
Security Conversation Guide

Overview
Unless a client or prospect has recently suffered a successful cyberattack, convincing them that they need security
services above and beyond what you or they are already doing requires a thoughtful, multi-touch approach. Be
prepared to spend time raising their awareness, educating them, assessing their risks, and putting forth an action plan
to address their risks.

The following can help you get the conversation going and keep it moving towards the initial goal of getting the client
or prospect to agree to a security risk assessment.

Conversation 1: Building Awareness


Goal: Agreement on the Need for Greater Education on Security

You: [Conversation starter]: Today it’s a question of when, not if, your business will be attacked. When it does happen to your company, how prepared are you?
Client/Prospect: We’re not big enough to have to worry about cybercriminals targeting our business.

You: Many small businesses think that they’re not targets for cybercriminals, and in the past, they were probably right. Today, it’s different though because cybercriminals believe that smaller businesses are easier targets. In fact, today 67% of SMBs experience cyberattacks.
Client/Prospect: We don’t have data that would be worth the effort for them.

You: You’d be surprised at all the valuable assets you have in your business right now that a cybercriminal would love to get their hands on. How about financial transactions? What about supply chain credentials? Personal employee data?
Client/Prospect: I’m sure we have that kind of information protected already.

You: Security is much more complex these days, which means that the likelihood of a company having security gaps is pretty high. If you had to speculate where your business was most vulnerable, where would you suspect it would be?
Client/Prospect: [Listen for if they can answer this question and how well they understand what makes them vulnerable]

You: Cybercriminals are not only more plentiful and targeting businesses like yours, they’re also causing far more damage than in the past. Employees are a growing risk as well, after all, they have the access and the knowledge, whether they use it maliciously or are unwitting pawns of cybercriminals.

Bottom line is that a significant attack could result in losses that impact your business for a long time. Almost half of SMBs believe that a major data breach could cause them to go out of business.

But there are things you can start doing right away to improve your security without spending additional money. We’d love to do a training/seminar for your employees to bring you up to date on best practices for keeping your business protected. What do you think?
Client/Prospect: Sure, that sounds like it would be worthwhile.

What to Listen For
During the conversation, listen for clues about the client or prospect’s level of knowledge about the security risks to
their business and how they prioritize it. Does the client believe that antivirus is the same as security and that anything
more is overkill? If so, bring in stats and stories from recent attacks on local SMBs and/or ones in similar verticals
that show the various tactics (at a high level) that criminals used. Point out that the same IT strategy they (or you, as
their MSP) have been deploying for years simply isn’t enough to protect businesses of any size today. This is a good
opportunity to share the measures you’ve put in place to protect your own small business.

Conversation 2: Initiating Discovery


Goal: Agreement to Perform a Security Assessment

You: [Conversation starter]: While educating your users on what they can do to avoid being victims of a cyberattack is a good security best practice, the next thing to think about is what you will do when an attack happens anyway. What is your plan for responding to an attack or breach?
Client/Prospect: Can’t we call your company for help with that? You’re the experts.

You: While we can help you react to an event you discover, serious damage may already have been done to your business. It could be weeks or months before you figure out that something happened.

Industry studies show that the mean time to detect a threat within your network is 190 days (that’s 6+ months), while the mean time to contain a threat is 57 days (almost 2 months). The longer it takes to detect or contain a threat, the more it costs.

Being proactive lets you reduce the risk of a real threat causing serious damage and gives you an action plan to discover and respond quickly to an attack. Wouldn’t you rather put your resources into preventative measures than exert more resources and money into damage control?
Client/Prospect: I think we already have preventative measures in place.

You: The first step to being proactive is understanding which assets you have that need protecting. Have you taken an inventory?
Client/Prospect: I’m sure that we know where our data is and what we have, but I don’t think we have a list.

You: You should have an inventory of all your assets that need protection, including things like credentials. As you know, cyberthieves have many tactics for getting users to reveal their login information for important systems. Do you know whether your users’ credentials have already been compromised?
Client/Prospect: I’m sure they haven’t. Users with access to important data know they need to protect their credentials, especially now that we’ve given them more training.

You: Let’s do a quick check … [initiate proof point, such as searching the dark web to uncover compromised credentials]
Client/Prospect: Wow! Looks like we need to do a better job of protecting our information.

You: This is the tip of the iceberg. There are many other vulnerabilities and security gaps that might increase your business’ risk of a successful attack. Awareness is the first step in developing a smart plan for your business and budget. Wouldn’t it be helpful to understand what your risks are? We follow industry-standard frameworks that analyze a wide breadth of potential gaps.
Client/Prospect: I think our risks are probably pretty low, but it would be good to confirm that.

What to Listen For
At this point, listen for clues about the client or prospect’s understanding of what an adequate security strategy entails
and their confidence that security risks are being properly managed and mitigated. If the client begins to express
doubt about whether the business is protected adequately, it’s a good time to propose a risk assessment.

Conversation 2: Reviewing Top Risks to Discuss Action Plan


Goal: Agreement to Send a Proposal with the Action Plan

You: [Conversation starter]: Thank you for working with us to complete a risk assessment. Here is a printout of the report. Let’s walk through it together to determine which risks are most critical to address.

[walk through report with the customer and the impact of not addressing their top risks]

We’d recommend getting started as soon as possible before some of those risks turn into actual attacks.
Client/Prospect: I’m not sure that we can commit to addressing all of these items you’ve identified as critical. It looks like a lot of money and I don’t have it in the budget.

You: I understand that this wasn’t foreseen in the current budget, which is why we’re here to plan ahead with you. We believe in a layered approach to security that is geared towards the unique needs of each customer.
Client/Prospect: Our budget is limited and we’d have to weigh these items against our other non-discretionary business expenses.

You: I know that this is an unplanned expense, but it’s something every small business needs to plan for today as a cost of doing business.
Client/Prospect: If we were attacked, I don’t think it would cost us as much as it would to address all the items on your list.

You: A cyberattack can cost you far more than what it would take to remediate the risk upfront. Not even considering the costs to get your business going again, repair and restore systems, and other recovery costs, just think about the lost revenue and costs of an attack that shuts down your operations for several days or even a week — what impact would that have on your business’ profitability?
Client/Prospect: We already have backups in place, right?

You: Of course, we have appropriate measures for backups, but as we’ve shown in the risk assessment, companies need more than that today to protect their businesses from today’s sophisticated attacks. If [example business] had closed its security gaps, then maybe it wouldn’t have [insert local cyberattack story aftermath].

Our MSP is establishing new standard requirements for security based on the sophistication of the attacks today.

You don’t have to address all your security gaps at one time, but you do need to get started as soon as possible.

Why don’t we start with some of the medium to high risks that are more digestible to you today (e.g., creating security policies). That way we can start to improve your security posture while you plan for your next budget cycle to reach a more acceptable level of risk over time. Can I send you a proposal with an action plan that spans the next [insert timeframe]?
Client/Prospect: I don’t want the same thing to happen to us that happened to [example business]. Let’s discuss what it’ll take to get started.

Further Objection Handling

Objection: Aren’t we already paying your company for security?
Response: The services we’ve been providing your business include (list of services), which include basic security measures such as (list of capabilities).

However, our managed security offerings, which you don’t currently have, are designed to address the new threat landscape we find ourselves in today, where basic security is no longer enough.

Objection: We’ve already put security in place because we have to be compliant with (HIPAA, PCI DSS, SOX, etc.)
Response: While regulations set certain levels of security requirements, they often only apply to specific types of data. But your business has more to protect than what’s covered under the regulations. Plus, cybercriminals change their methods frequently, while regulations are updated much less frequently. Complying with the most current regulations still means that you could be several steps behind the latest threats.

Objection: It’s a lot of money to spend that I don’t have in the budget.
Response: Do you have cash reserves set aside for post-attack cleanup and restoring your operations? The average cost of a data breach for SMBs is going up significantly every year. For example, a recent survey shows that a breach causes an average of $149,000 in damages, yet most small-to-medium-sized businesses thought cyberattacks would cost them under $10,000. These days, the cost of getting your business operational again is often far more than the cost to protect it in the first place.
