How MSPs Can Sell Cybersecurity to Overly Optimistic SMBs
Adrien Gendre
September 19, 2019
Stop me if you’ve heard this one before: “It won’t happen to us.” This is a common refrain among SMBs that are reluctant to invest in cybersecurity. Other objections to purchasing new cybersecurity solutions include “We’re too small to be a target” and “We have nothing they want.” SMBs might not have enterprise IT budgets, but there’s more going on here than budget consciousness.
Optimism bias is a psychological response in which people believe they’re more likely to experience good than bad outcomes. It’s also known as the “illusion of invulnerability”—in other words: being overly optimistic. While this mindset is a positive attribute to have when times are tough, it’s just plain naïve when it comes to cybersecurity.
Countering the objections
Convincing a client to spend on cybersecurity when they’re convinced they’re not a target will require you to provide some hard data and your client to confront some uncomfortable truths. Below is a list of the most common objections to purchasing new cybersecurity solutions and how to counter them:
“It won’t happen to me”
Many clients will profess that they’re simply not a target of cyberattacks. Whether it stems from optimism bias or misinformation, this perspective leaves your client vulnerable. When confronted with this objection, show your client the disparity between the number of SMBs that believe they won’t be attacked and the number of SMBs that are attacked.
- 51 percent of SMB leaders say they’re not a target of cyberattacks – Switchfast Technologies
- 67 percent of SMBs experienced a cyberattack in the last year – Ponemon Institute
“We’re too small to be a target”
A smaller IT budget, and therefore fewer IT resources, makes an SMB a highly attractive and even easy target. We’ve seen examples of this over the past few months when a number of local governments were hit with coordinated ransomware attacks. It’s precisely because they were small that they were attacked. Fewer IT resources mean local governments are easier to penetrate and likely don’t have the budgets or in-house expertise to recover quickly.
When most SMBs think of cyberattacks, they likely think of high-profile cases, including well-known breaches at Equifax, Target, Sony, and Facebook. Attacks on SMBs rarely make the news, contributing to the misinformation. To break through the “we’re too small” crowd, show them examples of why size is irrelevant:
- St. Ambrose Catholic Parish loses $1.75 million to business email compromise.
- Wichita State University employees lose paychecks in direct deposit spear phishing attack.
- Empire Industries manufacturing company watches ransomware infect systems in real-time.
- UK mid-market businesses lose £30 billion to cyberattacks.
“It’s too expensive”
A cybersecurity stack can certainly be costly, but so is a cyberattack. Just ask the City of Riviera Beach, FL, which paid $600,000 to retrieve its systems that were locked down in a ransomware attack. This is in addition to the $1 million they plan to spend on new computers and systems as a result of the breach. The attack is being blamed on an employee who downloaded the malware by clicking on a phishing link in an email.
Building a cybersecurity stack is best left to the experts—the MSPs. To encourage your clients to invest in cybersecurity, offer bundled solutions that could bring big savings while also maximizing efficiency, for both you and your clients. As a reminder for how expensive a breach could be, show them examples of the real costs to SMBs:
- The average SMB spends $1.3 million to recover from a cyberattack – Ponemon Institute.
- SMBs with 10–49 employees reported spending $41,269 to recover from a cyberattack – Continuum.
- Two-person startup with no website goes out of business after cyberattack – Wall Street Journal.
“We have nothing they want”
A big misconception about cybercrime is that hackers are always after the big payouts. That’s not always the case. A recent trend we’re seeing at Vade is multiple spear phishing attacks on the same target, each involving small financial transactions that add up over time. These attacks are more likely to go unnoticed for long periods of time because the payouts are small, giving the hackers more time and leeway to gain trust with victims and launch more attacks.
An SMB might not be worth billions, but their employees have plenty to offer, including passwords, personally identifiable information, and bank accounts. Finally, an SMB is often the backdoor to a bigger target: their customers. The Target breach of 2013 came as a result of a malware attack delivered via email to Fazio Mechanical Services, Target’s HVAC vendor. Target ultimately paid more than $400 million for the breach, and Fazio Mechanical Services became famous for all the wrong reasons. SMBs that think they have nothing valuable to steal might be interested in these statistics:
- 44 percent of SMBs experienced employee password breaches, resulting in more than $383,000 in recovery costs.
- SMBs that experienced a breach lost an average of 10,848 individual records.
- 58 percent of SMBs that experienced a data breach blamed negligent employees and contractors.
“We have cyber insurance”
That’s great news for the insurance company. Consider the recent ransomware case in Lake City, Florida, which resulted in a six-figure ransomware payout. According to an investigation by ProPublica, paying the ransom is cheaper for the insurance company because they do not have to reimburse victims for business costs (downtime, loss of productivity, new systems) or pay litigation fees or the public relations fees associated with repairing reputation damage.
Having cyber insurance isn’t an excuse to have poor cybersecurity. While many policies will pay for litigation fees, ransomware payments, and new computer systems, they may not cover the business losses associated with cyberattacks.
In the case of Lake City, they paid 24 bitcoin, or $460,000, to obtain the ransomware decryption key, but it didn’t work as promised. The insurance company avoided paying damages that could have far exceeded the ransomware payment; Lake City restored some, but not all of its files; and Lake City’s IT director was fired. Cyber insurance is a must-have, but it’s not a silver bullet. Show your clients why better cybersecurity is better insurance than any policy:
- How Insurance Companies Are Fueling the Rise in Ransomware Attacks – ProPublica
- Cyber Insurance: You Get What You Pay For – CPO Magazine
- Email Crime Now Top Cause of Cyber Insurance Claims – IT Pro Portal
“Our current solutions are good enough”
Upgrading your prospects or clients from subpar to superior solutions benefits both parties: the client is better protected from attacks, and your business is better protected from the fallout of attacks. While a small SMB might spend more than $49,000 to recover from a cyberattack, 74 percent of SMBs would take legal action against their MSP for a cyberattack.
Demonstrate the value of a better solution with a transparent proof of concept (POC) that shows your client exactly how many threats are slipping through their defenses. With a transparent POC, the new solution monitors but does not take action on your client/prospect’s systems. For example, with Vade for Office 365, we monitor a customer’s email traffic but do not block or remove emails from user mailboxes. After two weeks, you can show your client/prospect how many threats bypassed their current system and the impacts those threats could have had on their business.
Additional Resources
- Phishers’ Favorites: Microsoft Holds Onto the #1 Spot, but Facebook Phishing Surges
- Types of Email Fraud SMBs Should Watch Out For