How MSPs should talk to clients about SaaS data protection and security

One of the biggest and most dangerous misperceptions about software as a service (SaaS) is that SaaS applications and the data stored therein are inherently secure. They are not.

Unfortunately, many MSP clients think they are, and as a result, they fail to adequately secure their companies’ data. As an MSP, you have both a responsibility and an opportunity to talk to your clients about SaaS data protection and security gaps.

You have a responsibility because as a trusted advisor, you need to let your clients know that they’re opening themselves up to cyberattacks if they rely on SaaS security functions alone. You also have an opportunity to offer them cybersecurity capabilities that will actually keep their data safe.

It’s not just business owners who put too much faith in protection from SaaS vendors. A recent TechTarget survey revealed that a third of IT leaders who use SaaS rely only on their SaaS vendors to protect data. Unfortunately, that is not the case.

Microsoft 365 is a massively popular SaaS offering that counts more than three million companies as customers, including 1.4 million with 10 employees or fewer. Many customers likely think Microsoft 365 provides adequate backup and data protection. It doesn’t.

Research from Acronis shows that attacks on Microsoft 365 are on the rise. And Microsoft’s reputation for cybersecurity also took a hit in early 2024 after nation-states successfully attacked both Microsoft itself and its Exchange Online email environment, a component of Microsoft 365. Plus, built-in security for Microsoft 365 doesn’t include all of Microsoft’s own security features. They come with added subscription costs.

Even the most sophisticated version of Microsoft 365 doesn’t provide complete data protection, which it acknowledges in its Services Agreement:

“We strive to keep the Services up and running; however, all online services suffer occasional disruptions and outages, and Microsoft is not liable for any disruption or loss you may suffer as a result. In the event of an outage, you may not be able to retrieve Your Content or Data that you’ve stored. We recommend that you regularly backup Your Content and Data that you store on the Services or store using Third-Party Apps and Services.”

It’s really a pretty simple declaration: Microsoft isn’t responsible for customers’ data and never claimed to be. In fact, it recommends that customers should back up data with a third-party app or service.

Most SaaS vendors have a similar policy on data protection, as TechTarget notes succinctly: “The SaaS vendors are not responsible for your data, they will not back it up for you and there are no magical backup people doing it for you.”

Data backup is a critical component of data security. Should an organization suffer a breach, it’s in a much better position to recover before any damage occurs if the organization can rely on backed-up data in a pre-breach state. SaaS vendors, in general, do not try to provide adequate backup.

Armed with the numbers in this post, you have plenty of data to make your case to clients. But while your clients need to understand the risks they don’t even know they’re facing, your message as an MSP should be one of hope.

Here’s what you can communicate:

The easiest part of all of this is you don’t have to exaggerate or embellish stories or facts to make the gaps in SaaS security sound threating. They really are threatening and scary — and they’re very real. Just tell your clients what you know and they probably don’t.

This is an important distinction. SaaS vendors — some of which you might have chosen for your clients — aren’t doing a bad job of offering complete data protection. They don’t do it, never did do it and don’t claim to do it. What they do, they do very well. That just doesn’t include reliable SaaS security and data protection.

A disaster recovery plan is only as strong as the ready availability of clean data after an attempted cyberattack. Again, SaaS vendors don’t provide backup. As an MSP, with the right tools in place, you can. And that leads to the last communication tip.

It’s unlikely that most of your clients understand anything beyond the basics of technology — and sometimes not even that much. It’s important to communicate with them in layperson’s terms, using the simplest and most direct explanations possible. If your clients want to know more about how you protect them, they’ll ask, but it’s much more likely that they’ll trust your expertise.

Acronis Cyber Protect Cloud enables you to grow your business by providing complete cybersecurity to clients without having to cobble together and manage multiple disparate applications. Rapid, uncomplicated deployment capability lets you get started protecting clients quickly and without stretching your resources.

Acronis Cyber Protect Cloud handles all the data protection and security your clients think SaaS apps are handling, plus much more. With a single, natively integrated solution, you can provide your clients with comprehensive cybersecurity services, filling in the gaps SaaS vendors leave in cybersecurity.

Your clients already trust you to run at least some of their IT services, and there are few services you can provide that are as critical as cybersecurity. It’s not only a potential revenue driver; it’s also a way for you to get closer to your clients and gain their trust. And if they really are relying on SaaS vendors for security, they need your help right away.