From clinics to contractors, small businesses hold the keys to payrolls, portals and supplier data, and attackers know it. In this Perspectives piece, Cybersecurity Technical Fellow Roddy Bergeron explains why overlooking SMB security puts everyone at risk, and how the channel can reset the standard around outcomes that prove resilience.

Stop pretending the castle stands when the village burns

If you work in this channel, you already know the truth we keep soft-pedaling: enterprise programs fail the minute a small partner becomes the entry point. We parade frameworks and tool stacks on stage, and then one compromised mailbox with silent forwarding rules unravels an entire relationship.

SMBs aren’t a niche. They are the economy. Contractors, clinics, schools, specialty manufacturers, professional services shops. They sit on payroll data, health records, intellectual property, supplier portals and the vendor access enterprises grant because business must move. That access is the adversary’s shortcut.

One 2025 case showed a hijacked RMM letting an intruder fan out into three downstream tenants before the SOC cut it off, and industry reporting the same year documented Microsoft 365 compromises driven by inbox-rule manipulation and vishing. None of those victims had “weak” stacks on paper. They had thin operations, delayed detection, noisy alerting, and no one on the hook for decisive response. That’s not a tooling problem. That’s a responsibility and accountability problem.

The channel owns this. If we keep treating SMB security as optional, we’re not just failing small businesses, we’re weakening the supply chain that depends on them.

SMBs are leverage, not “small”

Attackers don’t chase brand prestige; they chase ROI. The math is obvious:

  • Less friction. Smaller teams mean fewer eyes on telemetry and longer gaps between suspicious activity and action.
  • Rich data. A 40-person accounting firm holds enough tax and payroll detail to power weeks of fraud, BEC and identity abuse.
  • Amplifiers everywhere. MSP tools, vendor portals, supply-chain APIs—one foothold turns into many.

When a 70-person fabrication shop is locked by ransomware, it’s not just one company’s downtime. It’s a line stoppage two tiers up, penalty clauses, potential regulatory fines, and reputational damage rippling across an industry. When a regional MSP is pivoted through, you don’t have “a breach”; you have a broadcast.

Treating those events like isolated SMB incidents is how we normalize systemic risk. The village is the firebreak. If we let it burn, the castle goes next.

Can enterprise SOCs actually absorb upstream risk from smaller partners?

I hear this from large programs: “Our perimeter, our controls, our SOC will catch supplier fallout.”

That assumption breaks in three places:

  1. Access happens upstream of you. If an attacker owns a supplier mailbox, they own the context you trust—POs, invoices, shipping updates. They aren’t breaching your firewall; they’re replying in thread.
  2. Paperwork isn’t a control. We love vendor questionnaires because they’re measurable. Attackers love them because they’re meaningless. “MFA enabled” is not an outcome if push fatigue or malicious OAuth grants walk right past it.
  3. Time beats tools. The delta between first malicious action and the first human looking at the right signal is where damage compounds. Businesses don’t fail because they lack features; they fail because no one contained the thing that mattered, in time.

Enterprise security doesn’t “absorb” SMB risk. It inherits it. If your suppliers and partners can’t detect, contain, and prove, your controls will meet the attacker after the attacker has already been trusted.

What outcomes define a defensible security program?

Thought leadership that stops at “SMBs matter” is useless. Here’s the scorecard I expect any defensible SMB program—or any MSP claiming to deliver one—to put on the table. This isn’t marketing theater. It’s the minimum viable accountability the channel should demand.

1) Mean Time to Detect (MTTD)

If you discover business email compromise because a customer complains about a fake invoice, you didn’t detect; you were notified. Near-real-time identity and mailbox signal is non-negotiable. A detection window measured in hours, not days, changes the economic outcome every single time.

2) Mean Time to Respond (MTTR)

Containment is the only metric that matters after detection. Disable the account, revoke tokens, kill persistence, rotate secrets, restore integrity. If your playbook requires a war room and six approvers, you built for theater, not survival. Same-day containment is the standard.

3) Dwell time

Attackers don’t need a month to hurt an SMB. They need an afternoon. Every extra day inside is another day of silent forwarding, credential lifting, persistence planting and lateral staging. If dwell time crosses 24 hours, you’re stretching your luck and your insurer’s patience.
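As an added illustration of the three timing metrics above (not code from the article or from Sherweb), the script below computes MTTD, MTTR and dwell time from a constructed incident timeline and checks each against the thresholds the piece argues for. It also applies the article's distinction between detection and notification: an incident a customer reported is excluded from MTTD. The hour thresholds and the sample incidents are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean


@dataclass
class Incident:
    name: str
    first_malicious: datetime   # first malicious action in the tenant
    detected: datetime          # first human looking at the right signal
    contained: datetime         # account disabled, tokens revoked, persistence killed
    detection_source: str       # "internal" (own telemetry) or "external" (customer complaint)


# Constructed sample timeline; not real incident data.
INCIDENTS = [
    Incident("mailbox forwarding rule", datetime(2025, 3, 3, 9, 0),
             datetime(2025, 3, 3, 11, 30), datetime(2025, 3, 3, 15, 0), "internal"),
    Incident("BEC fake invoice", datetime(2025, 4, 10, 8, 0),
             datetime(2025, 4, 15, 10, 0), datetime(2025, 4, 16, 12, 0), "external"),
    Incident("hijacked RMM session", datetime(2025, 5, 20, 2, 0),
             datetime(2025, 5, 20, 6, 0), datetime(2025, 5, 20, 9, 0), "internal"),
]


def hours(delta: timedelta) -> float:
    return delta / timedelta(hours=1)


def mttd_hours(incidents):
    """Mean first-malicious-action -> detection, internal detections only:
    a customer complaint is notification, not detection."""
    own = [i for i in incidents if i.detection_source == "internal"]
    return mean(hours(i.detected - i.first_malicious) for i in own) if own else None


def mttr_hours(incidents):
    """Mean detection (or notification) -> containment."""
    return mean(hours(i.contained - i.detected) for i in incidents)


def dwell_hours(incidents):
    """Mean first-malicious-action -> containment, i.e. time the attacker had."""
    return mean(hours(i.contained - i.first_malicious) for i in incidents)


def scorecard(incidents, mttd_max=24.0, mttr_max=24.0, dwell_max=24.0):
    """Thresholds are assumptions read off the article: detection in hours not
    days, same-day containment, dwell under 24h. Averages hide outliers, so the
    per-incident dwell breaches are listed too."""
    mttd = mttd_hours(incidents)
    return {
        "mttd_h": mttd, "mttd_ok": mttd is not None and mttd <= mttd_max,
        "mttr_h": mttr_hours(incidents), "mttr_ok": mttr_hours(incidents) <= mttr_max,
        "dwell_h": dwell_hours(incidents), "dwell_ok": dwell_hours(incidents) <= dwell_max,
        "externally_notified": [i.name for i in incidents if i.detection_source != "internal"],
        "dwell_breaches": [i.name for i in incidents
                           if hours(i.contained - i.first_malicious) > dwell_max],
    }
```

Running `scorecard(INCIDENTS)` shows the averages passing on detection and response while the single externally reported incident blows the dwell-time bar, which is exactly the kind of case the averages alone would hide.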

4) User resilience

I don’t care how pretty the LMS looks. If users still click everything and report nothing, you bought posters. Show behavior change: declining phish success, rising user-generated reports, faster internal escalation. That’s the human control surface that actually moves risk.

5) Audit-ready evidence

Boards, customers, regulators and carriers don’t buy promises. They buy proof. If it takes you a week to assemble logs and screenshots after an incident, you’re gambling with renewal and reputation. “Evidence pack in minutes” is not a luxury; it’s table stakes for the modern SMB.

The point of this scorecard isn’t to sell a framework. It’s to reset the conversation from “what’s deployed” to “what’s delivered.” If you can’t show movement on these five, the rest is noise.

What MSPs, vendors, distributors and insurers must change

Everyone in our ecosystem has a job here. None of them involve another slide of product logos.

MSPs: Prove the outcome

MSPs are the operators of record. That comes with accountability. The channel shouldn’t accept SKUs as a strategy. We should expect MSPs to publish their operating model: who triages, how fast, how containment is authorized and where the human is in the loop. Without commitments backed by evidence, an MSP isn’t selling security; they’re reselling hope.

Vendors: Design for constraints, not aspirations

If your “SMB version” assumes a full-time analyst, you built for yourself, not the customer. Ship default-quiet detections that point to decisions. Collapse configuration paths. Produce evidence, not exports. Charge for value, not volume.

Do: prioritize identity signals, kill-chain-adjacent detections, safe-by-default response, report packets a manager can actually use.
Don’t: pretend a feature parity matrix is “supporting the channel.”

Distributors & Marketplaces: Curate signal over catalog

More is not better. Stop celebrating how many items are in the aisle and start owning the outcomes your stack can deliver together. Bundle to operations, not to discounts.

Insurers: Reward proof, not paperwork

If you want risk to go down, pay for it to go down. Replace “gotchas” with incentives: lower premiums for demonstrated detection/containment performance; playbooks exercised, not imagined.

Regulators & large buyers: Write to the operator you actually have

A 50-person firm can’t implement a defense department spec. Calibrate. If you want a safer supply chain, require outcome evidence aligned to size and risk, not copy-paste controls the SMB will never truly run.

This is what leadership in the channel looks like: choosing the hard thing—operations and outcomes—over the easy thing—announcements and alignments.

The real test is speed and proof

“But we already covered pillars.” Good. This isn’t pillars.

You’ve heard me talk about stacks and operational discipline before. This isn’t a retread. Pillars and best practices matter, but the channel has a habit of hiding behind them. What I’m asking for here is simpler and harder: pick the handful of outcomes that define whether a small business survives contact with a real adversary and align everything you sell or support to those outcomes.

This is not about perfect coverage. It’s about decisive advantage: faster detection, faster containment, less room for quiet persistence, humans who escalate instead of hesitate and proof that convinces the people who write checks and policies.

How quickly can smaller programs show meaningful progress?

Here’s the point: when the channel delivers real support, SMBs can show progress faster than most people expect. The key is focus. Think tight execution in the few areas that shift attacker economics. A defensible program comes from steps that can be proven, not years of theory.

  • Identity first. Enforce MFA, cut stale privileges, kill legacy auth. The next suspicious login should be spotted and contained the same day.
  • Endpoints quiet by default. Run curated detections that point to decisions. Prove you can contain a test incident in under an hour.
  • Evidence on demand. Produce an incident pack in minutes, not days. Show customers, regulators, and insurers you can back up your claims.

When those conditions shift, you don’t just have “better hygiene.” You have proof: detection is faster, containment is tighter and resilience is visible to everyone who matters. That’s the bar the channel should hold itself to.

What we should stop doing (because it’s costing SMBs real money)

  • Buying noise and calling it visibility. If your stack creates more questions than decisions, it’s debt.
  • Confusing configuration with operations. A control unmonitored is a control you don’t have.
  • Treating training like theater. If behavior doesn’t change, you ran a seminar, not a control.
  • Equating exports with evidence. Screenshots and CSVs are not how you convince an auditor or a carrier.
  • Celebrating catalogs. Choice without curation is how small teams drown.

How resilience is earned

Security that ignores SMBs isn’t security. It’s a nice story that ends the moment somebody forwards a poisoned invoice from a trusted domain.

The channel has to move first. MSPs need to show outcomes, not dashboards. Vendors need to build for the operator that actually exists. Distributors need to curate to decisions, not to margin. Insurers need to reward provable progress. Large buyers and regulators need to ask the only question that matters: Can this small partner detect, contain, and prove—fast?

We do not need another press release. We need a measurable drop in dwell time across the long tail of the economy. We need fewer “we found this by accident” moments and more “we caught it and killed it the same day.” We need proof.

Until the forgotten majority is fully included, every enterprise strategy is—by design—brittle. The village keeps the castle standing. Treat it that way.

If you want to know whether an SMB program is defensible, start with the scorecard above. Put names and times next to each line. In three months, look at the numbers again. If they moved, you’re delivering security. If they didn’t, you’re selling theater.

Written by Roddy Bergeron, Technical Fellow, Cybersecurity @ Sherweb

Roddy Bergeron's career has taken various paths including government auditing, nonprofit work, public/private partnerships with the State of Louisiana, helping build an MSP by building their managed service, managed security, vCISO and compliance programs, and now as the Cybersecurity Technical Fellow with Sherweb. Roddy has obtained many certifications over the years including his MCSE, CCNA:Security, CEH, CCSP, CISSP and CSAP. Our MSP community is extremely important to Roddy and he loves giving back to the community that has helped him out so much over the years. Roddy hopes to continue to help other MSPs succeed and raise the cybersecurity tide for our industry.