In case you were wondering, working with an MSP can lower your overall cyber risk profile. If you have been reading about how MSPs are at higher risk of being attacked and wonder how both of those statements can be true at the same time, you have come to the right place.
MSPs do lower risk. Period.
Now, for the rest of you cyber security consultants, cyber insurance gurus, and other self-proclaimed experts whose expertise extends to the managed services profession, you may be scratching your heads and thinking to yourselves, ‘I thought MSPs were risky.” We have addressed this so-called conflicting theory that MSPs could both be the cause of risk and responsible for lowering risk. I would like to address this issue and try to explain why this conflict may occur at times and why MSPs reduce risk for their managed services customers.
First, We Define MSP
In my professional opinion, the belief that MSPs both are risky and can reduce risk to their customers can be most easily explained as follows: most successful security events leading to data breaches do not happen to MSPs but instead to break/fix companies. Now, nobody likes to think of themselves as a break/fix or reactive IT company, but the reality is, there are a lot of these types of companies operating today.
While we cannot prohibit reactive IT companies from calling themselves MSPs, we can define their behavior and delineate between how they operate compared to how MSPs (we will define this below) operate. The distinction between these two IT provider business models is everything! If you do not understand this difference, you will never understand the world of managed services and the evolutionary IT service delivery path all providers must travel.
Proactive vs Reactive
It would be simplistic to define MSPs as proactive and break/fix companies as reactive. While a true statement, we need to examine the business landscape more closely to fully understand how reactive IT companies evolve into providers of managed services.
Break/fix companies often possess similar characteristics as MSPs, which does make the identification process much more difficult. Break/fix companies can have RMM and ticketing tools, they can utilize recurring billing models, they can even call some of their offerings “managed services.”
Even having all these elements at play does not mean you are an MSP. It is how you use these attributes, the skills of your people, and the processes you invent (yes, I said invent) which define you as either a reactive or a proactive IT provider.

