top of page


  • Sponsored by ConnectWise

How to respond to 5 common objections SMBs have to cybersecurity services

Cybersecurity is one of the hardest variables to control as user error becomes more prevalent across businesses everywhere. Unfortunately, many SMBs who work with managed service providers (MSPs) assume they are safe and protected and are therefore not taking proper precautions. As an IT professional who understands the threat landscape and the risks that exist, how can you navigate the challenge of selling your security services while simultaneously empowering your clients to take preventive measures into their own hands?

Selling cybersecurity services is a delicate dance between overcoming common objections and educating your clients. Many small-and-medium-sized businesses (SMBs) are not hyper-aware of IT security prevention best practices. Therefore, they are under the misconception that they shouldn’t be too concerned about their businesses, leading them to object to having an MSP on their side. Having that frame of mind is risky, and MSPs need to make a valid effort to help clients see the light.

As an MSP, you will help SMBs define and enhance their IT security strategy and navigate the turbulent cybersecurity landscape. After all, it is your mission to protect, support, and educate your clients. To do so, you need to meet their objections with the truth and help them shift their mindset around what it means to reach a business-grade security posture.

Here are five common objections to cybersecurity services and how to respond to them.

1. “My IT team has me covered.”

When it comes to cybersecurity, ignorance is not bliss. What your clients don’t know can and will hurt them. As an MSP, the best thing you can do is talk to your clients frequently and be completely transparent. Recent findings report that 94% of SMBs would change service providers for the right cybersecurity. So, constant communication with your client ensures that someone else doesn’t have a game-changing conversation with them before you do.

Lay out for them exactly what your service does and does not cover. Conduct security assessments least once a year so they understand their security position, and show them how vulnerable they are (for example, watch how easily this hacker breaks into a personal computer).

Don’t forget to educate your client on the measures they need to take to protect their network(s)—the burden doesn’t fall entirely on the MSP. Empower and train your clients to instill some basic cybersecurity measures into their daily culture. For instance, frequently remind them how important it is to use strong passwords. Show them the sheet below so they can see just how easy it is to break a password.

Sample Response: “IT teams are great sources of security, but there is much more that can be done on your end. It is imperative to create a cyber-safety procedure for your company to educate and empower your team members. Protecting your SMB from cyber-attacks is of the utmost importance, and it starts with you.”

2. “I don’t have the budget for security services.”

Many businesses—especially smaller ones—are understandably very budget-conscious and may presume that they don’t have enough wiggle room to add robust cybersecurity services to their plate. The truth is, paying for cybersecurity services is a tiny fraction of the cost it would take to recover from a cyberattack.

It’s estimated that a cyberattack could cost a small business an average of $2.98 million. That’s more than enough to put a small company out of business—and that’s the average cost of just one attack.

It is a stressful and necessary task to put together a budget for a business, but SMBs must prioritize cybersecurity services. The alternative is potentially losing the business altogether.

Sample Response: “While it may seem expensive, the cost of cybersecurity services is far less than the alternative – a data breach. If you are interested, I would be happy to walk through various plans that may be better aligned with your budget.”

3. “My data is not important to bad actors.”

It’s easy to fall under the notion that only large companies have data that’s worth stealing. However, that’s far from the truth. Whether it be employee records, information about clients, or financial details, every business has valuable data.

The important thing to remember here is that hackers don’t necessarily want someone’s info, they want to act on how important that info is to a business. In other words, they want to hold data ransom until they are paid big bucks to get it back.

Ransom is surging,with average payments around $812,000—an increase of 60% quarter over quarter, and reports say that ransom attacks are happening every 14 seconds.

A ransom payment is not the only point of concern here. What will it cost your client to go without access to their data or systems if they get breached? Can they survive five days without access?

Again, the ramifications of a random ransomware attack can be cause for a business going under.

Sample Response: “Every business has valuable data to someone. Even if you don’t believe your data is important, bad actors can hold your data over your head until they are paid to give it back. As crazy as it sounds, it happens. The best way to prevent the loss of data and money is by utilizing cybersecurity services.”

4. “A cybersecurity attack won’t happen to me.”

No one wants to believe they are going to be the victim of an attack. SMBs may think that they are less vulnerable to a cyberattack because they are not big or well-known, but if a business has any digital footprint, they are considered a target.

A recent study published by ConnectWise found that 76% of SMBs worldwide reported a cyberattack within the previous year. That number is startling, and is sure to continue rising.

The harsh reality is that we are all vulnerable, and we all need to put the proper cyber defenses in place to protect ourselves.

Sample Response: “Every business with a digital footprint is at risk for a cyber-attack. In fact, 2/3 of SMBs worldwide reported an attack in the last year. That is the last thing I would want for your company, or any SMB. As that number continues to rise, it is urgent to defend your business and data with cybersecurity services.”

5. “My firewall (or other technology) is enough.”

Businesses who rely too much on a single piece of technology to keep them protected play a dangerous game. The average hacker is in a network for 197 days before attacking. Your antivirus alone is not going to get the job done.

This is perhaps the most challenging objection for MSPs to overcome because their clients assume their firewall and MSP services cover all bases.

The truth is, the combination of a great technology stack, professional security services, AND employee best practices are what’s needed to protect your house. This is where the educational piece of the puzzle plays a major role. Clients need to understand what they are responsible for versus what their MSP partner is responsible for versus what their software can and can’t cover.

Once a business makes it super difficult for anyone to infiltrate their system, they also need to have an incident response plan in place to help mitigate and recover from an attack.

Sample Response: “While your firewall and MSP services protect your business from various threats, cybersecurity services along with those security measures are the best way to protect your business from an attack. Unfortunately, your firewall and other technology may not be enough to defend against a serious cyberattack.”


We’re living in a world where cyberattacks are the new normal. With attacks on the rise, cybersecurity services are no longer a nice-to-have for a business but are a must-have.

As an MSP, it’s your job to talk to your clients and make sure they are fully aware of how well they are covered. Only 43% of MSPs have risk conversations with their clients on an ongoing basis. Having risk-focused conversations positions you as a trusted adviser and not just a vendor. To get to that trusted adviser level:

  • Meet objections with facts so prospects and clients have a true understanding of the current threat landscape

  • Educate and empower your clients to believe in the power and necessity of cybersecurity

  • Remain knowledgeable and certified in all-things cybersecurity

  • Communicate frequently so all stakeholders are armed with the tools they need to be successful

Need more help handling cybersecurity objections from your clients? Join the Partner Program for educational resources, in-depth training, and community-based events that will deepen your knowledge and expertise.

If you are a current ConnectWise partner and would like access to the Partner Program and its Portal, click here. If you are new to ConnectWise and would like more information about joining our Partner Program, please complete this form.


bottom of page