I said something on stage at XChange last week that made a lot of people in the room uncomfortable.

"Your smallest clients are your biggest risk."

Not your enterprise accounts. Not the ones with complex environments and demanding SLAs. The small ones. The 10-person firm. The 16-person office. The ones you quietly skip over when the security conversation comes up because you already know what they're going to say.

"We don't have the budget."

CRN picked up the talk and published a piece on it. I want to go deeper here because this is a conversation most MSPs are avoiding, and that avoidance is where the liability lives.

The Three Reasons You Skip the Small Client

Let's be honest about why this happens.

Reason one: you don't want them to leave. You know they're price-sensitive. You're already worried they think you're too expensive. The last thing you want to do is walk in with a security recommendation that adds to their monthly bill. So you don't bring it up. You tell yourself you'll get to it later. Later never comes.

Reason two: your team doesn't think it's worth the effort. The math doesn't feel right. A 12-person client isn't going to generate the same revenue as a 150-person account. So the recommendation doesn't get made. Not because anyone decided it was a bad idea. It just never made it to the top of the list.

Reason three: you made a financial decision on their behalf. This is the one that should keep you up at night. You decided they couldn't afford it. You never gave them the chance to say yes or no. You just assumed.

I've told the story before about the law firm owner in Nashville. Forty-person firm. Ransomware shut them down for weeks. Attorneys couldn't access files. Staff couldn't work. And then his IT company's engineer said the quiet part out loud: "You're experiencing this because you didn't have us install our Advanced Security tools. We prevent this for most of our clients."

The tool existed. They just never offered it to him. When I asked why, the answer was: "We figured he didn't have the budget."

They made a financial decision on his behalf without ever giving him the chance to make it himself. That's the Silent Gap. And it's happening right now in your client list.

Small Clients, Big Lawsuits

Here's what most MSPs get wrong about risk. They assume their biggest clients carry the most liability. More users, more data, more exposure. Makes sense on paper.

It's backwards.

Your biggest clients are more likely to have documentation. More likely to have policies in place. More likely to have gone through a compliance process. More likely to have evidence that someone was paying attention.

Your smallest clients have none of that. No acceptable use policy. No documented training. No incident response plan. No evidence that anyone ever had the conversation about what "protected" actually means.

And when something goes wrong, those are the clients with nothing to lose by pointing the finger at you. I mentioned on stage that a recent lawsuit against an MSP came from a 16-person organization. Not the big account. The small one.

Think about that. The client you spent the least amount of time protecting is the one standing in a courtroom saying you didn't do enough.

"We Don't Have the Budget" Is Not a Free Pass

When a client tells you they don't have the budget for security, that is not the end of the conversation. That's the beginning of it.

Because here's what happens when that client gets breached. An attorney shows up. Could be the client's attorney. Could be a plaintiff's attorney chasing a payout. Could be the insurance carrier. Could be a regulator.

And the first question they ask isn't about your firewall. It's not about your RMM. It's not about your stack.

The question is: "What did you have in place? Can you show me?"

If the answer is "the client said they didn't have the budget," that's not a defense. That's an admission. You knew the risk existed. You knew the client was exposed. And you didn't document the conversation, capture the risk acceptance, or provide an alternative path.

The cyber scum don't care about your client's budget. The attorneys don't care about your client's budget. The insurance carrier reviewing your E&O claim definitely doesn't care about your client's budget.

Show Them the Path

Here's where this gets practical. I'm not telling you to force a $267/month security program on a client who genuinely can't afford it. I'm telling you to show them the path.

Every client, regardless of size, needs three things at a minimum:

Their people need to be trained. Not once. Ongoing. With documentation that proves it happened.

Their policies need to exist and be acknowledged. An acceptable use policy that every user has signed. Not a template sitting in a folder. A living document with evidence of acknowledgment.

There needs to be a plan for when something goes wrong. An incident response plan that was built before the incident, not after.

That's Essentials. That's the starting point. And for the clients who say they can't afford it, you document that conversation. You capture the risk acceptance. You make them sign something that says "I was informed of the risk and chose not to act." Because that signature is what protects you when the attorney shows up.

But most of the time, when you actually show a small client what's at stake and what the path forward looks like, they say yes. As one MSP leader put it at XChange, clients eventually realize the cost of the solution is nothing compared to the cost of getting hit.

The problem was never their budget. The problem was that nobody showed them the path.

The Question You Need to Answer Today

Pull up your client list right now. Look at the bottom. The smallest accounts. The ones that haven't had the security conversation.

Ask yourself: if any one of those clients had a breach tomorrow and an attorney showed up asking for documentation, what would you produce?

If the answer makes you uncomfortable, good. You're paying attention.

Now do something about it. Start with five. Show them the path. Get them into Essentials. Document everything. Because the clients you're ignoring today are the ones who will be sitting across from you in a courtroom tomorrow.

And they won't care that you were trying to save them money.
