Security threats are bigger now than ever before, but how do you talk to your customers about this when they just see IT security as another cost they can do without? The reality is that they sit through so many sales pitches for new technologies they don’t understand that any nontechnical owner is likely to see this as just another cash grab. Security is different, and we need to show the real value with scenarios that hit home.
Going to your customer with the idea that a criminal organization is going to target them may not be the best choice. Even if they are a valuable target (like an accounting firm for example), it can be an uphill battle to convince them that there aren’t bigger and more “deserving” targets out there. You need to start with real-world examples.
Unfortunately, it is likely you or they have personal knowledge of another business that has suffered a ransomware outbreak. So, take that example and quantify the monetary cost as well as the time offline into real-world numbers. Don’t try to inflate it to make a point; just focus on the direct and easy-to-verify costs first. There are software tools on the market that specifically audit risk, giving the customer a real-world dollar figure. They can then compare this risk level against the cost you are pitching your security services at and make a value-based decision. You don’t need to go into the technical specifics with your customer; trusting that you know what to do is what they pay you for.
If you want to add additional value to this, then audit the software license charges the customer is ALREADY paying. They may be buying old antivirus (AV) software from years ago. A quick review in many cases may prove there are cheaper and more effective solutions on the market; you can then package a more cost-effective AV solution into your wider security offering. The savings the customer is making can be redirected into additional security layers (including your security service) to give them better security at a similar cost to the one they’re already paying.
Now that you’ve addressed some of the cost concerns, turn your focus to the “business value” you provide. Always translate the security tools you’re implementing into why your customer should care.
Consider the critical layers to secure against today’s ransomware and insider threats. Position these as why the customer needs them.
Don’t just buy a firewall box and install it; you need regular audits to ensure holes have not been opened and that the configuration and rules have been backed up. A junior tech in a hurry to give access to a hosted service could open your customer’s security up and invite a breach.
Email filtering is part of the perimeter. Email is still one of the most used forms of file transport today. Yet we often rely on default filters to protect our networks. Using a purpose-built email filter—not just one that has been bolted on as an afterthought—gives you the added bonus of continuity in case of a service outage as well as the ability to trace delivery logs from a third party in case of missing emails caused by the server. We also need to be able to look at how users interact with the email itself; solutions now exist which send your users fake scam emails and report just how far some users will interact with a threat email. This helps you easily identify who needs more.
Ransomware can use permissions to replicate itself to all systems. Insiders could also use their permissions to damage or steal sensitive data—sometimes maliciously, but also sometimes by accident.
With password and privilege management, the damage from a ransomware outbreak and insider threats can be mitigated or even prevented. Controlling sensitive data access can also help prevent the need to rework the same data from an accidental loss while also ensuring competitors don’t get an edge over your customer’s business in case of a data leak.
Customers are used to paying premiums for legacy tech. Keep the costs steady while providing more value. Where your customer may have paid $25+ per year for an annual AV license, today you could find an alternative solution for half that price that’s as good or better. The key is to not just cut the customer’s outlay, but to use that extra cost saving and invest it into more services, such as additional security layers or your own service rates. This means you can dedicate time for regular technical audits and upgrades while the customer is still paying the same costs they’re used to. Same price, better value.
Regardless of the other lines of defense, always prepare for the worst result. A local backup can be stolen or encrypted as easily as a local server. Ensure you also have an up-to-date offsite backup of your customer data. Doing this regularly means that if there is a local outbreak, it can’t cause an extinction event. If your customer is paying, or at least has paid, for backup software or services in the past, review that outlay; that price sets an idea of where the customer’s expectations are. If you can’t beat that price today, then provide additional service beyond what it provided, and you can frame the discussion around value for money rather than just good security practice.
Remind your customers about real-world threats and how you can provide protection against multiple vectors by consolidating their costs without drastically increasing their security bills. Show value with nontechnical reports and focus on the business risks you’re mitigating and the dollar value saving against those risks.
That way, you move the conversation away from tech they don’t understand, and instead talk to them in a language they do understand—their bottom line.
Kris Hansen is strategic product manager at SolarWinds MSP. You can follow Kris on Twitter® at @KristianJHansen
© 2017 SolarWinds MSP UK Ltd. All rights reserved.