost is easier to swallow, but some — 32% of SMBs and 35% of enterprises — have trust issues when it comes to giving external providers access to their systems. Their reluctance is unsurprising, given the access these external companies need to do their jobs. Personal data, trade secrets, and payment information are all at stake, so a business needs to be able to trust the provider completely before handing over the keys to its kingdom.

That caution can be compounded by the notion that an MSSP may itself be exposed to a breach or have vulnerabilities. A rather unsettling idea!

Some organizations are not feeling the industrywide skills shortage as keenly as others. Some — 31% of SMBs and 37% of enterprises — feel they already have adequate in-house resources to bridge their IT security gaps. However, that isn’t a permanent solution; as IT security professionals become more highly sought after, they could be tempted away to higher-profile firms. An ongoing MSSP service contract, with strict service level agreements (SLAs), ensures coverage of a company’s security needs at all times.

What MSSPs can bring to the table

Despite their misgivings, businesses have plenty of good reasons to use MSSPs to fulfill their IT security requirements.

The first, and perhaps biggest, benefit to companies is budgetary. Most companies agree, with 54% of enterprises and 51% of SMBs viewing partnering with MSSPs as a way of cutting their security-related costs. For companies already spending extensively on full-time staff, rigorous protection measures, and staff training and awareness (a figure that grows with each new employee), using an MSSP could result in a reduction in up-front IT security costs. Rather than having to add to their capital expenditure, businesses can categorize security as an operational expense, making it easier to invest in security services — a vital consideration when the costs associated with suffering a breach can severely hurt a company’s bottom line and affect its forecasts.

For companies worried about their IT security strength, an SLA can provide a safety net, or security blanket. The desire to have someone accountable for security is strong, and 42% of SMBs and 43% of enterprises want to know that this vital component of their business is being handled by an external provider. It gives business owners and decision-makers peace of mind.

Outsourcing can also lead to a broader mind-set change when it comes to farming out other aspects of a business’s IT requirements. The various in-house resources and skills required to oversee IT can really add up, and being able to rely on external resources to handle other aspects of a company can help an organization rein in its spending. Indeed, 35% of the SMBs and 41% of the enterprises in our study are looking to outsource all of their IT, including security, to a third-party provider.

The most obvious advantage of using an MSSP, however, is that it can bridge a company’s IT security gap. In our study, 25% of enterprises and 28% of SMBs admitted they lack sufficient internal resources and expertise in IT security. Not having the right knowledge or staff leaves a business vulnerable, and sourcing the expertise from a third-party supplier can ensure that an organization’s needs are adequately covered.

Finding the balance

Weighing the pros against the cons is a difficult process for businesses, especially when it comes to keeping critical systems and highly sensitive information secure. The first job of an MSSP is to help with that process: understanding prospective clients’ concerns and demonstrating ways to overcome them. Only then will MSSPs be able to convince more businesses of the true benefits of their services, and help more companies avoid security problems in the future.

To help MSSPs in their mission to boost the security of more businesses around the world, Kaspersky Lab has developed a dedicated MSP Partner Program, designed to help managed security service providers increase sales revenue, reduce start-up costs, and get up and running quickly to win over new clients.

Our security portfolio for MSSPs includes flexible, powerful tools to monitor and manage protection for each client’s entire infrastructure, providing increased visibility for both MSSPs and their customers. Adding technology, training, and our technical support, we help MSSPs become a reliable security adviser and the first line of support for their customers.

All in all, we are here to enable MSPs and MSSPs to eradicate all of the downsides — and help out with all the upsides for them and their clients.