A cyberattack is never going to be expected.
Back when I was running my MSP and my team was recovering hospitals from ransomware events, not once did I get a call from an IT director exclaiming they knew this day would come.
Never. Not one single phone call like that. Every single time it was panicked, and they had been completely taken off guard. It was complete surprise.
And when each of these attacks happened, they happened quickly. There was no smoldering fire that then erupted into a deadly blaze for any of these attacks.
What many organizations continue to ignore is the fact that everyone plays a role in cybersecurity. What they fail to recognize is that their team's preparedness reflects their overall resilience to an attack.
Think about one of your top clients for a second.
Would they know what to do in the unfortunate event of a ransomware attack (other than call you, that is)?
Do they understand what to do? What steps they would need to take to make sure everything was working again?
Do they know what specific information they need to keep their business running? Have they practiced such an event?
Ransomware response is NOT an easy process, and if their expectations don’t match reality, it can be even harder. I know in theory you might say that backups will save them, but restoring from backups never ends up getting them quite where they were (and not in the timeframe they’d want it done).
What our partners have found is that clients start to grasp WHY they need to invest in security once they are shown what is at stake if an attacker were to get in: what data they have at risk and what systems and processes would be impacted.
What they’ve also started to see is that simply running one assessment (one pen test of an environment) is NOT sufficient to make sure they’re secure from the latest hacking strategies and to prevent huge data leaks or losses.
What has really worked to get clients engaged in both the cybersecurity decision cycle and investment is ongoing analysis of their environments, where they can see problems upfront. They can address some internal process or people problems and start identifying their very real security gaps.
What they will soon discover:
A good ongoing assessment will help engage participants in what an attack will feel like and what the effects of the attack will be. They will need to make crucial decisions based on what risks they’re willing to stomach and plan investments based on what they can tolerate.
As you discuss the results of an ongoing assessment with them, you can help them see any unmanageable plans or security designs within their network and how to alleviate them.
Instead of coming off as a salesperson, you’re more than likely to be the solution to a very pressing problem.
By giving them a glimpse of their risks, in a way that lets them tangibly see how an attack could impact their data, you’re giving them a window into a tangible event. Many MSPs simply present hundreds of pages in their reports. While this might underscore the magnitude of a problem, it is entirely ineffective at creating urgency to resolve key security items.
I’m sure you’ve experienced analysis paralysis before (at least I have!). If I were given a 400-page document listing out problems, I sure as heck wouldn’t get around to reading it! Clogging your mental switchboard with information that isn’t actionable is frankly clogging up decisions.
The key is presenting a manageable report that executives can understand without wanting to pass it over to an IT person to handle. If they cannot decide based on a relatively brief report, the project is likely dead on arrival.
And if you perform an analysis on an ongoing basis, you keep your client in the loop as you go. No big surprises. And if something pops up where they need to consider a new solution, your talk track is relatively easy. You are concerned with the changing threats and focused on how to address them through your ongoing analyses. Some of these changes may be minor tweaks, but others might require heavier investments in security technology.
If you’re up front about why a continuous analysis is important, you certainly will get many of your security-conscious clients on board with investing in a monthly or quarterly penetration test of their network to anticipate their risks.
Not sure what a penetration test looks like? Evaluate your cyber stack with a free stack assessment.