MSPs need to ask SMBs questions about cybersecurity that not only reveal their need for solutions but also their awareness of the growing risks.
Asking open-ended questions can be an effective technique for learning about prospects' technology needs, their pain points, and the goals they are trying to achieve. When it comes to selling data protection and security solutions to small to midsize businesses (SMBs), however, it’s important to ask the right questions.
SMB prospects may differ significantly from larger businesses when it comes to their attitudes about data protection. The underlying reasons SMBs don’t have security solutions can include denial that they could be the target of cybercrime, belief that antivirus is enough to protect their data and networks, or lack of awareness of growing risks. An MSP that presumes too much about an SMB may start a conversation on a completely different plane than their prospect.
Here are some suggestions that can help you learn about prospects' needs related to network security and data protection, and identify knowledge gaps that you need to address before you can sell these solutions.
1. What version of your operating system are you running? You might have to step in and help an SMB determine which OS it uses, but this question can lead to a discussion of minimizing vulnerabilities by keeping security patches up to date. You may uncover that a prospect is still running Windows XP or Windows Server 2003 or another system that has reached its end of support, which will provide the opportunity to explain the importance of upgrading to a new system to minimize the risk of a data breach.
2. Has your business ever been the victim of a cybercrime? If your prospects are representative of all SMBs in the United States, according to the Ponemon 2016 State of Cybersecurity in Small and Medium Businesses report, more than half will answer yes. Research also shows that although most SMBs have experienced a cyberattack, many of them did not respond by putting security solutions in place. Regardless of the answer, this question can lead to a discussion of the types of attacks--e.g., malware, brute force, DDoS (distributed denial of service), ransomware--and what each could mean to an SMB. It also gives you the opportunity to explain solutions that defend against these attacks.
3. What applications are critical to running your business? You may have to explain why you are asking, but this question gives you a chance to gauge policies the company has in place regarding changing default passwords, protecting login credentials and segmenting parts of the network.
4. What is your business’s password policy? Give your prospect the opportunity to explain how often employees change passwords, as well as the guidelines the business enforces (if any) for password strength and keeping passwords confidential. The Verizon 2016 Data Breach Investigations Report provides information you can share on this topic, including the number of data breaches involving stolen credentials, which rose in 2015 to more than 30 percent of all attacks. The report states, “Brute force is still relevant, but we hope it will continue to decline as small and medium businesses move away from passwords that could be guessed by a rhesus monkey of average intelligence.” This question also provides the opportunity to ask about employee training related to phishing and social engineering attacks.
5. How do you protect and secure the data within your business today? This is probably better asked as a follow-up question to one of the other questions above, and you may have already figured out that the answer is that security isn’t managed--if it exists at all. Be prepared for the discussion to quickly turn to objections related to budget, which gives you the opportunity to discuss managed security, backup and disaster recovery, endpoint protection, and other managed services you provide. Prospects may not be able to make a large capital investment, but they may be able to deploy the solutions they need for an affordable monthly payment.
A Serious Summary Question
At some point in the course of your discussion, be prepared to share the cost of a data breach for an SMB. Security magazine reports that the average cost is $36,000, with some costs as high as $50,000. Plus, many SMBs never recover from a breach. Experian estimates that 60 percent of SMBs that suffer a breach go out of business after six months.
Then, the obvious question is whether the SMB can afford not to deploy data protection and security solutions.
Scott Bennett is Director of North American Partner Management for Intronis MSP Solutions by Barracuda, a provider of security and data protection solutions for managed services providers, and he plays a key role in the development and growth of partner relationships.
Guest blogs such as this one are published monthly and are part of MSPmentor's annual platinum sponsorship.