You’ve gotten a lead in the door, had a quick meeting with them to tell if they’re a good fit and have gotten an assessment that will convince them they’re not secure. You did all of this within a week’s time WITHOUT using technical resources. (If you have any questions about this, see how a penetration test can transform your sales cycle).
Once you’ve done all that, you’re going to have to sit down with your prospect and go through the results. I have complete confidence that you are able to get this piece done—in fact, some of our partners have been closing over 83% of leads coming in their doors. The pen test sales process works.
One critical component to making it work is telling stories that will help your prospect understand WHY they need a change.
Today, I want to focus on one story that has delivered that WHY in many deals I’ve personally closed. Feel free to use this story or a modified version with your prospects and clients to get their heads wrapped around investing in cyber.
Here’s the story. If you’re a partner, you can go as far as saying that our security team experienced this situation…
This happened a little while ago, and basically it was an accounting firm that ran into a little issue with the IRS. You see, the IRS decided that there was a problem in the accounting firm. They couldn't really figure out what was going on. This story works great in these certain circumstances.
First, if they don't have multifactor authentication enabled in their office 365, and you end up with that as your report, another one is, if there's PII found in their environment, this is a good story for to explain why that’s concerning.
Another is in the situation where we crack some passwords. So those are kind of the three major areas that this story works well in.
Imagine I'm you and you're the prospect.
How does that work? This reminds me of an incident that our security team was dealing with a little while ago.
You see, we got a call from an accounting firm, and it was towards the end of February. That was kind of strange.
Accountants are super busy in February. I mean, think about what's coming up April 15th, right? They're super busy with taxes and we got a call at the end of February and they were asking for an audit and here's the thing like accountants, they don't do audits at the end of February.
They don't touch anything in their networks unless it's an update for taxes. They're never going to be talking to our firm at the end of February and asking for an audit.
We found out what was going on. The IRS was no longer allowing them to submit E-filings.
You know what that means?
They're not allowed to submit the E-filings. That would be their client's taxes. So can you imagine having to communicate back to their clients and saying, “Hey, we're not allowed to like, submit your taxes”.
Here's what we found out was going on and you see their partner. One of the partners had been phished and the attacker got access to their email. And so you look at these passwords, you think they're not a big deal, but this attacker, they were able to get to their email. And from their email, this is a Microsoft 365 account.
From this email, they're able to go in and reset the password in their tax software. Once they go in and reset the password in the tax software, guess what? It sends an email over to their Microsoft 365 with a link in it so that they confirm who they are, and they had the link and they're able to get right in.
What would happen is the partner would come in in the morning and they would log in to everything and their tax software password would be wrong.
They'd have to reset it and they'd get back to work. And this happened like eight days in a row. And really what was happening is every night when the partner left and went home, the attackers would get into their email, reset the password, submit a bunch of tax returns, and create this havoc.
Here's what our security team found 180 tax returns were filed for different people.
They're all fraudulent. And the IRS refused them from submitting any more E-filings.
This is why it's really important that we get these passwords to be different for each of your sites, or we set up MFA or whatever you're trying to communicate to the client that's related to one of those different areas.
That's how you go through and share a story about phishing. It's more than just email that can turn into a good educational experience for your client.
Get your client to realize how important implementing security is. This stuff doesn’t have to be hard! I want you or your sales team telling stories to make it easy for prospects to understand what’s going on.
My personal mission is to help protect a million people. The only way I see doing that is by enabling MSPs to be more successful with their tools and able to deliver security services to your clients.
Want to help with my mission? See how your cyber stack stacks up.
