The MSP’s Guide to Selling Microsoft 365 Security to Skeptical Customers

Jun 3, 2026 9:16:24 AM

Summary

Security is a tough sell when business owners believe breaches won’t impact them. MSPs who understand the most common objections and know how to address them are far more likely to convert these conversations into managed security contracts. To demonstrate the value of managed Microsoft 365 security services, cite real-world examples of security risks and highlight the potential ROI. inforcer enables MSPs to support these conversations with concrete findings from their prospects’ own Microsoft 365 environments.


Time to read

  • 8 minutes

What you’ll learn


  • How to address the most common customer objections to security investments
  • How to make the ROI case using breach cost data and real-world examples
  • How to use discovery questions to surface security pain points
  • How to run security assessments that make the case for you

Next steps

  • Book a demo to see inforcer’s assessment and reporting workflow in action
  • Run an efficient security assessment for your next prospect

Selling managed Microsoft 365 security services to customers who aren’t already worried about a breach can be challenging for MSPs. The most common objections aren’t especially difficult to address, but you need to come prepared.

Customers who push back on security investments aren’t usually indifferent to risk. They just haven’t been shown the right evidence that they need expert support. The gaps in their current posture haven’t been made clear to them. And in many cases, they can’t see the ROI that managed security services provide.

This guide walks through the most effective approaches for changing those conversations. You’ll learn how to handle common objections, how to use real-world examples and data to shift mindsets, how to surface pain points through the right discovery questions, and how inforcer can help your MSP make the case for ongoing managed services with evidence from the prospect’s own environment.


Common Customer Objections to Security Investments

Most objections to security spending follow recognizable patterns. Understanding what’s actually behind each one makes them much easier to address.

“We already did a security project a couple of years ago”

This objection usually reflects a genuine belief that security is a one-time investment rather than an ongoing discipline. The right response isn’t to dismiss the previous work but to contextualize it.

Threats evolve. Attack surfaces change every time a new device is enrolled, a new user is added, or a configuration drifts. Whatever was implemented two years ago may have been appropriate then; the question is whether it’s still effective now.

This is where a security assessment can do the talking for you. Rather than asking the customer to take your word for it, you show them the current state of their environment against a recognized framework. The findings either build trust by confirming that the previous work still holds, or reveal gaps that allow you to pitch your MSP as the solution.

“We’ve always done it this way and it works”

This is an absence-of-evidence objection. Nothing has gone wrong yet, so the prospect assumes that their current approach is sufficient. But security vulnerabilities often stay invisible until they’re exploited.

The most effective counter-argument here isn’t to argue about probability; it’s to show the potential cost of being wrong. The case studies below will be useful here. The goal isn’t to frighten the customer but to help them understand that “it’s worked so far” is not the same as “it works”.

“We don’t have the budget or time for this right now”

Budget objections are often really priority objections. Security competes with other spending, so businesses are unlikely to invest if they can’t understand the ROI. The response here is to shift the conversation from cost to risk: what does a breach cost compared to what prevention costs?

For customers on Microsoft 365 Business Premium, there’s an additional angle: they’re likely already paying for security tools they’re not using. Show them how much they can save by making full use of the features they already have instead of continuing to pay for redundant third-party antivirus or device management programs, and they’ll likely be much more receptive.

Why “It Won’t Happen to Us” Isn’t a Security Strategy

Of course, some business owners simply assume cyberattacks are someone else’s problem. This is a particularly dangerous perspective, but presenting a few data points tends to shift it quickly.

According to IBM’s 2025 Cost of a Data Breach Report, the global average cost of a data breach is $4.44 million USD. For many SMBs, a loss of this kind represents an existential event rather than a mere setback.

Critically, SMBs are not a secondary target for attackers. They’re often a preferred one, precisely because they tend to have weaker defenses than larger enterprises, less incident response capability, and less ability to absorb a financial hit. The assumption that attackers have bigger fish to fry is demonstrably wrong.


The ROI of Security: Cost of Breach vs. Cost of Prevention

The question MSPs need to be asking their prospective customers is: what does it cost to maintain proper security controls, versus what does it cost when those controls fail?

For customers on Microsoft 365 Business Premium, the prevention side of that equation is easy to justify. Intune, Defender for Business, Entra ID P1, and Conditional Access are all included in the license, so the cost of configuring and managing them properly via an MSP is a fraction of what it would cost to respond to a breach.

MSPs can also offset a portion of these costs by helping customers consolidate their tech stack. Showing a customer on Business Premium how to make full use of that license allows them to stop paying for third-party tools that duplicate capabilities they already have.

The conversation should never be about whether your prospect can afford security. It’s about whether they’re getting full value from what they’re already paying for, and whether they understand the potential price they’ll have to pay if something goes wrong.

The Costs of Poor Security Posture: Two Case Studies

These two examples are particularly useful because they’re recent, well-documented, and speak to different customer segments: one a mid-sized business your prospects will recognize themselves in, and one a household name that illustrates reputational damage in terms anyone can understand.

Knights of Old: How One Weak Password Ended 158 Years of Business

KNP Logistics was the parent company of Knights of Old, a UK haulage firm that had been operating since 1865. In June 2023, they were hit by a ransomware attack carried out by the Akira criminal group. The entry point was a single weak employee password that was simply guessed.

The attackers encrypted KNP’s critical business data, destroyed its servers, backups, and disaster recovery systems, and demanded a ransom reported to be in the region of £5 million. The company couldn’t raise it. Unable to meet its financial reporting obligations to lenders and with no viable path to recovery, KNP entered administration weeks later. Seven hundred and thirty people lost their jobs. The company’s premises were eventually sold off.

KNP’s director later said the company believed it was in a good place in terms of its security protocols. Preventing the breach would not have been expensive. It would have only required simple fixes like proper password policies and multi-factor authentication. The company simply hadn’t implemented them properly.

Marks & Spencer: Proof that “Too Big to Fail” Doesn’t Exist in Cybersecurity

Marks & Spencer has long been one of the UK’s most recognised retail brands. But in April 2025, the company was hit by a ransomware attack that halted online clothing orders for more than six weeks, disrupted contactless payments and in-store stock systems, and forced the company to revert to manual processes across its supply chain.

The financial impact was severe: M&S estimated approximately £300 million in lost operating profit. Its stock market value dropped by more than £1 billion in the days following disclosure. Half-year statutory profit before tax fell by 99%.

But the more relevant part of this story for our purposes is what happened to M&S’s customers and what it meant for the brand. Empty shelves, failed transactions, and a weeks-long inability to shop online weren’t just a technology problem. They were a customer experience problem that played out publicly, in the news, and at the dinner table. M&S’s competitors, including Next, explicitly credited the attack for boosting their own sales as customers whose confidence had been shaken moved on.

M&S is a large company with significant resources, and it managed to survive. But for a smaller business, a breach visible enough that everyday customers talk about it and take their business elsewhere often doesn’t have the same ending. Reputational damage is a cost that doesn’t appear in breach reports, but that doesn’t mean it’s insignificant. In fact, it tends to outlast everything else.

Let the Assessment Make the Argument

Persuasive security conversations are grounded in your prospect’s everyday business environment. Conducting an effective Microsoft 365 security assessment surfaces the specific gaps in a given tenant, benchmarks their posture against your chosen security framework, and presents the findings clearly so that next steps become obvious.

inforcer enables your MSP to offer these assessments free of charge as a way of demonstrating value and building trust, which sets you up for success when pitching long-term managed security services. Our platform cuts the entire assessment process down to minutes rather than hours or days and allows you to generate customer-facing reports in just a few clicks.

Read our full guide to running effective M365 security assessments for a detailed walkthrough of what to evaluate and how to present your findings.

Positioning Security as a Business Enabler

One reframe that works well with customers who see security as overhead is to position it as something that enables the rest of the business to operate with more confidence.

Proper security controls:

  • Reduce the likelihood of disruption
  • Make it easier to meet compliance requirements
  • Unlock potential savings by identifying redundant tools

The consolidation angle is particularly useful with budget-conscious customers. Rather than asking for additional spend, you’re showing them how to get more value from a license they already have and potentially reduce what they’re paying to other vendors in the process.

Discovery Questions That Surface Security Pain Points

Asking the right questions early in a conversation can shift it from feeling like a sales pitch to feeling like a diagnostic by trusted experts. These examples are frequently productive:

  • How many different security or IT tools are you currently paying for outside of your Microsoft 365 license? Do you know which of those are already covered by Business Premium?
  • When did you last have someone review whether your M365 environment is configured to the settings Microsoft recommends?
  • If an employee’s account was compromised tomorrow, how quickly would you know, and how would you contain it?
  • Have you had any unusual login activity, failed access attempts, or anything that felt like it might have been a near-miss in the last year or two?
  • Do you know what your Microsoft Secure Score currently is?

Using inforcer to Offer More Reliable and Consistent Results

inforcer gives MSPs a meaningful advantage when pitching managed security services to business customers.

  • Running tenant assessments through the platform takes minutes instead of the hours required to conduct them manually
  • Gaps are easily surfaced and clarified via the platform’s built-in reporting capabilities
  • Once customers are onboarded, the inforcer dashboard provides a single-pane view of every tenant’s alignment with your chosen security standards and instantly alerts you when drift occurs
  • Remediating misaligned configurations or permissions can be achieved in minutes, without logging into individual tenants or even leaving the dashboard

Turn Skepticism Into Signed Contracts

The business owners who push back hardest on security investments are often the ones who need it most. They’re also the most likely to become long-term managed security customers once you can demonstrate the value of these services to them. All your MSP needs to do is supply the data and framing that makes your pitch relevant to their specific environment.

inforcer gives you both. Book a demo to see how MSPs like yours are using it to facilitate the conversations that win long-term business.
