Another source of structural security weaknesses among many SMEs is that SMEs are unlikely to possess a single, coherent owner of security policy within their organisation, meaning that their security posture is in practice determined by multiple decision makers who are not necessarily coordinated and who may not be prioritising security. As a Security Advisor, we offer to act as the owners of your security posture, within your organisation. This takes the burden off other actors, such as MSPs, who end up as de facto security leaders yet who may not have the authority to manage your security properly, or who may not desire the responsibility of doing so.
To see why a single owner with a bird's-eye view matters, consider a common situation. An SME commissions a marketing and customer-communications system through its website. The developer building it needs the system to send mail from the company's address, so they add an SPF record authorising the new sending service - correctly, since otherwise that mail is flagged as spam. Separately, and just as correctly, the company's MSP hardens its email against impersonation with a strict DMARC policy, telling the world to reject any mail claiming to come from the company that isn't authenticated under its own domain - exactly how you stop attackers spoofing your address in phishing campaigns.
Neither supplier has erred, yet together they break something. The marketing mail authenticates under the sending platform's domain, not the company's, so under the new DMARC policy it no longer aligns and silently stops arriving - no error, just customer emails vanishing, which to the business looks like a broken marketing system rather than two suppliers working at cross purposes. The proper fix, authenticating that mail under the company's own domain, is split between both parties: the developer must enable it on the sending platform and supply the details, and the MSP must publish them in the company's DNS. If the MSP tries to solve it unilaterally, their only lever is to weaken the DMARC policy it just deployed, reopening the domain to the spoofing it set out to prevent.