High-profile ransomware attacks in 2023 at Dish Network, the city of Dallas, and the Las Vegas MGM Hotel don’t seem to have driven SMB customers to be more wary of their risks or to step up their protection.
Despite the increased attention on the importance of cybersecurity services, managed services providers may be struggling to get clients’ permission to protect them. That’s where storytelling can be a key sales tool, said Jennifer Bleam, owner and founder of MSP Sales Revolution.
“It’s important to share real-world horror stories from prospects or colleagues. I recommend you stress the impact on the business. Help your client understand the very real risks that your MSP is protecting them from.”
Rather than just sharing the overall news, drill down deeper, suggested Adam Bielanski, CEO of MSP+OS, a full-stack consulting agency that aspires to be the Deloitte and McKenzie of the MSP space.
“Focus on similar sized businesses, not necessarily local examples. A 50-person company wants to hear stories from companies of similar size in the same industry.”
Additionally, while MSP owners often understand technical details, “businesses care about what affects their businesses,” Bielanski said.
Discussions focused on the grade of steel in the shovel blade and the type of wood in the handle miss the point for customers who need a particular sized hole. “Make sure you describe how the right measures at the right time provide protection — and make it real for them.”
Explain the Threats
Objections from prospective clients may include being too small, already having their data backed up, or not having enough money to be a target, Bielanski admitted. Educating clients is important, especially since AI makes the security landscape even more confusing, particularly for smaller prospects.
Stories can help better explain how big of a threat cyber attacks can be, Bielanski shared. “Explain the cost of protection against the perceived risk. Examine the cost of doing nothing through storytelling.”
If the prospect claims not to know anyone who’s had a ransomware attack, you didn’t explain the likelihood or impact well enough, Bleam said. Even if they know it’s possible, they may believe they can weather the storm, perhaps because they have cyber insurance, or underestimate the financial and business impact of an incident.
That’s the time for implication questions, which usually begin with, “How would it impact your department if …” and finish with your knowledge of exploits typical of that type of company, she said. “When telling these stories, stress the impact on the business with details like leaked data, missed deadlines, and even the inability to process payroll.”
Spelling Out Costs
Protections come at a cost, of course, so your pricing model must be transparent and include the value of each component and what can save them from a $1 million breach, said Bielanski. It also helps to have multiple options, because not every company needs the top-tier package, he added. “I’m not putting Cisco equipment in a five-person office.”
A common method starts with a standard set of security tools and offers add-ons as needed, explained Scott Beck, CEO of BeckTek in Riverview, New Brunswick, Canada, northeast of the Maine border.
“There are only three things you can do with risk: Mitigate the risk by putting protection in place, transfer the risk by way of insurance, or accept the risk and roll the dice.”
Today, however, most cyber insurance companies won’t accept clients that don’t have adequate cyber protection, he added.
“All our clients get our cybersecurity stack with one price for the package. We also offer add-ons like SIEM, third-party assessments, compliance as a service, and a virtual CSO role, each with a separate price.”
John Joyce, co-owner of CRS Technology Consultants southwest of Tampa, takes a similar approach, broken down into two buckets. The first is a series of non-negotiables — must-haves to partner with CRS — fixed into a monthly partner agreement, he said. Examples include EDR (endpoint detection and response), monitoring, and business continuity and disaster recovery.
The second bucket includes more specialized offerings, he said, “often recommended for certain verticals such as regulated industries like wealth management, accounting, legal, and the like that employ these services out of best practices and the need for compliance.”
Bring in Good Partners When Needed
There’s also a growing trend of insurance-related requirements driving adoption of various services across verticals from construction to professional services, Joyce mentioned.
“These firms are being asked by insurance companies if they employ Managed SOC, DNS filtering, and other niche security-specific services. Much like EDR just a few years ago, we predict these trends will speed up adoption and better protect those companies, although at a cost.”
Adding more services, such as one that requires 24/7 monitoring, may require an MSP to find good partners, said Bleam. Building your own SOC is costly and brings a significant risk to the MSP if built incorrectly, she said. “This is one service better left to an expert.”
Bielanski agreed, saying it’s about providing the best service and playing to your strengths.
“If you’re strong in threat monitoring, maybe keep providing that but partner with other providers for other services. Are you great at anti-virus but bad at backup? Partner with another MSP, and each of you cover what the other doesn’t do well.”
Regardless of your chosen strategy, reputation and trust in cybersecurity are critical. And storytelling is a lost art in today’s market that’s drowning in social media, he said.
“Get good at telling stories relatable to customers. It may take several stories for the message to sink in. Get back to real-world examples and stories.”