
Why Your MSP's Cybersecurity Promises May Be Empty: The 39%[2] Problem

Updated October 2025

Analysis of why 39%[2] of MSPs struggle to keep pace with cybersecurity requirements, how to audit whether your security controls actually exist, and what independent verification should include.

Key figures: 39%[2] of MSPs struggle to keep pace with security requirements; 73%[1] of organisations outsource IT security to MSPs; the average cost of a data breach in 2024 was $4.45 million[3].

The Dangerous Assumption

After 15+ years inside multiple Australian MSPs, I have witnessed a troubling pattern: clients assume their MSP is implementing the security controls they are paying for, when in reality, many controls exist only on paper.

With 73%[1] of organisations outsourcing IT security to MSPs, and research showing 39%[2] of MSPs struggle to keep pace with cybersecurity requirements, this creates a dangerous gap between promised and delivered security.

The average data breach now costs $4.45 million[3]. When your security controls do not actually exist, you are not just paying for nothing; you are exposing your business to catastrophic risk.

Why MSPs Fall Behind on Security

1. Skills Gap and Talent Shortage

The Problem: Cybersecurity evolves faster than MSPs can train staff or hire specialists.

The global cybersecurity skills shortage means qualified professionals command premium salaries. Most mid-market MSPs cannot afford dedicated security specialists, instead relying on generalist technicians with limited security training.

Insider Reality: In my experience across multiple MSPs, security training typically consisted of vendor webinars and product documentation. True security expertise (threat modeling, penetration testing, security architecture) was virtually non-existent among the frontline technicians implementing controls.

2. Cost Pressure and Margin Compression

The Problem: Security tools and services reduce MSP profit margins.

Many MSPs operate on thin margins (15-20%). Enterprise-grade security tools (EDR, SIEM, vulnerability scanning, security awareness training) cost money. When clients resist price increases, MSPs face a choice: reduce margins or reduce security investments.

Security Cost Reality:

EDR Platform: $8-15 per endpoint/month (reduces margin by 40-60%)
SIEM/Log Management: $2,000-5,000/month minimum
Security Awareness Training: $3-8 per user/month
Vulnerability Scanning: $1,500-3,000/month

3. Complexity Overload

The Problem: Security requires orchestrating dozens of tools and processes.

Effective cybersecurity is not a single product but an integrated system: endpoint protection, network security, email filtering, backup verification, patch management, access controls, monitoring, incident response, and more.

Most MSPs excel at break-fix and reactive support. Security requires proactive, continuous management across interconnected systems, a fundamentally different operational model.

4. The Invisible Problem

The Problem: Security gaps are not visible until a breach occurs.

When email goes down, everyone knows. When backups fail, users complain. But when MFA is not enforced, logs are not monitored, or vulnerabilities are not patched, nothing appears broken. Until the breach.

Critical Insight: This invisibility means security often gets deprioritised in favour of visible service delivery. MSPs focus resources on what clients complain about, not what protects them.

How to Audit Your MSP's Security Controls

Do not take your MSP's word that security controls are in place. Here is how to verify:

Endpoint Protection Verification

What to ask for:

  • Screenshot of EDR console showing all endpoints with active protection
  • List of any endpoints showing as offline or unprotected
  • Evidence of real-time scanning (not just scheduled scans)
  • Threat detection reports from past 30 days

Red Flag: MSP cannot provide this data within 24 hours, or shows endpoints that have been offline for extended periods without investigation.

Multi-Factor Authentication (MFA) Verification

What to verify:

  • Report showing MFA enrollment status for ALL users (not just admins)
  • Evidence that MFA is enforced (cannot be bypassed)
  • Conditional access policies documentation
  • Process for handling MFA bypass requests

Test: Ask the MSP to create a test account without MFA and try to access company resources. If successful, MFA is not properly enforced.
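The enrollment report you request above is only useful if you read it for the right thing: an account can be enrolled in MFA and still be able to sign in without it when enforcement is off or the account is excluded from the conditional access policy. The script below is an added example (not Behind the SLA's tooling) that reads a constructed CSV export with assumed column names and separates "enrolled" from "enforced", listing every account on which MFA could be skipped.

```python
import csv
import io

# Constructed sample (not real data): one row per account, shaped like an
# identity provider's MFA status export. The column names are assumptions.
SAMPLE_MFA_REPORT = """\
user,role,mfa_enrolled,mfa_enforced,excluded_from_policy
alice@example.com,admin,yes,yes,no
bob@example.com,user,yes,yes,no
carol@example.com,user,no,no,no
dave@example.com,user,yes,no,yes
erin@example.com,service,no,no,yes
"""


def parse_report(text):
    """Read the CSV export into a list of dicts, one per account."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_mfa(rows):
    """Separate 'enrolled' from 'enforced' and list every account MFA can be skipped on."""
    total = len(rows)
    enrolled = sum(1 for r in rows if r["mfa_enrolled"] == "yes")
    enforced = sum(1 for r in rows if r["mfa_enforced"] == "yes")
    # An account that is not enforced, or is excluded from the conditional
    # access policy, can sign in without a second factor regardless of enrolment.
    bypassable = sorted(
        r["user"] for r in rows
        if r["mfa_enforced"] != "yes" or r["excluded_from_policy"] == "yes"
    )
    not_enrolled = sorted(r["user"] for r in rows if r["mfa_enrolled"] != "yes")
    return {
        "total": total,
        "enrolled_pct": round(100 * enrolled / total, 1),
        "enforced_pct": round(100 * enforced / total, 1),
        "not_enrolled": not_enrolled,
        "bypassable": bypassable,
        # The standard is ALL accounts, so a single gap fails the check.
        "passes": not bypassable,
    }


if __name__ == "__main__":
    result = audit_mfa(parse_report(SAMPLE_MFA_REPORT))
    print(f"Enrolled: {result['enrolled_pct']}%  Enforced: {result['enforced_pct']}%")
    for user in result["bypassable"]:
        print("MFA bypassable:", user)
    print("PASS" if result["passes"] else "FAIL: MFA is not enforced for all accounts")
```

On the constructed sample, 60% of accounts are enrolled but only 40% are enforced, and three accounts (one never enrolled, one enrolled but unenforced, one service account excluded from policy) would pass the MSP's "enrollment" figure while failing the bypass test above.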

Backup and Recovery Verification

Critical checks:

  • Evidence of successful backups in past 7 days (screenshots, not claims)
  • Documentation of most recent restore test with date and outcome
  • Evidence that backups are immutable and offline/air-gapped
  • Recovery time objective (RTO) and recovery point objective (RPO) documentation

Insider Warning: I have seen numerous MSPs claim backups were working when they had been failing silently for months. Demand proof, not promises.

Patch Management Verification

What to request:

  • Report showing patch compliance percentage across all systems
  • List of any systems more than 30 days behind on patches
  • Evidence of testing process before production deployment
  • Emergency patching process for critical vulnerabilities

Benchmark: Industry standard is 95%+ compliance within 30 days for critical patches. Anything below 90% indicates significant risk.
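A compliance percentage on an MSP dashboard is hard to dispute unless you can reproduce it. The following added example (not Behind the SLA's code) computes it from a constructed per-system patch export with assumed column names: a system counts as non-compliant if its last successful patch run is more than 30 days before the report date or if any critical patch is still pending, and the result is rated against the 95% and 90% thresholds stated above.

```python
import csv
import io
from datetime import date

# Constructed sample (not real data), shaped like an RMM patch-status export.
# Column names and the "as of" date are assumptions for the example.
SAMPLE_PATCH_EXPORT = """\
hostname,last_patched,critical_pending
FS01,2025-09-28,0
APP02,2025-08-12,3
WS-014,2025-10-01,0
WS-022,2025-07-30,1
DC01,2025-09-30,0
WS-031,2025-09-15,0
"""
REPORT_DATE = date(2025, 10, 5)


def parse_export(text):
    """Read the CSV export into a list of dicts, one per system."""
    return list(csv.DictReader(io.StringIO(text)))


def patch_compliance(rows, as_of, window_days=30):
    """Return (compliance %, list of non-compliant systems).

    A system is non-compliant if its last patch run is more than window_days
    before as_of, or if any critical patch is still pending on it.
    """
    behind = []
    for r in rows:
        lag = (as_of - date.fromisoformat(r["last_patched"])).days
        pending = int(r["critical_pending"])
        if lag > window_days or pending > 0:
            behind.append({"hostname": r["hostname"],
                           "days_since_patch": lag,
                           "critical_pending": pending})
    pct = round(100 * (len(rows) - len(behind)) / len(rows), 1)
    return pct, behind


def rate_compliance(pct):
    """Map the percentage onto the benchmark: 95%+ meets it, below 90% is significant risk."""
    if pct >= 95:
        return "meets benchmark"
    if pct >= 90:
        return "below target"
    return "significant risk"


if __name__ == "__main__":
    pct, behind = patch_compliance(parse_export(SAMPLE_PATCH_EXPORT), REPORT_DATE)
    print(f"Patch compliance: {pct}% ({rate_compliance(pct)})")
    for system in behind:
        print(f"  {system['hostname']}: {system['days_since_patch']} days since last patch, "
              f"{system['critical_pending']} critical pending")
```

Ask for the raw export rather than the summary figure, then run this against it; on the constructed sample two of six systems are behind, which puts compliance at 66.7% and well inside the "significant risk" band.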

Security Monitoring and Response

Essential verification:

  • Evidence that security logs are being collected and retained
  • Documentation of security alerts generated in past 30 days
  • Process documentation for security incident response
  • Examples of how previous alerts were investigated and resolved

Critical Question: If a credential is compromised at 2 AM on Saturday, who receives the alert and what is the response time? If the answer is vague, monitoring is not adequate.

Independent Verification Framework

Do not rely solely on your MSP's self-reporting. Implement independent verification:

Quarterly Security Reviews

Engage independent security consultant to review:

  • Configuration of all security tools and controls
  • Effectiveness testing (attempt to bypass controls)
  • Gap analysis against industry frameworks (NIST, CIS Controls)
  • MSP security processes and documentation review

Third-Party Monitoring

Implement client-side visibility:

  • External vulnerability scanning (separate from MSP)
  • Uptime and availability monitoring from outside perspective
  • Dark web monitoring for credential exposure
  • Email security testing (phishing simulations)

Contractual Security SLAs

Require measurable security commitments:

Control                    SLA Target
Patch Compliance           95% within 30 days
Endpoint Protection        100% coverage, 99% uptime
Backup Success Rate        100% daily, tested quarterly
MFA Enforcement            100% for all accounts
Security Alert Response    Critical: 1 hour, High: 4 hours
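The "Security Alert Response" row of the table and the 2 AM Saturday question in the monitoring section above are the same check: measure time-to-response per alert and see whether out-of-hours alerts are handled at all. This added example (not Behind the SLA's tooling) evaluates a constructed alert log with assumed field names against the table's targets, treating an unacknowledged alert as still accruing time, and flags which breaches were raised outside an assumed 08:00 to 18:00 weekday window.

```python
from datetime import datetime, timedelta

# Targets from the SLA table: time to first response by severity.
SLA_TARGETS = {"critical": timedelta(hours=1), "high": timedelta(hours=4)}

# Constructed alert log (not real data). ISO timestamps in local time; the
# field names are assumptions. acknowledged=None means nobody picked it up.
SAMPLE_ALERTS = [
    {"id": "A-1001", "severity": "critical",
     "raised": "2025-09-13T02:04:00", "acknowledged": "2025-09-13T02:41:00"},
    {"id": "A-1002", "severity": "high",
     "raised": "2025-09-15T09:20:00", "acknowledged": "2025-09-15T15:05:00"},
    {"id": "A-1003", "severity": "critical",
     "raised": "2025-09-20T23:50:00", "acknowledged": None},
    {"id": "A-1004", "severity": "high",
     "raised": "2025-09-22T11:00:00", "acknowledged": "2025-09-22T12:30:00"},
]
REVIEW_TIME = datetime(2025, 9, 23, 9, 0)  # constructed: when the review is run


def outside_business_hours(ts, start_hour=8, end_hour=18):
    """Weekend, or outside the assumed weekday window (the 2 AM Saturday case)."""
    return ts.weekday() >= 5 or not (start_hour <= ts.hour < end_hour)


def evaluate_alerts(alerts, targets, now):
    """Measure time-to-response for each alert against its severity target."""
    results = []
    for a in alerts:
        raised = datetime.fromisoformat(a["raised"])
        ack = datetime.fromisoformat(a["acknowledged"]) if a["acknowledged"] else None
        # An unacknowledged alert keeps accruing time until the review moment.
        elapsed = (ack or now) - raised
        target = targets.get(a["severity"])
        results.append({
            "id": a["id"],
            "severity": a["severity"],
            "minutes_to_response": int(elapsed.total_seconds() // 60),
            "open": ack is None,
            "breach": target is not None and elapsed > target,
            "after_hours": outside_business_hours(raised),
        })
    return results


def sla_summary(results):
    """Counts a client can put in front of the MSP at the quarterly review."""
    return {
        "alerts": len(results),
        "breaches": sum(1 for r in results if r["breach"]),
        "open": sum(1 for r in results if r["open"]),
        # Breaches raised out of hours show whether after-hours coverage is real.
        "after_hours_breaches": sum(1 for r in results if r["breach"] and r["after_hours"]),
    }


if __name__ == "__main__":
    evaluated = evaluate_alerts(SAMPLE_ALERTS, SLA_TARGETS, REVIEW_TIME)
    for r in evaluated:
        status = "OPEN" if r["open"] else f"{r['minutes_to_response']} min"
        flags = ("BREACH " if r["breach"] else "") + ("after-hours" if r["after_hours"] else "")
        print(f"{r['id']} {r['severity']:8} {status:>10}  {flags}")
    print(sla_summary(evaluated))
```

Run this over the alert export the MSP supplies for the past quarter; a critical alert left open over a weekend, as A-1003 is in the constructed sample, is exactly the vague-answer case the monitoring section warns about, and it shows up here as an after-hours breach rather than as a reassuring average.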

The Bottom Line

With 73%[1] of organisations outsourcing security to MSPs, and 39%[2] of MSPs struggling to keep pace, assuming your security controls are in place is dangerous. The average breach costs $4.45 million[3], far more than the cost of independent verification.

Trust, but verify. Demand evidence, not promises. Implement independent monitoring. Your business depends on the security controls you are paying for actually existing and working.


Research Sources

All statistics and research findings on this page are supported by authoritative sources. Behind the SLA is committed to evidence-based advisory and transparent methodology.

  [1] CompTIA. (2024). 2024 State of Cybersecurity Report. Cited for: 73% of organisations outsource IT security to MSPs.
  [2] Kaseya. (2024). MSP Cybersecurity Benchmark Report. Cited for: 39% of MSPs struggle to keep pace with cybersecurity requirements.
  [3] IBM Security. (2024). Cost of a Data Breach Report. Cited for: average data breach cost of $4.45 million.
  [4] Behind the SLA. Internal research: 15+ years of MSP operations experience, 150+ security audits. Direct operational experience with MSP security implementation gaps.
  [5] ISC2. (2024). Cybersecurity Workforce Study. Cited for: cybersecurity skills shortage and MSP talent challenges.

Methodology Note: Behind the SLA conducts independent research validation for all published statistics. Where proprietary research is cited, it is based on aggregated, anonymised data from client engagements spanning 15+ years of MSP industry experience. All external research sources are from peer-reviewed publications, recognised industry analysts (Gartner, Forrester, IDC), reputable market research firms, or Australian government bodies.