MSPs sometimes tell us that selling security solutions to their customers is challenging. We know selling security solutions can be made easier, by using the right approach. In this blog I will cover how you can convince your customers.
Shift to SMB
Most MSPs serve Small & Medium sized Businesses (SMB) as their clients, with, let’s say up to 10 employees. Because of their size these businesses mainly focus on local clients, or on a specific target group. So their company name isn’t well-known across their whole country. Because of this they might think that they are not an interesting target for hackers or cyber criminals, because “we are just an unknown small company”. But nowadays that’s the main reason why they are very interesting for cyber criminals.
A few years ago, cyber criminals by and large only attacked large(r) companies to install ransomware to encrypt documents and complete systems. They did this because larger companies had the funds to pay large sums of money to get their data back and continue with their workflows. Payments often ran up to 500.000 euros or more. Very interesting for cyber criminals indeed. But nowadays those larger companies know that they really need the security solutions to protect their data and workflows. Most of them even have their own inhouse security specialists whose job is to protect the company for cyber criminals.
So cyber criminals changed their focus on smaller unknown companies, exactly because those companies still mostly think cyber criminals won’t attack them as mentioned above. And since these kind of companies mostly don’t have the right cyber protection in place yet they quite a lot easier to attack. Also, cyber criminals nowadays can attack a lot of smaller companies at the same time. Cyber threats have become so advanced it takes way less time than trying to attack 1 large company. When they attack these smaller companies they need to ask for smaller amounts obviously, let’s say 10.000 euro to 20.000 euro, but at the bottom line the results can still be the same when all these smaller companies add up.
Advise and add value
As an MSP you can add value by advising your clients. They trust you to be the expert, and it’s up to you to inform your clients about what has happened in terms of cyber criminals targeting SMBs and advise them on cyber protection solutions that ensure they can continue with their work with data protection in place.
Another thing our partners tell us that, even when the client knows about the threat of cyber attacks, the conversation too often ends being about the immediate costs of implementation. A SaaS-license for a cyber security solution might be 10 euros per employee per month, depending on the solution chosen. Even if a client only has 10 employees, that still adds up to 100 euro per month. Quite a lot for a smaller SMB company.
It’s not about ‘if’, it’s about ‘when’
The solution is to shift the conversation from immediate costs, to potential costs and benefits. Compare cyber security to insurance or burglar alarms. Your not really paying for the times when you don’t use the insurance or the alarm not going off. You are investing because they help protect you when you do need them to. It’s a small investment for something with a certain amount of risk that it could happen in the future, combined with very high cost if it does happen and you don’t have the right protection in place. Its the same for cyber security solutions. That 100 euro per month can help protect the client for 100 months when the cyber criminals ask for 10.000 euro. And that is just the ransomware payment, it doesn’t include the major cost of downtime, reputation damage and the risk of paying and still not getting a key to decrypt company data.
It’s up to you as an MSP to advise your clients, and make sure they get the information they need to make the right decision. Increasingly not just from a business perspective, but also from a legal perspective. Maybe this sounds a bit strange, but in the Netherlands a judge recently concluded that the MSP can be held responsible in case of cyber attacks if the client is properly informed about risks and solutions. In this particular lawsuit the MSP for a client who got attacked couldn’t prove that he had advised his customer to protect themselves against cyber attacks and the client refused their proposal. The MSP ended up paying for the damages his client sustained.
I hope this article helps you guide you to properly advise your clients when it comes to cyber security. When you want to know more about offering Vade’s email security solutions, also have a look at this blog on the Vade website.