Ransomware attacks continue to happen more frequently, but many companies still aren’t taking the necessary steps to protect their data. When large attacks happen, companies may start to worry and begin investigating potential solutions, but the energy behind those efforts often dwindles. Despite the big headline-grabbing attacks like the WannaCry or NotPetya outbreaks in 2017, companies often fall back into bad habits because the ransomware threat doesn’t feel imminent after the news cycle moves on.
But attacks are multiplying. Last year, Cybersecurity Ventures predicted losses in excess of $5 billion from ransomware. A 2017 survey from Statista revealed that 28 percent of respondents felt vulnerable, and 30 percent felt very vulnerable to a ransomware attack.
Still, many SMBs aren’t taking the threat seriously because they think they are too small or anonymous to be a target. In some cases, these companies may fail to institute the right security measures even after being affected by ransomware.
What’s an MSP to do with a customer that doesn’t want to spend the time or money needed to protect their data?
1. Talk to them about security. New ransomware variants are unleashed on a regular basis, which means there is always a news item or statistic to share with your customers. Show them that they aren’t immune just because they’re small or because they’ve already survived one incident. And, if you can point to competitors or similar companies that have undergone a recent attack, even better.
Ransomware attacks also open up discussions about backup and recovery solutions and the importance of creating multiple copies of data in different media (with at least one copy hosted off site).
But even if the customer still scoffs at a ransomware threat, remind them that backup and data recovery solutions are important because there is still the possibility of a system failure or other disaster that could put their data at risk. Further, there are practical benefits beyond the worst-case scenario that ransomware presents.
For example, backup and recovery can make it easier to deal with a network-wide failure, or even a single user’s failed hard drive--because it’s not a matter of if but when a hard drive will fail. According to a recent study by Kroll Ontrack, in fact, 72 percent of those surveyed by the data recovery firm had lost data from a drive in a laptop or desktop computer. The study also found that drive crashes and other hardware problems were responsible for two-thirds of data loss, while human error accounted for only 20 percent of the cases.
2. Back up your points with data. There are plenty of studies indicating just how vulnerable SMBs are to ransomware and the scope of the costs. According to TechRepublic, for example, an attack can cost an average of $256,000. That’s enough to put many companies out of business.
Make sure your clients are fully aware of the costs of the recovery effort once they’ve experienced a ransomware attack, both from paying the ransom and from rebuilding data and systems affected by malware, replacing drives and performing forensics. Include labor and lost productivity. If their own customers’ data was compromised in the attack, there will also likely be a costly loss of reputation or business.
Once they see just how expensive it is to deal with an attack after the fact, the cost of the necessary security services to prevent another one will look small by comparison.
3. Emphasize the financial aspect of these attacks. Many companies don’t think they’ll be targets because they don’t generate or store valuable data. Remind them that while their data may be worthless to a hacker, it’s not the data that cybercriminals are after--it’s their money. Ransomware attacks aren’t targeted at getting a peek at their information. They’re designed to disrupt a company’s ability to do business during the attack.
4. Put them in touch with their peers. Highlighting customers who have successfully fended off a ransomware attack and can attest to the return on their security investment may help. Harrowing firsthand accounts can strike a chord with a reluctant manager.
5. Dispel the vaccine myth. Surviving a ransomware attack isn’t like getting a vaccine, where an inoculation gives you immunity against future exposure. It’s not unusual for companies to be attacked multiple times. The threat is only going to get worse--particularly if a company has already paid off hackers to end a previous attack.
If you still can’t get them on board, it may be time to re-evaluate your client relationship. MSPs can spend days or weeks helping clients recover from a ransomware incident. While those represent billable hours, that recovery effort can tie up internal resources that would be better used to service other clients.
Set boundaries with clients that insist on dismissing security advice. Make sure they know that you can’t be expected to drop everything and respond to their security emergencies if they aren’t taking basic steps to safeguard their systems.
The good news is that most companies are getting--and responding to--the security message. With some encouragement, education, and awareness of the costs and risks, most clients will be open to investing in data security solutions and services.
Chris Crellin is Senior Director of Product Management for Barracuda MSP, a provider of security and data protection solutions for managed services providers, where he is responsible for leading product strategy and management.
This guest blog is part of a Channel Futures sponsorship.