The number one business bad habit MSPs need to stop doing immediately
The N‑able Head Security Nerd, Lewis Pope, just published a blog outlining the top 25 cybersecurity bad practices demonstrated by MSPs today. To accompany his post, I wanted to add one more risky bad habit to his list. It’s something I commonly see being practiced by too many MSPs from a business perspective—allowing a customer’s budget to dictate what a cybersecurity offering should look like.
In light of the recent REvil ransomware attack on Kaseya, I feel MSPs should stop letting their customers dictate what they will and will not pay for when it comes to preventing, mitigating, and recovering from a security attack. In speaking with MSPs about the existing cybersecurity programs they offer their clients, many acknowledged there was a dire need for them to modernize and standardize them in order to improve their overall effectiveness in preventing and recovering from an attack. But often, the MSPs I spoke with would pre-object that they couldn’t make the required changes to their cybersecurity programs like they wanted because their customers wouldn’t agree to paying extra, or more, for the new recommended services.
I have lived in the world of customer service since I was nine years old. From running my own little paper route kingdom in my neighborhood to working at McDonalds for over a decade to working for one of the top financial institutions in Canada. With every organization, it was ingrained in me that the customer is ALWAYS right. But, in this particular circumstance, when it comes to cybersecurity and what is needed to best protect and mitigate security attacks, the customer is NOT always right and MSPs need to step up their sales skills to educate their customers on why these changes are critical for everyone involved.
Hoping that a breach will never occur or thinking you will just pay the ransom if you do get breached does not make for a good strategy. So, when your customers object to your new security offerings, instead of conceding and allowing them to maintain the status quo, here are some potential responses you can use to help manage those objections and turn them into sales wins for you.
1. “I thought I was already protected with your services. Now you are saying I’m not?”
A good response to this common objection would be: You were; but as the threat landscape evolves, so does the technology required to continue providing protection in order to keep ahead of the bad actors. This is a business to them, and they are making a lot of money as result. For example, in the recent REvil ransomware attack, they asked for the largest ransom payment ever—to the tune of $70 million! So, to ensure this doesn’t happen to you and your business, our security packages needed to change, and we now need to enforce stronger measures—not with you, but across all of our customers as well.
2. “Aren’t I already spending enough with you? I don’t have the budget for that. Your new program sounds too expensive.”
In the recent Coveware Consulting 2020 Ransomware Report, it stated the average ransomware payment in Q3 2020 was $233,817, while the average length of downtime was 19 days. These are startling statistics many business owners are likely not aware of. As their MSP, you need to educate your customer on what the true cost of an attack would be and have the ROI discussion around the complications and other costs that can arise by NOT enrolling in your new cybersecurity program. The monthly cost of your new security program will be peanuts compared to the customer getting breached, having their data be unrecoverable, and potentially being put out of business due to collateral damage and loss of reputation in their marketplace.
3. “I can get this program cheaper elsewhere.”
This is likely not the case since they are probably not comparing apples to apples. My fear would be that the competitor’s program is missing key features and services in their offering, resulting in significant gaps in the overall protection coverage for the SMB. There are five key layers that need to be considered when it comes to protecting an organization’s critical data: 1) The Perimeter/Internet level; 2) The Network level; 3) the End-User level; 4) the Applications level; and 5) the Device level. And when developing a comprehensive cybersecurity program, all five layers need to be addressed, where each layer requires its own set of specific security toolsets and services. So, if a competitor is saying they can deliver a cybersecurity program for far less than what you are going to charge them, I would be suspicious of what is actually being done across all five levels.
4. “I’m too small to be attacked. Something like that wouldn’t happen to my business.”
The idea here is that EVERYONE is vulnerable to being attacked—no business is immune. The SMB may not be the intended target, but bad actors might want access to the suppliers and vendors the customer has business dealings with causing the client to act as a potential gateway. So, in this instance, the customer needs to harden their network security to avoid becoming the weak link in the chain to their suppliers and business partners. Because if one of them is attacked—and it is discovered the bad actors were able to access the network and data via one of their partners—the customer will likely be dropped by that vendor, resulting not only in loss of revenue, but suffering the ramifications of a potential loss of reputation, trust, and respect within their marketplace.
So, if you find yourself practicing any one of these 26 risky bad habits as it relates to cybersecurity, my hope is that you can carve out time and commit to resolving them—not only for your customer’s sake, but for the safety, security, and longevity of your MSP business as well. Failing to stand your ground when it comes to implementing your desired and recommended cybersecurity programs and best practices could lead to a potential extinction event for both you and your customers.
Stefanie Hammond is the Head Sales and Marketing Nerd at N‑able. You can follow her on her LinkedIn and on Twitter at @sales_mktg_nerd.
© 2021 N‑able Solutions ULC and N‑able Technologies Ltd. All rights reserved.
The N‑able trademarks, service marks, and logos are the exclusive property of N‑able Solutions ULC and N‑able Technologies Ltd. All other trademarks are the property of their respective owners.
This document is provided for informational purposes only. Information and views expressed in this document may change and/or may not be applicable to you. N‑able makes no warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information contained herein.