For managed IT service providers working to bring a cybersecurity offering to market, it’s serendipitous that “cybersecurity” is at the tip of every small-to-midsize business’ (SMB) tongue… right? With hacks hogging headlines, small businesses will instinctively run to their MSP for security guidance and enhanced protection—in a perfect world. The reality is, the high frequency of debilitating data breaches has spawned a numbness to cyber attacks. The majority of SMBs today actually think they don’t need managed security services. That’s a major hurdle for aspiring MSSPs to overcome.
So, where does the answer lie? In the way you’re able to communicate with these skeptical SMBs. Once you and your client come to a cybersecurity strategy you can agree upon, you’re golden. And it all starts with flipping their perspective on what security really means.
Tell Them Something New
The reason many of your SMB clients don’t want to talk security with their MSP is that there are a number of myths flying around.
“SMBs have nothing worth taking.”
“Attacker groups won’t waste time on SMB targets.”
“The tools I have in place will protect me.”
The truth of the matter is that SMB targets align with hackers’ goals of: theft of funds, ransom data and exploitation of sensitive information. There is a clear misalignment on the definition of security, which subsequently limits upsell and increases risk. This brings the role of the consultative MSP to the forefront, which can be spearheaded with cybersecurity education and risk assessment.
What’s the Real Risk?
Oftentimes, when clients object to your security sales pitch, they think they’re already sufficiently secure; however, they aren’t actually aware of where they stand on a risk level or what acceptable risks are. People tend to think by default that you’re telling them about risks they’ve already detected, but if identified risks aren’t mapped to the client’s desired state, there’s a serious gap in the plan. So, how do you bring that to life for prospects and clients to get their buy in?
Map Out the Plan
From a transparent and eye-opening conversation will come an effective cybersecurity plan. It’s all about spinning the prevalence of cyber-attacks in a way that will change the way your clients think about what they actually need.
For example, you can highlight that a typical end client gets attacked multiple times per day, and basic security effectively roots out hundreds or even thousands of possible attacks—but is that one attack that gets through too much for your business to handle? Or, you could help the client plan for the worst case scenario. If they get ransomed, then what? The answer might be: we’d have to restore from backup, which we only perform once a day—so you could potentially lose 24 hours of work or the system could be down for several hours. Again, what is the acceptable risk? What would the business impact be if the system was down for a few hours and you lose 24 hours of data? If this is unacceptable for the health of the business, you should work with your client to reduce that specific risk.
And remember, not all clients will be at the level of maturity that they will want security. In that instance, just focus on the smaller items they do need and continue working with them on education to help them understand the real risks of other things longer term.
The Beauty of Alignment
A successful security conversation and partnership hinges on true alignment. You’ll be set if you commit to:
- Properly defining security
- Setting expectations with clients
- Providing regular training and support
- Tying true risks to desired outcomes
The topic of managed security services doesn’t have to feel burdensome. It’s your duty as an MSP to lead the security charge with validation.
Handpicked for you:
By Lily Teplow
By Brian Downey
By Dave LeClair