How To Get Your Clients Focused On Cyber Hygiene

I’m sure there are a ton of things on your clients’ minds right now. New COVID information is coming out daily. The 24-hour news cycle has been non-stop on a variety of issues. And people seem to be anxious.

Hackers increase their efforts during times of chaos, breaching and attacking networks and systems. If your users are thinking about current events, holiday plans, or other distractions, are they really focused on protecting their businesses?

What we’ve found is that in these times, the best security strategy is to refocus on the most basic concepts. What I mean here is to refocus attention on cybersecurity hygiene.

I realize that you might want to communicate what you are doing to make sure your clients are secure or to point out problems with their current solution (depending on your relationship). You probably want to:

Make sure their systems are patched and current

Make sure that they have malware protection

Make sure that only necessary ports are open on their firewall

(This is all stuff that a penetration test can find).

But what your client or prospect really needs to see is what an attacker could get their sticky fingers on. This is what prompts action.

Once you, as an informed cybersecurity expert, can see what is at risk and clearly show stakeholders at your client or prospect exactly what an attacker would access on their network (along with a variety of ways an attacker could get in right now), what do you think would happen?

In my experience, having helped MSPs protect themselves and their client networks over the course of the last few years, as you are able to communicate risk in a way that clients tangibly understand, they start to appreciate the need to take action.

Action as in either signing up for a more secure managed services offering OR purchasing more advanced security packages.

As you run through your results with them, wouldn’t you want to link vulnerabilities on their network to ways attackers are getting in today? That’s exactly what I needed when supporting hospitals when running my MSP.

If you don’t show them information that they care about and link it back to issues they’re experiencing, with stories in tow, you probably won’t convince anyone (even if their network is terrible).

They won’t want to invest in your solutions.

What I’ve found with MSP security is that buying new security controls is rarely the problem. It’s putting systems and procedures in place to better utilize the controls you’re already using. And that’s something you can legitimately sell to prospects! Only if they understand that security isn’t all about tools, but more about people, process and cultural awareness of risks, will they start to understand that security is not just an out-of-the-box solution.

Security is a combination of people, process and the right technology. Unless all are working, none are effective.

The good news is that MSPs are successfully evaluating, communicating and double-checking the networks they are supporting. They are building cultural awareness within their teams and their clients. They are converting security-disinterested clients into security-conscious ones (those that want to buy and invest in cybersecurity).

The easiest way to create that awareness is to show your team and key people within your clients what is at risk and simple ways to prevent those risks in the first place. The place to start is showing whether their security controls can withstand an attack.