
Security + Your MSP: Are You Really Covered?

Chaz Hager May 19 2021

If you think all of your business’s cybersecurity needs are covered by your managed services provider, think again.

Managed services provide a variety of benefits to businesses that lower overall IT costs and provide some cybersecurity benefits. Note the word some and not all. When working with a managed services provider (MSP), it’s critical to understand what cybersecurity services will and will not be provided under your MSP agreement.

Security Services Typically Provided by MSPs

Setting up and managing networks inherently involves securing technology and access. Antivirus software and firewalls are often standard services included with managed services and technology.

Another standard and beneficial security offering of MSPs is patching. Device and application providers release hundreds of patches in a year. Keeping up with those patches, many of which include security fixes, can be overwhelming for organizations, especially when multiplied by the number of devices and applications they use. MSPs can ensure that security patches and bug fixes are applied when they should be, thereby providing a much-needed security function.

Many MSPs also include identity and access management as a service, which can help reduce the likelihood of unauthorized access to data. The MSP validates users’ credentials for accessing various types of data and even verifies whether access is still needed as employees change roles or leave the company. MSPs will also notify their clients of access issues well before a business’s small, multi-tasking IT department might detect them.

Another way MSPs provide security is through best practices. One example is multi-factor authentication (MFA). MSPs were recommending MFA to their clients well before businesses were aware of its importance to security and were adopting it broadly in their organizations.

MSPs can be great resources for information, from best practices to technology. Businesses are often inundated by technology providers offering solutions to a myriad of problems. MSPs have extensive experience with products and issues, and access to knowledge resources, that a business may not have. They can help organizations make informed decisions about technology purchases that are based on best practices and the bigger picture rather than on the individual situations a business might be facing.

MSPs May Not Provide Specialized Security Services

Businesses in the midst of cybersecurity events may find out they’ve made a critically uninformed assumption about their MSP when certain cybersecurity functions are not provided. For instance, an organization may assume that its MSP will not only alert it to a cyber breach but also find the root cause and correct the issue, while the MSP agreement may simply provide remote monitoring of network health and maintenance of network access.


Security as a service is indeed a service some MSPs may provide for an additional cost. There are also managed security services providers (MSSPs) that provide specialized cybersecurity, including data forensics, which is often needed to determine the root cause and scale of breaches as well as remediation. An MSP may assist your MSSP by providing the logs to help the MSSP find the root cause and remediate the issue.

Like managed IT services, MSSPs enable businesses to outsource their cybersecurity operations to experts at a fraction of the cost involved in setting up and managing their own information security departments. MSSPs have specialized cybersecurity knowledge and handle hacking, phishing, and ransomware events daily while an individual business may only encounter a cyber event every few months.

Of course, MSSPs also offer services that prevent threats, including risk assessment, vulnerability scanning, penetration testing, and real-time analysis of networks, logs, and new developing threats.

Coverage for Cybersecurity Breaches

Another area that businesses may falsely assume their MSP agreement covers is coverage for damages resulting from cyber breaches. While reputable MSPs carry cybersecurity insurance, their coverage is typically for their business, not their clients’. Every business should carry cybersecurity insurance of their own.

Coverage is based on the organization’s individual risks and risk tolerance—often depending on the industry, type of data handled, size of the business, and security of the business environment. Yes, a business working with an MSP would likely have lower insurance rates, and a business with MSSP support would have even lower rates. According to Business Insurance's article, “The average cost of cyber liability insurance in the United States was $1,501 per year for $1 million in liability coverage, with a $10,000 deductible.”

By contrast, consider these costs of a data breach. According to this CSO Online article, “Nearly 40% of the average total cost of a data breach stem from lost business – including increased customer turnover, lost revenue due to system downtime and the increasing cost of acquiring new business due to diminished reputation – increasing from $1.42 million in the 2019 study to $1.52 million in the 2020 study.”

Understanding what security services are provided under your MSP agreement can help you select among MSPs and prevent any expensive surprises should a cyber breach occur. And even if your MSP doesn’t offer MSSP services, they can recommend reputable MSSPs and cyber insurance carriers for your needs.

For topics to cover with your potential MSP to ensure you're covered, see our checklist, “6 Security Topics to Cover with Your MSP to Make Sure You're Actually Covered.”
