Your IT Guy Is Not Your Security Guy, And the Difference Could Cost You Everything

This week in a professional community group, an IT provider was weighing whether to take on CRM configuration work they were not qualified to do. The client already had other providers quoting $5,000 for the job. They wanted it done cheaper by the IT company they already pay.

A senior peer shut it down directly. His point was simple: taking on work outside your expertise is not a service to the client. It is a liability dressed up as a deal.

I want to talk about how this exact dynamic plays out in cybersecurity, because I compete with it daily.

There are IT providers and MSPs all over this country billing small businesses and nonprofits for cybersecurity services that consist of two things: backup software and a third-party EDR or MDR tool they resell. They configure both adequately, bill it as a security program, and the client goes to sleep believing they are protected.

Here is what that package does not include.

It does not include identity governance. It does not include network segmentation. It does not include conditional access policies that restrict where credentials can authenticate. It does not include dark web monitoring to catch leaked credentials before a ransomware group uses them. It does not include an incident response plan that has been tested, not just written. It does not include a risk assessment conducted by someone with actual security credentials who can stand behind the findings.

Backups are a recovery tool. EDR is an endpoint tool. Neither one stops a Qilin affiliate from walking in through an exposed VPN gateway with credentials they already have, moving laterally across a flat network, and exfiltrating a behavioral health nonprofit’s client records before encrypting everything.

The AMHC attack in Maine this month happened to a 60-year-old nonprofit with 5,500 clients. They almost certainly had some version of backup and endpoint protection. That did not prevent 5,500 people’s most sensitive personal information from ending up on a dark web leak site.

The client in that conversation was trying to save money by not paying the specialist. I understand that instinct. I have seen what it costs when the calculation goes wrong.

Your organization deserves to know the difference between an IT provider and a security provider. Those are not the same credential, the same training, or the same scope of work. The fact that the market has allowed them to blur together is a problem for every client who never thought to ask the question.

Ask it now, while you still have the choice.

The next time someone tells your organization it is covered on cybersecurity, ask them to walk you through the specific controls that would have stopped the AMHC attack or the Foster City attack. If the answer is “we have backups and EDR,” that is a starting point, not a security program.

The organizations that are actually reducing their risk are asking harder questions of their vendors, separating IT support from security expertise, and making sure that any document, policy, or framework that carries legal or regulatory weight was reviewed by someone who can stand behind what it says.

The cheap option is almost never cheap. It is just cheap until it is not.

Ask before it is too late.

What specific controls does your current provider have in place that would stop a ransomware group from moving laterally through your network after compromising one endpoint? If the answer references backups, ask again. If they cannot answer the second time, you have your answer.

My Take: “We Do Cybersecurity” Is the Most Dangerous Sentence in the SMB Market Right Now

Let me be direct about something that I see regularly and that I think deserves to be said plainly.

There are IT providers, good people, technically capable people, who are billing clients for cybersecurity services they are not qualified to deliver. Not because they are dishonest, but because the market has rewarded them for adding “cybersecurity” to their service list, the tools are easy to resell, and the client never asks a follow-up question.

The result is a client who believes they are protected, a provider who believes the tools are doing the job, and a gap between those two beliefs that a ransomware group will eventually find.

I hold actual credentials in this field. I understand what a real security assessment looks like, what an incident response plan needs to include to actually function under pressure, and the difference between a tool configured correctly and one installed and forgotten. That expertise took time and investment to build. It cannot be replicated by reselling an EDR platform or asking AI to generate a policy template.

The organizations I work with deserve to know the difference between IT support and security expertise. If your current provider cannot clearly articulate the governance and identity controls that sit underneath their tools, that is a gap worth closing before someone else finds it.

NexSecure Solutions exists to fill exactly this gap. Real security expertise, independent of your IT support relationship, with the credentials and experience to back up what we recommend. If you want an honest assessment of what you actually have in place, let’s talk.
