I was on a call with the owner of an MSP the other day. Smart guy. He tells me, “We’ve got our Basic IT solution and our Advanced Security offering split out.” 

I nodded. 

That’s exactly how you should do it. 

Because let’s face it—when Karen from accounting goes price shopping, she doesn’t know the difference between an RMM agent and a rootkit. She sees a price tag. And if your services are all wrapped up in a mysterious “bundle,” Karen’s going to assume you’re the overpriced MSP trying to pull a fast one. 

Basic IT vs. Advanced Security makes the difference visible. 

Karen can finally see why the guy charging half your price is, in fact, selling half a solution. So far, so good. 

But Then He Dropped the Bomb 

“We’ve got some clients who just go with the Basic IT.” 

That’s not a red flag. That’s a time bomb.

Because here’s the truth MSPs hate admitting: If you’re supporting clients who’ve declined your security stack, you’re holding a lit stick of dynamite—and pretending it’s a flashlight. 

And when it blows up? You won’t just lose the client. You’ll be the one they sue. 

Not because you caused the breach. Because you let the breach happen. Because you supported them anyway. 

Let’s Be Crystal Clear 

Yes, you should unbundle Basic IT from Advanced Security. 

But no—Advanced Security is not optional. It is non-negotiable. It is the seatbelt in the car. The brakes on the downhill slope. The firewall between you and the courtroom. 

You don’t support clients who refuse it. 

Give them a risk acceptance document to show them you are serious. Then full stop. 

“But They Said It Was Too Expensive…” 

I’ve heard that excuse before. 

Here’s the fix: If they want to cut costs, pull back Help Desk, not Security. Help Desk costs you about $25/month. Pulling it out is manageable. You survive that. 

But removing your security stack? 

That’s like taking the airbags out of the car to save on gas mileage. 

It’s dumb. It’s dangerous. And when it goes wrong, you’ll be the one with a target on your back. 

So offer the downgrade—but only if it keeps Security in place. You’re not punishing them. You’re protecting them. And you’re protecting yourself. 

One More Thing… 

If you have an Advanced Security Stack but you haven’t tied it back to a framework? 

You’ve got a risk. A serious one. 

Because without mapping to a known control set—without aligning to a standard—your decisions are subjective. Your coverage is inconsistent. Your defense is paper-thin. 

And no, “We follow best practices” won’t hold up in court. 

You need a documented, defensible, mapped security program. 

Here’s What You Do Next 

Stop supporting insecure clients. Start defining security as a requirement, not an upgrade. And if you haven’t linked your stack to a framework? Fix that now. 

Need help? 

Schedule a Cyber Liability Assessment. 

We’ll help you: 

  • Lock in your stack
  • Map it to real controls
  • Build a defensible cyber liability program that protects you and your clients

Because the worst-case scenario isn’t losing the client.

It’s keeping them long enough to get blamed when everything goes wrong. 
