Security has been front-of-mind for small businesses ever since the crypto-style ransomware breakouts started. The reason is simple; scale. I don’t know a single small business owner that does not know another small business owner who has been hit by ransomware. How many of you as managed service providers (MSPs) have not seen any of your clients hit by some form of ransomware in the past four years? If you are lucky enough to be in this bracket, congratulations, but you are in a very small minority of your peers.
Social media, TV news, and events are riddled with the fear of a ransomware attack. Psychologically, your clients and prospects are concerned about security because the world is filling them with FUD (fear, uncertainty, and doubt). While I’m not a proponent of FUD, understanding the psychology of both customers and prospects can help us open the door on important conversations. The key to both groups is finding out where they are psychologically and what security layers they already have in place. There will be differences between the two, as existing customers are in “up-sell” mode while for prospects, it’s about getting a “foot in the door” or displacing an existing supplier.
The Security Assessment is a key tool when selling security. As I said in the paragraph above, finding out where the client is must be the first step. The assessment play works for both clients and prospects because with existing clients, you can just say you provide security assessments periodically to make sure nothing has changed in their business that might require additional security layers or features. It is also important to perform periodic assessments for your customers to keep competitors from doing what I am about to tell you to do for prospects.
For prospects, a security assessment can always be positioned as a third-party check on what their existing IT provider is doing. It also helps to position yourself as an MSSP (Managed Security Services Provider) to establish a level of security authority. This could get you in doors that would normally be closed because the company is perfectly happy with its current IT services. It also helps if you can utilise a security specific product like Risk Intelligence from SolarWinds MSP. Risk Intelligence can be used not only as an assessment tool, but also as a monitoring tool to continuously protect the client and generate recurring revenue for you. A good security assessment begins with a survey. It should guide your client or prospect into revealing key information, such as:
You can add more types of questions based on your knowledge, and to help position the products and services you intend to offer them.
Speaking of products and services, the next thing you need to do is figure out how you are going to position your products. Here are some ideas to help you do this with some common MSP features as security products.
This will be for a prospect that has no existing managed IT provider. We use managed antivirus (AV) as a door-opener all the time because everyone knows they need AV. The key to positioning it over and above standalone AV is to check their systems. If they have more than a handful of PCs, the chances are at least one has stopped updating because the subscription expired or because it simply stopped working. Managed AV means that you are constantly monitoring their AV to make sure it is up-to-date and running properly.
This is one step above managed AV but very similar. Many SMBs have a firewall or UTM device to protect the network, but ask them what happens when employees take their laptops home at night. Is that device still protected?
An important piece of the security puzzle and slightly more complicated than the previous two features. This is something that the average SMB cannot do themselves effectively simply because of the wide variety of vendors to update individually. Offering a managed patch service is also something they cannot buy at their local big box store.
Another item that is above the skill level of your average business owner is email security. Given that the vast majority of ransomware infections come through email, this is a critical layer. Even if a customer is on a hosted email solution that already provides mail filtering, they should still have a third-party filtering, archiving, and continuity solution for redundancy, and provide different filtering algorithms to catch more malicious content.
One of the common things we find today is that businesses do not know where their sensitive data is or who has access to it. Knowing that information helps you contain and protect critical/sensitive information. Constantly monitoring those data types lets you know when data has migrated to an unprotected device or unrestricted file share that it should not be on. This service is not often provided by the average MSP so it can differentiate you as a security provider. If the customer is already under a good managed services contract this may be your only way in the door.
Although not a security product per se, it is the last layer of defense in case the worst occurs. Making sure a customer can recover from a successful ransomware attack is critical and therefore their backup product and process must be managed well and tested periodically to ensure successful recovery when needed.
Hopefully, this has given you some ideas to use security as a beachhead to successfully “approach” your clients and prospects with new layers of security.
Eric Anthony is Director of Customer Experience at SolarWinds MSP. Before joining SolarWinds, Eric ran his own managed service provider business for over six years.
You can follow Eric on Twitter® at @EricAnthonyMSP
Want more advice on growing your MSP business? Click here to read more of our blogs.
© 2017 SolarWinds MSP UK Ltd. All Rights Reserved.