COLUMN: Why MSPs Have To Fight Apathy And Become Cybersecurity Pack Rats
CRN Executive Editor Jennifer Follett says diligent documentation can make or break a MSP’s cyber resilience efforts.
What do you think MSPs see as the No. 1 barrier to selling cybersecurity solutions in today’s environment?
It’s not the complexity of security products. It’s not staffing issues. It’s not even customer budget constraints.
It’s apathy—customer apathy toward cyber risks.
That’s according to research presented by Kaseya at the Xchange March 2025 conference, hosted by CRN parent The Channel Company, which said that 49 percent of survey respondents selected customer apathy as a top barrier to cybersecurity sales. That was far ahead of the No. 2 choice, complexity of cybersecurity products, at 38 percent.
People are just so bludgeoned by the constant barrage of data breaches, ransomware attacks and warnings about ever-escalating cyber risk that they are becoming numb to it all.
I see it in myself when yet another missive arrives in the mail notifying me that my data might have been compromised in the latest breach of (insert name of health/financial/consumer services provider here). I’m not even outraged anymore, I just sigh and stick the letter in a file folder.
But make no mistake about it: Apathy is a pitfall that MSPs absolutely have to avoid themselves, particularly when it comes to building up cyber resilience through diligent documentation.
That thread—the importance of MSPs documenting everything from security solution decisions to cybersecurity events and activities to customer risk acceptance—ran throughout the conference.
“Logs are cheaper than lawyers,” said Brittany Deaton, senior sales engineer at Sophos, in one of the pithier lines on the topic delivered from the XChange stage. Drawing on her years of experience working in incident response, Deaton told the audience that the key to minimizing liability in a case where a customer does get breached is being able to establish whether or not the bad actors were actually able to steal information.
“If you have data that proves that you don’t have exfiltration, you’re going to be in a really good situation,” said Deaton, while recommending that solution providers “deploy your sensors everywhere.” “The more data you have, the easier it is for us to put the pieces together, and if we can prove that [there was] no exfiltration of data, it’s a lot cheaper to manage that situation,” Deaton said.
Bruce McCully, chief security officer at Galactic Advisors, delivered this sobering statistic during his keynote: “Today, on your way here, you were 17 times more likely to have a ransomware event than get pulled over by a police officer for speeding. And how many of you speed?”
As the impact and likelihood of ransomware attacks rise, so too does the risk exposure of MSPs, he said.
“At some point, someone will break through your defenses, and when they do, you want to have reasonable explanations for the decisions you made when you went through and built this [solution] out,” McCully said.
Documentation becomes increasingly important as cyber insurance companies become more stringent. Forty-four percent of cyber insurance claims are denied, and failure to document preventative measures is one of the contributing factors, McCully said.
It’s also important to document the times when a customer does not heed the MSP’s cybersecurity advice, he said.
“Recommend the solutions they need; if they don’t move forward, document their poor decisions. And if you have clients with cyber insurance, ask yourself if you will be the one on the hook if they have an event.”
The key takeaway is this: MSPs need to become pack rats when it comes to keeping logs of what’s going on in their customer environments, documenting preventative measures taken to protect themselves and their customers and tracking the instances where customers elect not to implement the recommended security posture.
While it might seem tedious, it’s something MSPs need to remain vigilant about.
Because guess who’s not apathetic about cyber risk: the bad actors who are coming for you and your customers.
