Security is a tough sell when business owners believe breaches won’t impact them. MSPs who understand the most common objections and know how to address them are far more likely to convert these conversations into managed security contracts. To demonstrate the value of managed Microsoft 365 security services, cite real-world examples of security risks and highlight the potential ROI. inforcer enables MSPs to support these conversations with concrete findings from their prospect’s own Microsoft 365 environments.
|
Time to read |
|
|
What you’ll learn |
|
|
Next steps |
|
Selling managed Microsoft 365 security services to customers who aren’t already worried about a breach can be challenging for MSPs. The most common objections aren’t especially difficult to address, but you need to come prepared.
Customers who push back on security investments aren’t usually indifferent to risk. They just haven’t been shown the right evidence that they need expert support. The gaps in their current posture haven’t been made clear to them. And in many cases, they can’t see the ROI that managed security services provide.
This guide walks through the most effective approaches for changing those conversations. You’ll learn how to handle common objections, how to use real-world examples and data to shift mindsets, how to surface pain points through the right discovery questions, and how inforcer can help your MSP make the case for ongoing managed services with evidence from the prospect’s own environment.
Most objections to security spending follow recognizable patterns. Understanding what’s actually behind each one makes them much easier to address.
This objection usually reflects a genuine belief that security is a one-time investment rather than an ongoing discipline. The right response isn’t to dismiss the previous work but to contextualize it.
Threats evolve. Attack surfaces change every time a new device is enrolled, a new user is added, or a configuration drifts. Whatever was implemented two years ago may have been appropriate then; the question is whether it’s still effective now.
This is where a security assessment can do the talking for you. Rather than asking the customer to take your word for it, you show them the current state of their environment against a recognized framework. The findings either build trust by confirming that the previous work still holds, or reveals gaps that allow you to pitch your MSP as the solution.
This is an absence-of-evidence objection. Nothing has gone wrong yet, so the prospect assumes that their current approach is sufficient. But security vulnerabilities are often only invisible until they’re being exploited.
The most effective counter-argument here isn’t to argue about probability; it’s to show the potential cost of being wrong. The case studies below will be useful here. The goal isn’t to frighten the customer but to help them understand that “it’s worked so far” is not the same as “it works”.
Budget objections are often really priority objections. Security competes with other spending, so businesses are unlikely to invest if they can’t understand the ROI. The response here is to shift the conversation from cost to risk: what does a breach cost compared to what prevention costs?
For customers on Microsoft 365 Business Premium, there’s an additional angle: they’re likely already paying for security tools they’re not using. Show them how much they can save by making full use of the features they already have instead of continuing to pay for redundant third-party antivirus or device management programs, and they’ll likely be much more receptive.
Of course, some business owners simply assume cyberattacks are someone else’s problem. This is a particularly dangerous perspective, but presenting a few data points tends to shift it quickly.
According to IBM’s 2025 Cost of a Data Breach Report, the global average cost of a data breach is $4.44 million USD. For many SMBs, a loss of this kind represents an existential event rather than a mere setback.
Critically, SMBs are not a secondary target for attackers. They’re often a preferred one, precisely because they tend to have weaker defenses than larger enterprises, less incident response capability, and less ability to absorb a financial hit. The assumption that attackers have bigger fish to fry is demonstrably wrong.
Learn More: Building a Productized Microsoft 365 Security Offering for Your MSP
The question MSPs need to be asking their prospective customers is: what does it cost to maintain proper security controls, versus what does it cost when those controls fail?
For customers on Microsoft 365 Business Premium, the prevention side of that equation is easy to justify. Intune, Defender for Business, Entra ID P1, and Conditional Access are all included in the license, so the cost of configuring and managing them properly via an MSP is a fraction of what it would cost to respond to a breach.
MSPs can also offset a portion of these costs by helping customers consolidate their tech stack. Showing a customer on Business Premium how to make full use of that license allows them to stop paying for third-party tools that duplicate capabilities they already have.
The conversation should never be about whether your prospect can afford security. It’s about whether they’re getting full value from what they’re already paying for, and whether they understand the potential price they’ll have to pay if something goes wrong.
These two examples are particularly useful because they’re recent, well-documented, and speak to different customer segments: one a mid-sized business your prospects will recognize themselves in, and one a household name that illustrates reputational damage in terms anyone can understand.
KNP Logistics was the parent company of Knights of Old, a UK haulage firm that had been operating since 1865. In June 2023, they were hit by a ransomware attack carried out by the Akira criminal group. The entry point was a single weak employee password that was simply guessed.
The attackers encrypted KNP’s critical business data, destroyed its servers, backups, and disaster recovery systems, and demanded a ransom reported to be in the region of £5 million. The company couldn’t raise it. Unable to meet its financial reporting obligations to lenders and with no viable path to recovery, KNP entered administration weeks later. Seven hundred and thirty people lost their jobs. The company’s premises were eventually sold off.
KNP’s director later said the company believed it was in a good place in terms of its security protocols. Preventing the breach would not have been expensive. It would have only required simple fixes like proper password policies and multi-factor authentication. The company simply hadn’t implemented them properly.
Marks & Spencer has long been one of the UK’s most recognised retail brands. But in April 2025, the company was hit by a ransomware attack that halted online clothing orders for more than six weeks, disrupted contactless payments and in-store stock systems, and forced the company to revert to manual processes across its supply chain.
The financial impact was severe: M&S estimated approximately £300 million in lost operating profit. Its stock market value dropped by more than £1 billion in the days following disclosure. Half-year statutory profit before tax fell by 99%.
But the more relevant part of this story for our purposes is what happened to M&S’s customers and what it meant for the brand. Empty shelves, failed transactions, and a weeks-long inability to shop online weren’t just a technology problem. They were a customer experience problem that played out publicly, in the news, and at the dinner table. M&S’s competitors, including Next, explicitly credited the attack for boosting their own sales as customers whose confidence had been shaken moved on.
M&S is a large company with significant resources, and it managed to survive. But for a smaller business, a breach visible enough that everyday customers talk about it and take their business elsewhere often doesn’t have the same ending. Reputational damage is a cost that doesn’t appear in breach reports, but that doesn’t mean it’s insignificant. In fact, it tends to outlast everything else.
Persuasive security conversations are grounded in your prospect’s everyday business environment. Conducting an effective Microsoft 365 security assessment surfaces the specific gaps in a given tenant, benchmarks their posture against your chosen security framework, and presents the findings clearly so that next steps become obvious.
inforcer enables your MSP to offer these assessments free of charge as a way of demonstrating value and building trust, which sets you up for success when pitching long-term managed security services. Our platform cuts the entire assessment process down to minutes rather than hours or days and allows you to generate customer-facing reports in just a few clicks.
Read our full guide to running effective M365 security assessments for a detailed walkthrough of what to evaluate and how to present your findings.
One reframe that works well with customers who see security as overhead is to position it as something that enables the rest of the business to operate with more confidence.
Proper security controls:
The consolidation angle is particularly useful with budget-conscious customers. Rather than asking for additional spend, you’re showing them how to get more value from a license they already have and potentially reduce what they’re paying to other vendors in the process.
Asking the right questions early in a conversation can shift it from feeling like a sales pitch to feeling like a diagnostic by trusted experts. These examples are frequently productive:
inforcer gives MSPs a meaningful advantage when pitching managed security services to business customers.
The business owners who push back hardest on security investments are often the ones who need it most. They’re also the most likely to become long-term managed security customers once you can demonstrate the value of these services to them. All your MSP needs to do is supply the data and framing that makes your pitch relevant to their specific environment.
inforcer gives you both. Book a demo to see how MSPs like yours are using it to facilitate the conversations that win long-term business.