Author: Jay Ryerse, VP, cybersecurity initiatives, ConnectWise
Being able to have frank and honest conversations with your clients is important. In fact, it’s an essential part of a strong client relationship. Ensuring that you start those conversations in a way that educates, benefits, and builds trust between both parties is the best way to set your relationship up for long-term success. And in today’s managed services provider (MSP) landscape, one client conversation stands out from the rest: the cybersecurity conversation.
When it comes to cybersecurity, the worst thing an organization can do is nothing. You know that simply ignoring the issue won’t make it go away; it’ll only make your clients more vulnerable, and it’s important that they understand this. To prevent most attacks and ensure they’re prepared if one occurs, your clients need to be properly informed—understanding the likelihood of a breach, what will happen in the event of one, and what steps they can take to stay safe and secure.
Plant the cybersecurity seeds
Taking a transparent, proactive approach to cybersecurity can make all the difference when it comes to protecting a client’s business—and your reputation.
It all starts with a simple assessment. By conducting an assessment of your client’s current situation and putting together a plan to move forward together, you can help them understand the risk and get them on board with the cybersecurity conversation.
According to a ConnectWise study, 92% of SMBs would switch MSPs for one with the “right” security offering. By getting proactive and prioritizing this conversation, you’re not only making a smart business decision—you’re delivering on your clients’ wants and needs. There’s no better time than the present to take charge of your clients’ cybersecurity by evaluating the solutions they hastily set up to accommodate pandemic-fueled remote work and doing it better, safer, and smarter this time around.
Start the conversation: A three-step framework
Ready to have the cybersecurity conversation with your clients but don’t know where to begin? Follow these three steps to set you and your clients up for a productive conversation—and a positive security outcome.
1. Overcome objections
There are always going to be clients who think that because you handle their IT, you also manage cybersecurity for them already. Be prepared to address this objection by assuring your clients that while you are here to help, their cybersecurity is not solely in your hands—it’s their responsibility, too.
Sharing real stories of breaches that have happened to companies similar to theirs can help them grasp the severity of the situation, easing objections and spurring action. If you don’t have any stories on hand, talk to people in the industry and do some research. Once they get the sense that the last target could just as easily have been them, they’ll be more likely to take the next step when you suggest it.
Some SMBs may also believe they’re too small to be the target of a cyberattack, or that nobody would want their information in the first place. This is a dangerous fallacy, and one that you can help your clients overcome by explaining the facts. In today’s increasingly digital world, all data is valuable. Be sure to communicate to your clients that if their data is valuable to them, it’s inherently valuable to cybercriminals, too—opening the door to extortion attacks that put money in the pockets of attackers in return for data held hostage.
While you may face other client objections, know that many of them stem from misconceptions and misunderstandings about cybersecurity. A little education goes a long way. As technology continues to advance and more of our lives and businesses move online, cybercriminals will evolve their tactics, making it more important than ever for your clients to stay one step ahead. Once you help them understand that fact, they can move away from a dangerous set-it-and-forget-it mentality—and move toward a forward-thinking, long-term, and sustainable cybersecurity approach.
2. Understand your client
To make the biggest impact, you’ll first have to identify where your client is on their cybersecurity journey by having a collaborative conversation with them. How much risk are they comfortable with? Where is their information currently stored—on-premises, in the cloud, or in paper files? Who has access to what information—and who should and shouldn’t have access going forward? These are some of the most important preliminary questions to ask.
Once you get a sense of the current state of security at their organization, you can determine where they are on the security spectrum. They’ll typically fall into one of three categories:
They have to upgrade their security. This category consists of companies that are ruled by regulatory standards—whether it’s HIPAA, NIST, CMMC, or something else—that bind them to uphold a certain standard of privacy and cybersecurity.
They want to upgrade their security. This category covers businesses with high-risk profiles and low-risk tolerances, and can often include law firms, accounting firms, payroll processors, and similar organizations.
They need to upgrade their security. This category includes any client that has an urgent need to upgrade their security posture.
As you work with your client, gaining an accurate understanding of who is responsible for managing the business’s risk and what their priorities are will also be important. Knowing who you’re talking to, that you’re talking to the right person, and that you’re speaking to them in a way that aligns with their interests and priorities is essential.
If you’re working with an SMB and speaking directly with the business owner, they’ll likely want to stick to the bottom-line information: what the cybersecurity plan is and how much it’s going to cost. If you’re working with a larger enterprise’s IT team and speaking to an IT professional, they’ll likely want to receive the full story—and dive deeper into the details. Understanding your client can take many forms, but connecting with your contacts in a way that encourages their involvement rather than pushing them away is a great place to start.
3. Create the assessment
As you get ready to assess your clients’ security, know that you don’t need to reinvent the wheel. There are plenty of tools you can use to complete your assessment, and we’ve created a roadmap that you and your clients can follow:
Show your clients something real and actionable. Start by mapping out a realistic plan to get your client to where they need to be, based on their company type, risk level, and current security setup. Don’t scare them into inaction with a big and expensive plan. Simply start with the fundamentals and work from there.
Employ tools to help tell the story. You don’t have to do the heavy lifting yourself. ConnectWise offers multiple tools that can help you communicate a plan to your clients clearly and concisely. ConnectWise Identify® is a visual report that allows clients to quickly see where they need to improve, while ConnectWise Fortify™ Assessment is a vulnerability scanner tool that produces a tight, high-impact report, allowing clients to easily understand what they need to do—and why it’s important. Together, these tools can help you tell a full story about where your clients stand today and how best to move forward.
Prove the business value of a cybersecurity assessment and plan. Don’t assume your client knows the ins and outs of cybersecurity or the true consequences of a data security breach. Help them understand what you’re doing, what it will help protect, and what it will help prevent. Discuss everything that can happen after a breach, from the payout for ransomware to the involvement of lawyers, insurance professionals, and regulators—and the awkward process of alerting their clients or customers of the attack. By painting a picture of the potentially catastrophic series of events that a breach can trigger, you can build a stronger business case for preventative action.
Share best practices and your assessment components. As the subject of the assessment, your clients should understand how you’re measuring their current security and what it’s being measured against. Describe your approach and the basis of the assessment, emphasizing that it looks at all aspects of an organization’s security posture, including the following elements:
Regulatory requirements: Are there factors like HIPAA, NIST, or CMMC that must be taken into account?
Network considerations: Are there parts of the network that should have limited access? Are they using “out-of-the-box” security protocols? Is the network accessible to individuals outside the company?
Human errors: Have they accounted for physical security, phishing vulnerabilities, misconfiguration, and other human errors that could leave the door open for attackers?
Software components: Are they using old software that’s no longer being serviced?
As you discuss cybersecurity with your clients, remember to stick to the facts, remain realistic, and avoid sounding alarmist. If you can communicate all of the above in a calm, clear, and informative manner, your clients will be left with a strong understanding of the issue—and have confidence in you from the start.
Have the cybersecurity conversation today
You know you need to be talking about cybersecurity with your clients, and there’s no better time to start. Look at your clients’ security postures and create a plan to make them more secure. As more and more companies embrace remote work, cybersecurity will only become more important—and every day that it’s placed on the back burner can make a measurable difference in risk.
Author Jay Ryerse is vice president, cybersecurity initiatives at ConnectWise.