How to prove security's worth (without fear mongering)?

Howdy y’all,

We’re a 5-man MSP that mostly supports SMBs and non-profits; a mix of accounting and medical offices, transport industry, educational, and religious non-profits. I.e., organizations that often don’t have that much spare capital at hand. We’ve built things to match our customers’ budgets, but that can only go so far when looking at the writing on the wall - identity attacks, port scanning, password cracking, etc. I see countless ways these issues can be mitigated, but most - if not all - of them involve raising costs for customers.

So therein lies the question: What methods of cost-benefit analysis do you deploy/convey to your customers for more-costly security features (e.g. M365 Business Premium licenses, Bitwarden, Mimecast/IRONSCALES, Meraki security/syslog licensing)?

You can throw Wazuh into that mix. It’s a powerful XDR and SIEM. It will help with security at a low cost. Or however much you want to charge them for that service.

I would estimate the cost of a recovery and how long it would take to complete it. If they are down for a week, they still have to pay employees who most likely won’t be doing much without a computer. So things like lost revenue, cost of services to recover, and pay to employees add up quickly.

Minimal good security at a good price point for the endpoints is Huntress and Windows Defender. M365 Business Premium licenses, Bitwarden, and Mimecast are all good choices, but also make sure you have the conditional access policies properly set to avoid the potential for session token stealing.

I also have a post here covering our Client Defense Matrix: The MSP Stack We Use to Defend Our Clients

Suricata or Snort on the firewalls? Step it up to Zenarmor? Zenarmor is supposed to give a “next generation” firewall to things like pfSense and OPNsense; it’s a fairly young company (2017). https://www.zenarmor.com/