Selling cybersecurity: common objections and how to combat them

| By:
Jay Ryerse

Cybersecurity is one of the hardest variables to control as user error becomes more prevalent across businesses everywhere. Unfortunately, many SMBs who work with managed service providers (MSPs) assume they are safe and protected and are therefore not taking proper precautions. As an IT professional who understands the threat landscape and the risks that exist, how can you navigate the challenge of selling your security services while simultaneously empowering your clients to take preventive measures into their own hands?

Selling cybersecurity services is a delicate dance between overcoming common objections and educating your clients. Many small-and-medium-sized businesses (SMBs) are not hyper-aware of IT security prevention best practices. Therefore, they are under the misconception that they shouldn’t be too concerned about their businesses, leading them to object to having an MSP on their side. Having that frame of mind is risky, and MSPs need to make a valid effort to help clients see the light.

As an MSP, you will help SMBs define and enhance their IT security strategy and navigate the turbulent cybersecurity landscape. After all, it is your mission to protect, support, and educate your clients. To do so, you need to meet their objections with the truth and help them shift their mindset around what it means to reach a business-grade security posture.

Ahead, five commonly heard objections, and the truth behind each one.

1. “My IT team has me covered.”

When it comes to cybersecurity, ignorance is not bliss. What your clients don’t know can and will hurt them. As an MSP, the best thing you can do is talk to your clients frequently and be completely transparent. It’s been reported that 91% of SMBs would change service providers for the right cybersecurity. So, constant communication with your client ensures that someone else doesn’t have a game-changing conversation with them before you do.

Lay out for them exactly what your service does and does not cover. Conduct security assessments at a minimum once a year so they can understand their security position. And show them how vulnerable they are (for example, watch how easily this hacker breaks into a personal computer).

Don’t forget to educate your client on the measures they need to take on their end to protect their networks. The burden doesn’t fall entirely on the MSP. Empower and train your clients to instill some basic cybersecurity measures into their daily culture. For instance, remind them over and over how important it is to use strong passwords. Show them the sheet below so they can see just how easy it is to break a password.

2. “I don’t have the budget for security services.”

Many businesses—especially smaller ones—are understandably very budget-conscious and may presume that they don’t have enough wiggle room to add robust cybersecurity services to their plate. The truth is, paying for cybersecurity services is a tiny fraction of the cost it would take to recover from a cyberattack.

Cyberattacks now cost companies about $200,000 on average. That’s more than enough to put a small company out of business—and that’s the average cost of just one attack.

It is a stressful and necessary task to put together a budget for a business, but cybersecurity must be prioritized. The alternative is potentially losing the business altogether.

3. “My data is not important to bad actors.”

It’s easy to fall under the notion that only large companies have data that’s worth stealing. That’s far from the truth. Whether it be employee records, information about clients, or financial details, every business has valuable data.

The important thing to remember here is that hackers don’t necessarily want someone’s info; they want to act on how important that info is to a business. In other words, they want to hold data ransom until they are paid big bucks to get it back.

Ransom is surging, with average payments around $178,000—an increase of 60% quarter over quarter, and reports say that ransom attacks are happening every 14 seconds.

A ransom payment is not the only point of concern here. What will it cost your client to go without access to their data or systems should they be breached? Can they survive five days without access?

Again, the ramifications of a random ransomware attack can be cause for a business going under.

4. “A cybersecurity attack won’t happen to me.”

No one wants to believe they are going to be the victim of an attack. SMBs may think that they are less vulnerable to a cyberattack because they are not big or well-known, but as long as a business has any sort of digital footprint, they are considered a target.

A recent study published by Ponemon Institute found that 66% of SMBs worldwide reported a cyberattack within the previous year. That’s appalling, and that number is sure to continue rising.

The harsh reality is that we are all vulnerable, and we all need to put the proper cyber defenses in place to protect ourselves.

5. “My firewall (or other technology) is enough.”

Businesses who rely too much on a single piece of technology to keep them protected play a dangerous game. The average hacker is in a network for 197 days before attacking. Your antivirus alone is not going to get the job done.

This is perhaps the most challenging objection for MSPs to overcome because their clients assume their firewall plus MSP services cover all bases.

The truth is, the combination of a great technology stack, professional security services, AND employee best practices is what’s needed to protect one’s house. This is where the education piece of the puzzle plays a major role. Clients need to understand what they are responsible for versus what their MSP partner is responsible for versus what their software can and can’t cover.

Once a business makes it super difficult for anyone to infiltrate their system, they also need to have an incident response plan in place to help mitigate and recover from an attack.

In conclusion

We’re living in a world where cyberattacks are the norm and are on the rise. Cybersecurity services are no longer a nice-to-have for a business but are a must.

As an MSP, it’s your job to talk to your clients and make sure they are fully aware of how well or not they are covered. Only 13% of MSPs are having risk conversations with their clients on an ongoing basis. Having risk-focused conversations positions you as a trusted adviser and not just a vendor. To get to that trusted adviser level:

  • Meet objections with facts so that prospects and clients have a true understanding of the current threat landscape
  • Educate and empower your clients to believe in the power and necessity of cybersecurity
  • Remain knowledgeable and certified in all things cybersecurity
  • Communicate, communicate, communicate frequently so that all stakeholders are aligned and armed with the tools they need