With data breaches and cyberattacks reported widely in the media, you would be forgiven for thinking that the merest mention of ‘security’ would open all SMB doors (and budgets) to you.

Sadly, this is not proving to be the case.

Excessive media coverage seems to have produced in some SMBs the IT equivalent of ‘donor fatigue’: the more people banging the drum about security – the greater the tendency among your SMB audience to tune out.

According to a recent Datto survey:

“In 2017, 90% of MSPs are ‘highly concerned’ about the ransomware threat while only 38% of SMBs feel the same.”

Does this mean SMBs accept cyberattacks as the new norm, alongside reassurances such as:

• my business is too small to be hacked
• we don’t hold any sensitive data
• it’s not happened to me or any business I know
• we’ve paid for security so we don’t need any more

How can you make your customers and prospects more concerned? How do you make that first security conversation happen and be more likely to have a successful outcome?

The following seven pointers may help.

1. Identify the right businesses

It makes sense to start with the low-hanging fruit.

This may be found among your existing managed services customers who know and trust you (hopefully!) and are presumably predisposed towards you. As you are probably familiar with at least some of their current security arrangements, you are starting from an informed position. And, importantly, you know the people there – particularly the individuals most likely to be receptive to your advice.

If you are focussed on regulated vertical markets, such as healthcare in the US (HIPAA), financial services (Sarbanes-Oxley) or retail (PCI/DSS), compliance is an added security incentive. And regional regulatory drivers such as GDPR are driving data security. Businesses which need to demonstrate compliance are likely to be more receptive to a security conversation.

It’s probably also worth picking out businesses of a sufficient size and maturity level who are more likely to be able to take on board more advanced security layers.

2. Don’t start with a sales pitch

Don’t sell – ask questions and listen. You want your customers and prospects to open up about their current security arrangements, so you can discover:

• Their knowledge level of security threats
• Their assessment of their own risks
• Their awareness of vulnerabilities within the business
• The protection they currently have in place
• How quickly they could recover and resume business as usual in the event of an attack

3. Don’t presume a high level of knowledge

Like many MSPs, you may live and breathe security these days, but most SMBs do not. You may need to start the security conversation with simple questions, designed to identify gaps in their knowledge – questions such as:

• What version of your operating system are you running?
• How do you make sure you are on the latest version and how do you manage patches?
• Do you know which areas of your business are vulnerable to cyberattack or data breach?
• Are you aware of the different types of attack that you could suffer (malware, distributed denial of service (DDoS) attack, ransomware…)
• Do you know what impact one of these attacks would have on your business? For example, if all of your files were suddenly locked or personal data was stolen.
• Do you know what the cost of such an attack could be – financial and reputational?
• Have you carried out a comprehensive risk assessment recently?
• Are you bound by compliance regulations? If so, how often are you audited?
• Who manages security on a day-to-day basis?
• What security tools and procedures are in place currently?
• When was your last security audit/health check?

4. Offer something of value

Since there is a good chance that SMBs are not doing audits as often as they should, the offer of an ‘independent’ security assessment should be perceived of value.

For prospects, the offer of a ‘no commitment’ assessment of current security arrangements could be a very good way for you to get a foot in the door; while existing customers could be offered a security assessment as a ‘value-add’ part of the service. It is always worth offering a security assessment to existing managed services customers – if only to forestall competitors from making the offer first.

Your RMM provider may have tools that will help you carry out this assessment.

5. Don’t forget the people

Human error is one of the top causes of data breaches, so don’t restrict your security conversation to technology and tools.

In a recent study, 54 % of the SMBs surveyed pointed to a negligent employee or contractor as the root cause of a data breach experienced by their business. (Ponemon Institute)

Include questions about security training and how frequently it is run, as well as the resources that are available to keep staff informed about the latest threats and how to avoid them.

6. Walk the walk, don’t just talk the talk

You need to demonstrate that your own house is in order security-wise before you have that first conversation with customers or prospects. Everything you are telling them to do – you should already be doing yourself.

This includes:

• Having understood your own security challenges and how to overcome them
• Having the right tools to protect against the changing threat landscape
• Writing and following your own security policy, based on industry standards like ISO 27001 and NIST
• Setting out your cybersecurity management process and how it will be enforced
• Having the right skills available, in-house or through a partner

7. Get in first!

It may not be as easy as you would hope to pin down that first security conversation – but it’s a conversation you need to have. Your existing managed services customers are your competitors’ prospects – and they may be using security as an ‘in’ to ultimately dislodge your managed services.

So make time for that dialogue – before your competitors do.

Contact us if you would like to find out how partnering with Inbay for NOC and Service Desk can help your MSP business.