By Adrian Gendre

Adrian Gendre

By Adrien Gendre, Chief Solutions Architect, Vade Secure

How many times have you heard someone say, “It won’t happen to me”?

In psychology, this type of response is known as optimism bias. Also known as “the illusion of invulnerability,” optimism bias is the belief that we’re more likely to experience good — not bad — outcomes. In other words, we disregard the reality of a situation because we think we’re excluded from the potential negative effects.

As a managed service provider (MSP), you’ve likely encountered optimism bias from your clients, particularly when discussing cybersecurity. According to the Ponemon Institute’s 2018 State of SMB Cybersecurity Report, 67% of SMBs reported having experienced a cybersecurity attack in the last 12 months. This is a fact. Yet, optimism bias leads your clients to believe they’ll be among the lucky 33% who experience no event. “It won’t happen to me,” they’ll say. But the law of percentages dictates otherwise.

So how can you help your clients overcome their optimism bias to ensure they’re investing in stronger cybersecurity controls, including your cybersecurity services and solutions?

Well, psychology says stress can help. Stressful events trigger a physiological change that causes us to take in any sort of warning and become fixated on what might go wrong. It’s believed that this neural response helped early humans to survive; with a heightened focus on potential hazards, they were able to successfully avoid predators. This same response helps firefighters more accurately assess risk and make the right decisions when rushing into a burning building.

When it comes to cybersecurity, there’s really only one metaphorical burning building: falling victim to a cyberattack. And while cyber incidents are often a (reactive) trigger for increased investment, they’re clearly not a viable long-term sales strategy for MSPs. They’re expensive (costing SMBs $1.43 million per incident in 2018), messy to clean up, and put your client’s and your business’ reputations on the line — 37% of SMBs say they would hold their MSP solely accountable for a cyberattack; 74% would be willing to take legal action.

Getting Clients to Act

So it’s in your best interest as your client’s trusted adviser to create just enough stress — let’s call it urgency — that they’re motivated to act before an attack disrupts their business and yours. Here are three tips for doing that:

1. Show them how similar organizations are affected by cyberattacks.

Generalized statistics are too abstract, too logical. They’re not emotional enough to overcome optimism bias. “I won’t be one of the 67% of SMBs that experiences an attack,” your client will confidently proclaim.

Instead, you could show them how a similar organization was affected and use this example to illustrate the potential impact and aftermath of a cyberattack on their own business.

Take, for example, the high-profile ransomware attack that crippled the city of Atlanta last year, disrupting the Police Department records system, infrastructure maintenance requests, the judicial system and online bill pay. All told, the city spent more than $2.6 million on emergency response efforts. If you’re an official for a local government, it’s easier to project the negative outcomes faced by a peer onto your own organization. At the time, we received several requests from local government agencies who said, “We see what’s happening in Atlanta. We don’t want to be next.”

Set up Google Alerts for terms like phishing, spear phishing, business email compromise, malware and …

… ransomware, so you’re immediately notified of the latest attacks. Then use the real-world examples you find to educate clients and show them what could happen to their organization.

2. Show them actual threats that are slipping through their defenses.

Many clients feel like they’re adequately protected against cyberattacks because they’ve implemented products such as antivirus software or email security. In reality, the threat landscape is evolving rapidly, and a product that was good just a couple of years ago may no longer be sufficient.

If you’re looking to introduce a newer solution, one approach for overcoming optimism bias is to show the client threats that their incumbent product is missing. It’s hard to say “it won’t happen to me” when presented with evidence that there are threats lurking within their perimeter or in users’ inboxes.

For example, let’s take a small business that is running Microsoft Office 365 with the platform’s native protection, Exchange Online Protection (EOP). While EOP catches most spam and known threats (e.g., malicious attachments with a known signature), it’s typically less effective against unknown, targeted threats like one-off spear phishing emails or zero-day malware.

To convince the client that they may be vulnerable to these threats, you could run a transparent proof of concept (PoC). A transparent PoC is where a solution runs in the background and analyzes the customer’s email traffic to see what threats the filter would have detected had it been in production. In the process, you’re able to quantify the added protection on top of an incumbent like EOP, and thus build your justification to add a complementary security layer. Unlike the generic stats referenced earlier, these figures illustrate actual threats based on the client’s email traffic — potential negative outcomes that are virtually impossible to ignore.

3. Show them the positive aspects of stronger cybersecurity.

After discussing the role of fear in triggering more realistic risk assessment and accurate decision-making, my last point might seem counterintuitive. But many studies suggest that while optimism bias often leads to negative outcomes, it can also have benefits. That’s because optimism can act as a self-fulfilling prophecy: by believing that we will be successful, people are, in fact, more likely to be successful.

When implementing any of the ideas above, avoid being too heavy-handed with fear tactics. Fear-based selling is all too common in cybersecurity but, as your clients’ trusted adviser, you shouldn’t need to scare them to death. Rather than dwelling on the negative, remain objective and educational, balancing the potential impacts of a cyberattack with all the positive benefits of avoiding them in the first place. Let them know that you’ve helped other clients implement successful cybersecurity controls and you want to make them successful, too.

That way, instead of saying “it won’t happen to me,” your client can proudly say, “it didn’t happen to me.”

Adrien Gendre is chief solutions architect at Vade Secure, where he’s responsible for formulating the company’s product strategy and road map, overseeing integration with security vendors, and managing the global Solutions Architect, Training, Documentation and Customer Support Teams. He has spoken about how hackers design their attacks at events like M3AAWG, Data Connectors Cybersecurity Conference, CIO VISIONS Mid-Market Summit, SecureWorld and RMISC. Follow him on LinkedIn or @VadeSecure.