MSP Guide: Explaining Cyber Security to Clients

Cyber security will undoubtedly be a topic of conversation with clients as the awareness of evolving risk heightens. In this new era of cyber security, it’s your responsibility as an MSP to understand how to successfully navigate the modern landscape and ease your clients’ minds.

This article is your guide to effectively communicating with your SMB clients and becoming the cyber security leader they need and will rely on. It covers key security terms, how to define your cyber security solution, and how to deal with common client objections to security measures.

  • The definition of key security terms.
  • MSP security standpoints with accompanying delivery tips for communicating with SMB clients.
  • How to clearly define your cyber security positioning and solution.
  • How to spin the prevalence of cyber attacks in a way that will change the way your clients think about what they need.
  • How to respond when you get SMB customers objecting to your cybersecurity solutions.


Content Summary

Introduction
Key Security Terms
Defining Your Security Solution
MSP Talking Points
Objection Handling

Introduction

In today’s rapidly evolving cyber security landscape, the stakes are at an all-time high for virtually every business. Small businesses in particular have become the prime target of cyber attacks, and 60 percent of SMBs go out of business within 6 months of a breach. Their lack of preparedness to defend against these attacks presents a significant opportunity for managed security services providers to minimize risk for their SMB clients and protect them from emerging threats like ransomware, brute force attacks and other malicious activity.

With advanced threats and hyper-targeted malware and ransomware permeating the landscape, foundational security tools are no longer enough to keep environments secure. Even if the security tools you’ve been leveraging are 99.99% effective, risk has evolved from minimal to material due to the fact that there are far more security events per year than ever before.

In this new era of cyber security, it’s your responsibility as an MSP to understand how to successfully navigate the modern landscape. Even if the security tools you already have in place have proven effective for the past couple of years, your clients are facing higher risk than ever before due to the prevalence of advanced attacks—thus your cyber security strategy must evolve and grow to keep pace.

Educating your clients on cyber security and clearly positioning your stance and services will help you instill trust, enable scalability and build a long term business relationship.

This eBook is your guide to effectively communicating with your SMB clients and becoming the cyber security leader they need and will rely on. Here is how to explain cyber security to your customers.

Defining Cyber Security

A recent Tech Pro Research survey showed that 61 percent of SMBs allocate less than 10 percent of overall budget to IT security. As a result, one in three (32 percent) security professionals lack effective intelligence to detect and respond to cyber threats, according to a survey from Anomali.

What does this mean for MSPs? Cyber security will undoubtedly be a topic of conversation with clients as the awareness of evolving risk heightens. The best place to start in formulating your approach is to have a solid understanding of how cyber security is defined.

Cyber security is: the state of being protected against the criminal or unauthorized use of electronic data, or the measures taken to achieve this.

Key Security Terms

Accurately defining the cyber security conversation calls for a shared vocabulary with your clients. Here’s a look at some of today’s key security terms to help you build that foundation.

Antivirus: An application that understands what type of content you are opening and identifies threats within this content. It scans all documents, attachments, and applications to identify threats. It checks against a database of scans across the entire Internet to determine what is a threat and what is safe.

Breach: A cyber security compromise. It differs from a cyber-attack in that it is more precise, and there’s less malicious intent; in other words, data was probably released by a mistake, negligence, or another unintentional case.

Brute-Force Attack: A cyber-attack in which the strength of computer and software resources is used to overwhelm security defenses via the speed and/or frequency of an attack, or by gaining access through algorithmically attempting all combinations of login options until a successful one is found.

Domain Name System (DNS): The Internet’s equivalent of a phonebook. Every domain on the Internet is assigned an Internet Protocol (IP) address, and all IP addresses are stored in the DNS. Computers and other devices access websites based on IP address, and the actual domain name (e.g., google.com) is only meant for the user, as it is easier to remember than a string of numbers.

Encryption: The use of an algorithm to convert plain text into cipher text; data scrambled to the point it becomes unreadable and therefore the information is hidden. For security or privacy, end-to-end encryption is the process of encrypting data while it is passed through a network.

Firewall: A network security device that monitors incoming and outgoing traffic and decides to allow or block specific traffic based on a defined set of security policies. Firewalls are the first line of defense in network security.

Malware: Short for malicious software, malware is an umbrella term used to refer to a variety of forms of hostile or intrusive software, including computer viruses, worms, trojan horses, ransomware, spyware, adware, scareware, and other malicious programs. It can take the form of executable code, scripts, active content and other software. Malware is defined by its malicious intent, acting against the requirements of the computer user—and so does not include software that causes unintentional harm due to some deficiency.

NIST: National Institute of Security for Technology—a segment in the Department of Commerce that recommends ways for federal agencies to recover from cyber events.

OpenDNS: A company and service which extends the Domain Name System (DNS) by adding features such as phishing protection and optional content filtering in addition to DNS lookup, if its DNS servers are used.

Patch: A patch is a software update to an operating system, application or other function that directly addresses and corrects a particular vulnerability. Patches often improve system usability or performance.

Phishing: The attempt to obtain sensitive information such as usernames, passwords and credit card details (and, indirectly, money) for malicious reasons, by masquerading as a trustworthy entity in an electronic communication. Phishing is typically carried out by email spoofing or instant messaging, and it often directs users to enter personal information at a fake website, the look and feel of which are almost identical to the legitimate one. Communications purporting to be from social web sites, auction sites, banks, online payment processors or IT administrators are often used to lure victims. Phishing emails may contain links to websites that are infected with malware.

Ransomware: A type of malware that limits or prevents a user’s access to their system. The malicious software may either lock the computer’s screen or the user’s files—often through encryption—until a ransom is paid, typically using an encrypted digital currency like bitcoin. Like other types of malware, ransomware can be spread through email attachments, infected software, infected external storage devices or compromised websites, although a growing number of ransomware attacks have used remote desktop protocols. Its motive is almost always monetary.

Here are some example MSP security standpoints with accompanying delivery tips for communicating with SMB clients.

MSP Notes: Security is not a one-size-fits-all concept; it is a combination of many things.

Delivery to SMB: Antivirus, for example, is just one aspect of security.

MSP Notes: You can make security a less complex, scary and unattainable topic by focusing on specifically what the client is trying to accomplish, and then strategizing on how you can help them take the appropriate steps to get there. You can also show them what exactly their specific vulnerabilities are through a security assessment so that you know what’s needed to protect against those risks.

Delivery to SMB: Here is an example of a device of yours with a high risk score for ransomware and phishing—and if we click on that risk score, we can see that this is due to DNS not being configured, patch policies being out of compliance, and no endpoint protection installed. With a ransomware and phishing risk score of 100, this machine is considered to be at the highest risk and corrective action should be taken immediately.

MSP Notes: Highlight broader security trends in your strategy to exhibit that you are catering your offering to what matters most to the client. The goal is to help get your clients to their desired state in terms of security, so make it known that the measures you’ll take will directly solve their problems.

Delivery to SMB: Ask: “What most scares you about the current state of the threat landscape?”, “What do you see as major risks to your business?”, “What do you want to feel confident you are protected against?”

MSP Notes: It’s also helpful to simplify big breaches in the news, like Equifax, and focus on the root cause.

Delivery to SMB: For example, the Equifax breach happened because patches weren’t applied, so it’s important to effectively manage vulnerabilities.

The way cyber security has been thought of in past years versus the direction it’s heading is significantly different—and this could very well be unknown to your clients. In order to offer successful managed security services and uphold your role as security leader and partner, it’s up to you to ensure these SMBs are onboard with the new requirements. If you’re able to effectively tell the story, you’ll get the buy-in it takes to not only better protect clients, but create a lasting business relationship.

So what does the current definition of cyber security mean to your SMB customers and prospects?

Small businesses generally assume they are already protected from phishing, ransomware and insider threats, having historically secured their data with firewalls, antivirus applications, or two-factor authentication. Those foundational security tools and policies are still required—but due to the modern threat landscape, additional layers of security need to be added into the equation to provide more complete and holistic protection.

This presents an opportunity for the MSP to effectively articulate this shift and essentially redefine how their clients should be thinking about security today.

Defining Your Security Solution

As SMBs across the globe scramble for answers, MSPs can step in with the people, processes and technology they need to remain secure. To do this effectively, it’s crucial that you clearly define your cyber security positioning and solution upfront. Once you have that strategy and associated talk tracks in place, you’ll then be able to deliver true peace-of-mind to your customers in a way that’s profitable and scalable.

MSP Talking Points: Once you’ve identified where your client’s gaps in protection lie, map them to the type of security services that will keep those risks constantly managed. Explain why this type of security is necessary in getting the client to their desired state of protection.

Pro Tip: With Continuum Security, you can create profiles that align with specific customer needs—each of which tells you exactly what technologies should be in place in a particular client environment, and offers real-time alerting and risk scoring to identify vulnerabilities or gaps in protection. This allows you to constantly predict and manage risk, addressing security gaps and controlling risk in real-time. You can continuously monitor and adjust to keep risk levels acceptable and keep your clients protected—and all of these activities provide new revenue opportunities for you as a security services provider.

It’s crucial that you clearly explain upfront what your security solution can and cannot do. Be proactive in communicating how exactly your solution will keep them protected and present the reasoning behind why you’re focusing on certain areas.

It’s important to lay a solid foundation in the way you communicate your security offering to the client. This will ensure they understand the importance of having you on board and leading the way as they navigate cyber security.

Taking an approach that not only brings to life what your services will represent, but also justifies additional fees and services will cement you as a managed security services provider that can ensure clients remain protected and profitable.

MSP Talking Points

It’s likely that your clients aren’t aware of their true risk in the current cyber security landscape. As an MSP, you can spin the prevalence of cyber attacks in a way that will change the way your clients think about what they actually need. Here are some key talking points to get you there.

Communication Type: Defining Acceptable Risk

Start by discussing “acceptable risk.” Your client should understand that there will always be some level of risk in today’s cyber landscape, but partnering with the right managed security services provider will substantially lower their risk level. You can work with your client to define what acceptable risk looks like for them, and determine what it will take to keep their risk at an acceptable level.

Explain that a typical end client gets attacked multiple times per day, and basic security effectively roots out hundreds or even thousands of possible attacks. Then you can discuss whether that one attack that gets through would be too much for the business to handle.

Communication Type: Planning Ahead

Help the client plan for the worst case scenario. If they get ransomed, then what? The answer might be: we’d have to restore from backup, which we only perform once a day—so you could potentially lose 24 hours of work or the system could be down for several hours.

You can ask: “What would the business impact be if the system was down for a few hours and you lose 24 hours of data?” If this is unacceptable for the health of the business, you should work with your client to reduce that specific risk.

Communication Type: Building Trust

Make sure your client sees your relationship as ongoing. If they’re at an unacceptable risk level, you can assure them that your security services will get them to the acceptable range, and you will maintain that by consistently identifying, prioritizing and mitigating gaps in coverage. This essentially justifies additional costs and opens you up to upsell opportunities down the road in your relationship.

Ultimately these tactics will help you develop a common language with your clients and present your services in a comprehensive way.

Objection Handling

The majority of SMBs today actually think they don’t need managed security services. The reality is, the high frequency of debilitating data breaches has spawned a numbness to cyber attacks. For MSPs offering cyber security services, this calls for a major mindset shift.

When clients object to your security sales pitch, often they believe they’re already sufficiently secure. Some audiences tend to think that acceptable risk includes only the risks they’ve already encountered and find additional protection unnecessary.

The way you pitch your cyber security solution to prospects and clients will determine whether or not you get their buy-in—so here are key recommendations on how to successfully navigate those conversations.

SMB Objection: SMBs have nothing worth taking.
Discovery Questions: Do you think you’re at risk? Do you know where your vulnerabilities lie?
MSP Rebuttal: There’s a reason half of all US citizens have suffered a cyber attack: Most cyber attacks aren’t targeted and focus on volume-based techniques to exploit vulnerabilities. SMBs’ data is valuable and the risk of a breach is high if they remain vulnerable.

SMB Objection: I already have the tools in place that will protect me.
Discovery Question: Would you consider your current security tools effective?
MSP Rebuttal: The majority of cyber attacks are sophisticated enough to bypass basic security. Foundational security measures won’t protect against all types of threat vectors at all times. Security needs to be advanced in proactive measures and efficient in reactive capabilities for risk levels to remain consistently acceptable.

SMB Objection: We probably won’t even need to use the security measures in place.
Discovery Questions: Do you think you should prepare for a cyber attack? Would compliance be an issue if you were audited?
MSP Rebuttal: There’s no denying that SMBs have become the primary target of modern cyber attacks—and it’s not a question of if, but when. Don’t leave yourself exposed to risk simply because you haven’t experienced an attack in the past. You wouldn’t stop backing up data just because you’ve never had to recover it, right? The same goes for demonstrating compliance with regulatory standards—it is crucial to be prepared.
Pro Tip: Continuum Security’s Detect & Respond – Network & Compliance provides active network and log monitoring to identify risky or malicious behaviors and attacks within the network, meeting common regulatory requirements.

SMB Objection: I thought you were already providing us the level of security we need.
Discovery Question: How would you describe the difference between foundational and advanced security?
MSP Rebuttal: As today’s landscape continues to evolve, it’s important for us to continue expanding our security portfolio to ensure we’re minimizing risk as much as possible for your business. Historically, we’ve been providing you with things such as [current services, e.g. DNS, Firewall, endpoint protection], and while those have effectively protected from certain attack types, we’re bringing some new services to our customers—including user training—to provide additional layers of security and help you stay safe from things like phishing, ransomware and attacks that specifically target your users.
Pro Tip: Continuum Security’s Detect & Respond – Endpoint product provides fully SOC-supported endpoint monitoring and threat detection to identify active threats and remediate attacks.

SMB Objection: Additional security isn’t worth increasing our spend with you.
Discovery Question: Do you see benefits in working with us on an ongoing basis?
MSP Rebuttal: As the risks and potential damages associated with cyber attacks continue to increase, the reality is you can’t afford not to be protected from these emerging threats. We will work with you to create the right package at the right price point to ensure you’re only leveraging what you need—but we’re very confident in some of these new offerings and want to make sure all of our customers are as protected as possible.

Responding to skeptical SMBs with these talk tracks will justify your cyber security leadership and help you build a foundation of trust. Emerging as your client’s go-to cyber security partner starts with effective communication and buy-in. After that common ground is established, you can keep the conversation going.

Whether you’re offering cyber security education and training or pitching your security pricing packages, there needs to be appropriate context. MSPs will be set up for success if they’re able to properly set the scene and tell the story. With a deep understanding of what cyber security means today for your clients, how you should be leveraging that opportunity, and what it takes to instill trust in your expertise, you’ll nail an impactful explanation.

Continuum Security is the advanced solution MSPs need to deliver the protections their clients demand. With Continuum Security, you can deliver a complete, end-to-end cyber security offering without having to build and maintain in-house operations. The solution combines powerful software with a suite of SOC services to deliver both foundational security and highly advanced protections for SMB customers—including endpoint protection, SIEM, advanced threat intelligence and the capabilities and reporting required to ensure compliance in modern business environments.

Offered Free by: Continuum