
MSP cybersecurity: the 39% problem

39% of MSPs cite keeping up with cybersecurity as their biggest day-to-day challenge. When breach costs hit $4.44M globally, the gap between marketing and capability needs scrutiny.

14 min read · Published 22 Sept 2025 · Updated 17 Oct 2025

The capability gap

39% of MSPs cite keeping up with cybersecurity as their biggest day-to-day challenge[2], even as 81% of organisations rate it a high priority[1]. The gap matters: when breaches hit, the cost averages $4.44 million globally and takes 241 days to identify and contain[3].

33% of organisations lack resources to adequately staff their security teams[5]. The MSP is supposed to fill that gap, but if the MSP itself is struggling, the gap just gets relocated, not closed.

What MSPs commonly oversell

  • EDR/XDR coverage, labelled as deployed, but exclusions and offline endpoints not disclosed
  • Patching SLAs, quoted in days, but critical-asset segmentation not in scope
  • Identity hygiene, privileged access reviews quoted quarterly, executed annually if at all
  • Backup verification, tested for restoration on production-similar systems, not just file-existence checks
  • Incident response, quoted but never tabletop-tested against a realistic scenario
  • "Enterprise-grade security", used freely, despite only 61% of MSPs maintaining ISO 27001 or SOC 2

What independent validation looks like

Independent validation is not a penetration test (which tests controls that you assume exist). It is the verification that controls exist in the first place, function as described, and are being maintained as the contract requires. From direct operational experience inside MSPs, the gap between contracted and delivered security is rarely small[4].

If your MSP cannot produce an audit trail of last quarter's privileged access reviews, you do not have an oversight problem. You have an assurance problem.
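
One way to check the first oversold item, EDR/XDR coverage, is to reconcile a client-owned asset inventory against the MSP's agent export. This is an added example, not Behind The SLA's tooling; the record fields (`host`, `last_seen`, `exclusions`), the 7-day staleness threshold and the sample data are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data: client asset inventory and an MSP's EDR agent export.
# Field names are hypothetical; map them to whatever your EDR console exports.
INVENTORY = ["fin-ws-01", "fin-ws-02", "hr-lt-07", "dc-01", "sql-01", "kiosk-03"]
EDR_EXPORT = [
    {"host": "fin-ws-01", "last_seen": "2025-10-16T09:00:00+00:00", "exclusions": []},
    {"host": "FIN-WS-02", "last_seen": "2025-09-01T12:00:00+00:00", "exclusions": []},
    {"host": "hr-lt-07", "last_seen": "2025-10-17T08:30:00+00:00", "exclusions": []},
    {"host": "dc-01", "last_seen": "2025-10-17T08:45:00+00:00", "exclusions": []},
    {"host": "sql-01", "last_seen": "2025-10-17T08:50:00+00:00", "exclusions": ["D:\\Data\\*"]},
    {"host": "lab-vm-9", "last_seen": "2025-10-17T08:55:00+00:00", "exclusions": []},
]

def edr_coverage(inventory, export, now, max_age_days=7):
    """Compare 'agent installed' coverage with coverage that is actually effective."""
    if not inventory:
        raise ValueError("inventory is empty; coverage is undefined")
    known = {h.lower() for h in inventory}
    agents = {r["host"].lower(): r for r in export}  # hostnames compared case-insensitively
    cutoff = now - timedelta(days=max_age_days)
    missing, offline, excluded, effective = [], [], [], []
    for host in sorted(known):
        rec = agents.get(host)
        if rec is None:
            missing.append(host)       # no agent at all
        elif datetime.fromisoformat(rec["last_seen"]) < cutoff:
            offline.append(host)       # agent installed but not reporting
        elif rec["exclusions"]:
            excluded.append(host)      # assumption: any exclusion needs review
        else:
            effective.append(host)
    total = len(known)
    return {
        "reported_pct": round(100 * (total - len(missing)) / total, 1),
        "effective_pct": round(100 * len(effective) / total, 1),
        "missing": missing, "offline": offline, "excluded": excluded,
        # Agents on hosts the client does not know about: an inventory gap.
        "unknown_agents": sorted(set(agents) - known),
    }

if __name__ == "__main__":
    as_of = datetime(2025, 10, 17, 12, 0, tzinfo=timezone.utc)
    for key, value in edr_coverage(INVENTORY, EDR_EXPORT, as_of).items():
        print(f"{key}: {value}")
```

On the constructed data, the "deployed" figure and the effective figure differ, and the three lists name the endpoints to raise with the MSP.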

Research sources

Evidence-based, transparently sourced.

All statistics and research findings on this page are supported by authoritative sources. Behind The SLA is committed to evidence-based advisory and transparent methodology.

  [1] CompTIA. (2024). State of Cybersecurity Report.
      81% rate cybersecurity as high priority; only 7% have fully implemented AI in security operations.
  [2] Kaseya. (2024). MSP Benchmark Survey.
      39% of MSPs struggle to keep pace with cybersecurity requirements.
  [3] IBM Security. (2024). Cost of a Data Breach Report.
      Average global data breach cost: $4.44 million (US: $10.22 million); 241 days average to identify and contain.
  [4] Behind The SLA. (2025). Direct operational experience with MSP security implementation gaps.
  [5] ISC2. (2024). Cybersecurity Workforce Study.
      33% of organisations lack resources to adequately staff security teams; 28% have integrated AI tools into operations.

Methodology Note: Behind The SLA conducts independent research validation for all published statistics. Where proprietary research is cited, it is based on aggregated, anonymised data from client engagements spanning 15+ years of MSP industry experience.
