The 5 Stages of SMB Cybersecurity Grief

It may come as a shock to hear that your SMB clients and prospects aren’t interested in cybersecurity. However, with all the challenges SMBs are currently facing — from new overtime and minimum wage laws to rising wholesale costs and increasing competition — an invitation to talk about why they need to purchase cybersecurity solutions could be met with indifference.

As you speak with prospects, you will find they are at different levels of understanding cyber risks and how to prevent them. You could think of the progression toward fully understanding the gravity of the situation — and the loss that could result — as the “five stages of SMB cybersecurity grief.”

Stage 1: Denial

SMBs know cybercriminals target large corporations, retailers, and healthcare organizations because they hear about it in the news. What isn’t getting air time from the media are the thousands of data breaches and hacks with SMBs as victims.

The Verizon 2016 Data Breach Investigations Report found that one-third of businesses that experienced data loss from a cyberattack in 2015 were SMBs. The investigation also revealed that no industry was immune to attack: retail, healthcare, finance, and information sectors experienced the most attacks that resulted in data loss, but construction, utilities, transportation, real estate, mining, manufacturing, entertainment, educational, and agricultural businesses were victims as well.

Still, denial can run deep. A report commissioned by Nationwide insurance found that about 80 percent of SMBs don’t have a cyberattack response plan, even though 63 percent of them had experienced at least one type of attack.

Stage 2: Anger

When you bring up the topic of cybersecurity with an SMB, be prepared for the possibility that you may strike a nerve. With all of the challenges they are facing to run a profitable business, SMBs may struggle to budget for guarding against cybercrime.

It may be the logical thing to do — the cost of the solution could be far less than the cost of dealing with a data breach — but it’s not always the easy thing to do. Many small businesses aren’t technology experts and don’t have in-house resources to deploy and maintain security solutions.

It’s highly likely that as you talk to SMBs, you will encounter some that have experienced data breaches. For example, they may have incurred an unexpected cost to fix a hacked website or had to deal with losses from fraudulent charges on their accounts. Recognize that your prospect may need to sort through an immediate problem before they are ready to talk about how to prevent it from happening again.

Stage 3: Bargaining

Some SMBs may feel that cyberattacks have become just a part of doing business, and decide they’ll deal with them if they occur. For example, ransomware attacks are on the rise — a literal case of bargaining to regain access to your network and data. Small business owners may rationalize that if they were to get infected and have to pay the ransom, which averages $300 to $600 in digital currency, that would still be cheaper than paying for data protection services. What this shortsighted thinking overlooks, however, is that the additional costs of downtime and damage to the business’ reputation can far exceed the cost of a single ransomware attack. Plus, getting hit with ransomware once is no guarantee that it won’t happen again.

Stage 4: Depression

When an attack results in the loss of payment card data, healthcare information, employees’ social security and personal information, or proprietary corporate data, depression is bound to set in. It may not be depression from an emotional perspective, but rather from factors that bring the company down from a business standpoint, such as breach reporting, fines, costs to repair systems, and downtime, as well as more intangible costs such as damage to the SMB’s reputation and brand. With average costs of an SMB data breach estimated at about $36,000, some businesses may never recover.

Stage 5: Acceptance

There will probably come a point when an SMB understands that the risks are real, and they need to put security solutions in place. When you encounter an SMB that has reached the acceptance stage, it may be easier to start a conversation, but you will still need to help educate them on security best practices and the technology that can help minimize their risks.

To assist you, Intronis offers The MSP’s Complete Guide to Cyber Security, a resource that will help you educate your SMB clients on the risks and the security solutions and policies they need to protect their data. A companion download, The SMB’s Guide to Cyber Security, is also available for you to share with your clients.

When your prospects are finally ready to talk, be prepared to share the information SMBs need to make informed decisions about security solutions and best practices.

Chris Crellin
Chris Crellin is Senior Director, Product Management for Intronis MSP Solutions by Barracuda.