What should be included in a security bundle to customers?

Considering the idea of offering a “security bundle” to your MSP clients?

This article will cover the pros and cons of security bundles, how to describe security value to your clients, and what you can include in a security bundle to ensure you don’t open customer environments up to risk. Let’s get this extremely secure but no less fun party started!

Why offer a security bundle at all?

Start talking about security bundles to a room full of MSPs, and you’re likely to split the crowd. Many MSPs will tell you that a security bundle is a bad move, making the idea of security seem like an optional add-on to clients. Instead, MSPs should wrap security up with their overall services, and not allow clients to opt out. After all, security impacts everyone, and in today’s heightened threat landscape, needs to be table stakes for all service providers.

However, on the other side of the coin, security bundles are a great way of spelling out exactly what you offer your clients in terms of security value. Instead of just saying $X per month which includes monitoring, reporting, patch management, security… leaving security as just another item on the list, describing disparate tools and technologies as parts of a security bundle gives you a chance to show off what you offer.

On top of that, there’s no doubt that while some security functionality is must-have (think patch management or MFA for example), other third-party tools need to be agreed by the customer, especially if they are going to come at a premium. In an ideal world your whole customer roster would have every security technology on the market, but if they are £5/endpoint/month, it’s going to be tough not to make the tools optional and keep your business attracting ideal customers.

How to discuss a security bundle with prospective clients

What you can do however, is to use the security bundle conversation as a way to understand how serious your customer is about security and risk management, and also how likely they are to take your advice and follow your lead when you offer best-practices for their IT environment.

As you go through the items in your security bundle, emphasize what you feel is essential, and then what is optional depending on budget or specific industry. For example a highly regulated industry may need tighter data security or compliance tools. A sign of a great prospective client is one who takes your advice and listens to your caution when you’re having that all-important initial discovery.

Your security bundle is your own… but here are some options to consider:

Far be it from us to mandate what should be included in your security bundle! After all, no one knows your clients better than you. Make sure to thoroughly research the risks out there today in your niche or for your clients, and then look for solutions that integrate well and fill those gaps. However, since you asked, ideas for extra security tools and technologies include:

 1. EDR/XDR: Endpoint Detection and Response should include anti malware, anti spyware, and anti ransomware, including against zero-day attacks. Speak to your customer about features such as 72-hour ransomware rollback to protect data, or a DNS filtering module for web security. EDR for MSPs should also include the ability to create customized templates that you can easily copy and share across profiles, to make secure onboarding just part and parcel of your business as usual.

 2. Backup: Data security is non-negotiable, but offering the best backup solution means having answers to a lot more than “do you back up our data?” Think about how you minimize data bloat, keeping costs low for cloud storage, and offering multiple deployment methods to keep up with industry best practices.

 3. Security Awareness Training: Heard that famous IT security quote, that until the year 4067, 3 million percent of cloud security breaches will be down to human error? (Ok, it’s 2025, and 99%, but still.) Security Awareness Training (SAT) is a powerful value add which could include anything from phishing simulations to gamified learning for secure code practices for DevOps teams.

 4. Email security: The other way to combat phishing scams and user error, is to never let the content get in front of the employees or customers to begin with. Think about opting customers into email security technology, for example anomaly detection in inboxes, AI-powered incident response which acts quickly over signs of malicious intent, and full scanning and protection before an email even arrives.

  5. Sandboxes/firewalls: Another option could be to offer next-gen firewall services for your customers, where all traffic is scanned and checked for malware before it enters your network. Software firewalls take over where perimeter firewalls left off, securing hybrid and cloud environments against signs of intrusion or malicious intent. Intelligent solutions will allow you to set up access control to allow certain traffic and block others, based on roles, users, location, and more.

Thinking about a security bundle? It’s all about the value you can offer

It’s true that if customers say no to in-built security as part and parcel of your MSP service, they may be putting their heads in the sand to today’s risk landscape. They might also be seeing security as just another added cost, and not understanding the importance of what to them is bells and whistles rather than the main event. Especially for customers who work in a non-technical field, this isn’t necessarily their fault.

Create a list of all of your security tools and tech, and then look to describe them in one of three ways.

• Group 1: Essential, and part of the bundled monthly price. If there’s push back on these – you’re in trouble.
• Group 2: Recommended, and available for an added security bundle fee. Here you hope that prospects take your advice and are happy to sign up.
• Group 3: Optional but best-practice, and available at added cost. Talk them through their options, and revisit at a regular cadence.

This approach will help you to get a better understanding of where your prospect or customer is in terms of their cybersecurity knowledge and journey, and how happy they are to take your advice and support moving forward.

Looking for more cybersecurity top tips? Try this guide to small business cybersecurity.