Which is larger?
- The percent of Americans that don’t believe climate change is real, or
- The percent of Internet users who don't believe their online accounts are at risk?
The answer may surprise you: it’s actually the latter—and by a wide margin. For perspective, the number of people who believe their accounts are immune to cyber threats (32 percent) is greater than the percent of Americans who believe they have seen or been in the presence of a ghost (18 percent) or the percent that believe it's not a good idea to send signals to outer space to communicate with aliens (31 percent).
Which brings me to this edition of The Doyle Report: “Selling Security to Non Believers.”
At the recent Annual Membership Meeting (AMM) hosted by CompTIA, the Computing Information Technology Industry Association, selling security solutions to small business customers came up in a big way. While many small business recognize the need to protect their networks and data, a sizable percent do not. The problem: small businesses simply don’t believe they will ever be the target or victim of a security breach. For them, the idea that they will fall prey to Russian criminals or Chinese hackers is not believable.
This, of course, flies in the face of research that reveals that most security threats are internal, either by malfeasance or ineptness.
“Selling fear alone,” said CompTIA board member and managed service provider (MSP) Vince Tinnirello of Anchor Network Solutions, Inc., “just isn’t working.”
Instead of fear, many solution providers have turned to facts to help make their case. The numbers are pretty compelling. Consider:
- Half of all small- to-medium-sized companies have been the target of a cyber attack, according to Tim Francis, enterprise leader for cyber insurance for Travelers Insurance.
- Three of every five targeted attacks strike small- and medium-sized organizations, according to the 2015 Internet Security Threat Report produced by Symantec.
- 40 percent of businesses hit by ransomware have fewer than 100 employees, according to Intermedia’s 2016 Crypto-Ransomware Report.
- One of every 100 emails sent in the month of February to a small business with fewer than 250 employees contained malware, according to Symantec’s Latest Intelligence Report.
“[Small] organizations often have fewer resources to invest in security, and many are still not adopting basic best practices like blocking executable files and screensaver email attachments,” says Symantec in its Internet Security Threat Report. “By targeting smaller or more niche institutions, phishers can avoid competition with their peers.”
Thanks to a recent increase in the number of denial of service incidents, phishing schemes and ransomware attacks aimed at small businesses, it’s little wonder that The New York Times summed in January, “No Business Too Small to Be Hacked.”
In the article, author Constance Gustke offered small business customers some of the same advice that MSPs have provided for years. Update antivirus software, firewalls and passwords, etc., and consider putting “data in the cloud rather than on company servers, which may be more vulnerable.” She went on to recommend hiring an outside expert. “…often, given lean staffing, it makes more sense and can cost less in the long run to hire a firm that specializes in digital security,” she says.
The message, some data show, is getting across. According to Trustwave’s 2016 Security Pressures Report, more customers are putting their security in the hands of MSPs: “The number of respondents who either already partner or plan to partner with managed security services providers has climbed from 78 percent to 86 percent.”
While good news, I reached out to several experts who have looked squarely at the problem of small business denial.
“You can’t sell on fear alone less you end up looking like Chicken Little shouting ‘the sky is falling,’” says Ron Culler, CTO at Secure Designs Inc., a North Carolina MSP that caters both to end customers and fellow MSPs.
“What has helped us is the ability to relate it to the customer’s business. For partners, we show how security included with their products and services can act as a market differentiator,” he says. “Security is not a piece of tech that you sell and move on. It’s a mindset, with policies and tech combined to create a solution to a problem. Often that problem is risk, and you have to ask customers ‘how much risk are you willing or able to accept?’”
Another MSP I know works at a prominent MSP in America’s heartland. The company, which is a top Cisco and Avaya partner, is growing rapidly and is known for providing top-notch customer service. Like many, it is transitioning a part of its business from on-premise solutions to managed services. As it does, its revenue model and sales contribution mix changes. While some practices transitioned more readily than others, security took some additional effort. Today, some of the company’s customers look to IBM, Dell and others to provide the technology they need. But they look to his organization to manage these investments and keep them safe from harm.
Selling security, the MSP tells me, is more than selling piece of mind. It’s also selling convenience and competence to those in need.