Can MSPs Still Make Money on Patch Management?

Platforms like Atera's all-in-one remote management solution enable automated patch management, discovery and IT inventory of enterprise networks.

Courtesy of Atera

Tougher data laws and the growth of cyber-attacks have combined to make effective patch management as important as ever for enterprises of all sizes.

Roughly 85 percent of successful exploits involve unpatched machines, according to a recent alert from the U.S. Computer Emergency Readiness Team, a division of the Department of Homeland Security.

But for many SMBs, gaining the security and compliance benefits of thorough patch management can be a particular challenge.

"SMBs are generally aware of the consequences of not patching," according to a blog post by David Weeks, channel strategy manager for N-able by SolarWinds. "Unfortunately, the way they go about patching is outdated, with many still doing the task on their own or having a technician install patches manually across their workstations and devices on an irregular, ad hoc basis."

An under-resourced IT operation can struggle to keep track of all the servers and endpoint devices – many increasingly mobile, much less stay atop the various operating systems and applications, and which ones are due for patching.

As a result, just over a third of SMBs (36 percent) bother to patch their machines at all, according to a new blog by tech publisher Doug Barney, citing a survey by the U.K.'s Federation of Small Business.

Infrequently patched products from lesser-known, third party developers can be particularly problematic. But even software from Microsoft, known for monthly patch releases, is vulnerable to cyber-attack, Barney explains.

"The patch itself fixes a vulnerability, and, as a result, defines and then exposes that vulnerability," his blog said. "It usually takes hackers only one to four days to release an exploit attacking that hole."

Opportunity for MSPs

The problem seems a ripe market for competent managed service providers (MSPs).

Modern automated patch management tools can quickly and easily discover all relevant devices, their operating systems and applications, and determine which are in need of patching and updating.

The better management platforms automatically find the patches from the Internet, test them for software conflicts and install them on the appropriate machines.

But MSPs often decide it's not that simple – nor worth the effort – to win that business.

"The challenge for most MSPs is that while patching is a relatively low-cost service to deliver, on its own, it does not offer high enough margins to sell as a standalone managed service," wrote Weeks, the channel strategy manager. "As a result, patching is usually available only as part of a more comprehensive service offering that is too expensive for most SMBs."

Patch management has become a commoditized service, to be sure.

Research from Kaseya's 2016 MSP Pricing Survey found that 90 percent of firms that experienced growth of 20 percent or more offered security services that included patching and updating.

It was the most prevalent offering among "high-growth" MSPs.

Still, some argue that an opportunity does exist for MSPs that properly market patch management and updating services.

Mandates on data security imposed by laws like the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act (SOX), and Federal Rules of Civil Procedure (FRCP), are putting new pressures on SMBs to prioritize cybersecurity.

Weeks suggests MSPs with automated tools can offer patch management and updating in a manner that is "low effort and high return."

"Some remote monitoring and management solutions, such as N-able's N-centralplatform, allow MSPs to offer 'freemium' licenses for select services to help them get a foot in the door," Weeks wrote in his blog. "Free monitoring probes can be deployed throughout a customer's network, gathering the data necessary to paint a clear picture of the company's current patching status and where vulnerabilities need to be addressed."

That free consultation can pay well in the long run.

"MSPs can win their customers' trust and eventually sell them on a solitary recurring service to fix their current vulnerabilities and keep them secure moving forward – an approach that is likely to be much more appealing to them than a costly, full-blown managed service package," Weeks said.

In that way, he says, MSPs can generate a long-term revenue stream from a purely reactive customer who would otherwise be unlikely to buy managed services at all.

Send tips and news to MSPmentorNews@Penton.com.

Source: Can MSPs Still Make Money on Patch Management?