Small and medium-sized enterprises (SMEs) are just as vulnerable to cyberattacks as a Fortune 500 company. According to the U.S. Chamber, a majority (60 percent) of small businesses say cybersecurity threats, including phishing, malware, and ransomware, are a top concern. Still, many small businesses don’t bother putting a cybersecurity plan in place until after an incident.
During 2020 and 2021, data breaches at small businesses jumped 152 percent compared to the previous two years. According to RiskRecon, a Mastercard company that assesses companies’ cybersecurity risk. This figure is twice as high as among larger companies in the same period.
Rob Batters, Director of Technical and Managed Services at an IT consultancy, cites data from RiskRecon, a Mastercard company that assesses companies’ cybersecurity risk. “During 2020 and 2021, data breaches at small businesses jumped 152 percent compared to the previous two years. This figure is twice as high as it was among larger companies in the same period,” he states.
Batters shares that small businesses are attractive to hackers precisely because of their size. “SMEs are particularly enticing to cybercriminals because many SMEs hesitate to invest in strong defenses, focusing instead on day-to-day operations and assuming they’re unlikely to be targeted,” Batters explains.
He adds that this hesitation leaves critical vulnerabilities exposed, making SMEs highly attractive targets. Conveying these points to SMEs should make it easier for managed service providers (MSPs) to sell cybersecurity services. It’s a win for everyone.
Cybersecurity as a competitive advantage
Meanwhile, Mithilesh Ramaswamy, a senior engineer, says that MSPs should “focus on empowerment over fear” when selling cybersecurity services to SMEs. “Emphasize how your services give owners control over their operations and peace of mind, rather than focusing on the chaos a breach might cause,” Ramaswamy states, adding that an MSP should “celebrate preparedness” and highlight the idea of being proactive and staying ahead of threats as a sign of a responsible and forward-thinking business.
Cam Roberson, vice president at a cloud-based data security platform, shares that instead of pushing generic security packages, MSPs can demonstrate more specific value through sample assessment reports, contrast their comprehensive approach against basic checklists, and frame security as a competitive advantage that clients can showcase to their customers.
“MSPs can back this up by showing how they implement these same practices,” says Roberson. “They should emphasize that while annual audits or basic compliance may feel sufficient, modern threats require continuous, holistic protection. MSPs likely don’t need a reminder that many small businesses are optimistic about their current cybersecurity until concrete evidence of gaps is shown.”
Roberson adds, “Using framework-based assessments to provide this reality check while offering clear solutions that will better position MSPs to sell better and faster.”
Simplicity is a key
David Ratner, CEO of a cybersecurity company, echoes others, saying “Selling cybersecurity services to small businesses requires making the solution value proposition as easy to understand as possible and making the solution simple to deploy and install. Making the solution integrate with the rest of the stack so that the entire stack functions as ‘one solution’ is an idea versus forcing the small business to learn a new management interface or process. Ideally, the new solution being inserted is ‘set it and forget it’ or managed by an already-existing and known interface that it integrates with.”
Ratner explains that one example of this would be deploying protective Domain Name System (DNS) integrated with and managed through the existing Endpoint Detection & Response (EDR) solution, adding that finally — and perhaps most importantly — selling to small businesses requires understanding how they purchase and manage their overall stack. He shares that “Increasingly, small businesses are relying on MSPs and managed security services providers (MSSPs) to provide their IT and cybersecurity needs. Asking the small business for an introduction to their MSP/MSSP is a great way to get a qualified introduction and a leg-up on the selling process, as the MSP/MSSP now knows that at least one of their customers is interested in the solution and sees value.”
Focus on benefits for the win
Eddy Abou-Nehme, Owner and Director of Operations at Canadian IT solutions provider says that MSPs should focus on benefits rather than fear when selling cybersecurity services.
“Share relatable, real-world examples from their industry, and explain the business impact of a data breach without drowning them in tech jargon,” Abou-Nehme suggests while also saying that an MSP should position itself as a partner in their success, not just someone trying to sell a product.
“A good way to do this is by offering a free security assessment or consultation to open the door, it’s an easy way to show value upfront and uncover risks they didn’t know they had,” Abou-Nehme says.
Small businesses face significant cybersecurity risks, and many remain unprepared until it’s too late. This is a unique opportunity for MSPs to offer tailored, proactive cybersecurity solutions. These solutions not only protect businesses but also provide peace of mind. MSPs can guide small businesses through the complexities of cybersecurity by focusing on clear value propositions, easy-to-deploy solutions, and strong partnerships. Remember, it’s not about selling fear—it’s about empowering businesses to stay ahead of threats and operate securely in an increasingly digital world.
Photo: PeopleImages Yuri A / Shutterstock
