Managed service providers (MSPs) looking to minimize their cybersecurity risks might want to take notice of how many of their customers have cybersecurity insurance.
A survey of 500 small-to-medium enterprises (SMEs) conducted by Cowbell, a provider of cybersecurity insurance, finds only a third have made cyber insurance a core part of their cybersecurity strategy. However, 91 percent of the respondents that do have cyber insurance credited their provider with helping them avoid a potential incident.
How many businesses are highly prepared for a cyberattack?
Every MSP is all too aware of how much it costs them every time one of their customers has a cybersecurity incident. Invariably, each customer expects their MSP will devote resources to helping them recover.
The survey finds 50 percent of respondents have experienced a significant cybersecurity incident in the last 12 months, with it taking 3.4 weeks on average to recover. A full 39 percent admit it took them longer to recover than anticipated. 90 percent of those that experience a significant security incident also acknowledge it cost their organization a lot more than they expected as well. Further, a total of 81 percent of those respondents said they also experienced a drop in revenue in the wake of those attacks. More than a third (34 percent) said they would pay ransom to recover their data in the event of a ransomware attack.
Overall, the survey finds only 55 percent of respondents report they are highly prepared for a cyberattack.
MSPs must weigh the risk
MSPs generally encourage their customers to have a cybersecurity strategy but it’s clear there is still a significant percentage of customers that have yet to implement one. Theoretically, those customers represent an opportunity for MSPs to provide managed security services. The issue is that those organizations at this point have yet to implement a cybersecurity strategy may be more trouble than they’re worth to an MSP. It’s only a matter of time before those organizations become the latest in what has become a long list of organizations that have been victimized.
MSPs that provide IT services to those organizations are accepting a level of risk that might be nothing less than unacceptable. After all, the applications, and systems an MSP is being asked to manage, are invariably connected to the IT infrastructure the MSP relies on to drive the service it provides.
Worse yet, it’s likely a cyberattack might put those organizations out of business. An MSP might wake up one morning to discover their client can no longer pay their bills.
It’s always a difficult decision to turn away business during challenging economic times but it’s clear cyber insurance has become something of a barometer for whether MSPs should take on a client. Providers of cyber insurance have significantly increased the level of cybersecurity qualifications that need to in place before they will insure an organization.
MSPs have a lot more confidence in those organizations today than they might have a few short years ago when insurance policies were being taken out as an alternative to investing in cybersecurity. Insurance providers that found themselves making large payments to businesses that suffered cyberattacks have since learned a painful financial lesson.
MSPs, however, can benefit from the lessons carriers have learned by focusing their effort on clients that take cybersecurity seriously enough to qualify for an insurance policy. Anything short of that is now arguably little more than an invitation for disaster.
Photo: one photo / Shutterstock
