Useful for: MSPs / Partners and IT Departments Selling Security Awareness Solutions; EveryCloud Staff
By Graham O’Reilly, EveryCloud CEO
Selling is at the heart of Security Awareness. The more effectively it’s sold, both into an organization and then within it, the more effective the security becomes. It’s an odd layer of security for us more-geeky types to get our heads around, because it’s really all about communication. But broken down into parts, selling Security Awareness is a process like any other.
So. Let’s start at the beginning... Why?
Understand the good you’re doing.
The reason I dived into the Security Awareness world was to be found during an idyllic walk in the park in Marlow, England. I sat on a bench and started looking out at approximately 100 people playing, laughing, running and generally enjoying themselves. I realized that on average, let’s say five of these people are working to steal, attack and generally hurt the rest when they’re online. That’s sad, and I hope one day that number will be zero people, but while it’s happening, I’ll do everything in my power to help protect the ninety-five others and teach them to protect themselves.
So... first, realize the good you’re doing by selling it. These are real people you’re protecting and teaching to protect themselves. Don’t think about the ‘organization’; think about your brothers, sisters, parents, family members who will be taught to protect themselves more online and stop threats to themselves and their livelihoods.
Next you need to believe in the market
The reason the Security Awareness market is predicted to grow from over $1b in 2014 (Gartner’s estimate) to $10b by 2027 (Cybersecurity Ventures’ forecast) is that the threat, and therefore the need, is growing at the same pace, and Security Awareness has now been around long enough to demonstrate that it can be highly effective at reducing the threat.
“Andrew Walls, research vice president for security, risk and privacy at analyst firm Gartner, estimated the security awareness training market at more than $1 billion in late 2014.
Another Gartner analyst, Perry Carpenter, covers an important slice of that market - security awareness CBT (computer based training) - which he estimated at $240 million for 2016. That figure only accounts for the companies that Gartner covers in its popular Magic Quadrant.
A new report from Cybersecurity Ventures states that training employees how to recognize and defend against cyber attacks is the most underspent sector of the cybersecurity industry - a sector that can be worth $10 billion by 2027.”
This trend means that almost all businesses will have some form of Security Awareness solution in place over the coming years, in the same way they have antivirus or email filtering. It’s another critical layer.
Then you need to believe in the product
Of course, as the CEO of EveryCloud, I’m biased toward my own product. But to be fair, we built our Security Awareness platform to solve the problem in the most effective way we could envision. I’ll try to talk more broadly about what I think a good product should offer.
An automated platform that takes most of the work away for the IT department.
Combines simulation, training and proactive protection. My belief here is that we should focus on the wider tools and not just phishing simulation and phishing training. The threats will evolve and so must the platform.
An effective approach to training. Are people really going to sit through 1 hour of training on their computer? Or will they keep it running and do something else? Effective training should be short, engaging and regular.
Includes comprehension testing to ensure people have actually watched and understood the training videos.
Has great content! On the simulation side, templates are everything. It doesn’t help anyone to send obvious or outdated templates; they need to track the lures attackers are actually using right now. Train staff against realistic, current lures so that the real ones are no harder than what they have already practised on.
Is active in the inbox. Encouraging staff to report suspicious email is a key piece of the puzzle, so a one-click report button in the mail client (an Outlook plugin, for most organizations) is a must.
I won’t add much more here, because we’ve built (and continue to build) our platform to be what we believe is the best.
Now let's dig into the actual sale and the various sales arguments
When it comes to ROI, it’s hard to find solutions that give more.
But just as important is the impact on the real people involved. Companies go bankrupt because of cyber attacks, teams and departments lose their jobs, and all of this creates a great deal of pain that a structured solution, good practices and awareness can prevent. This is the key to selling the solution, and protecting against it is how I see my job. Then there is the reputation damage: customers hold the negative effects against the company that got hacked.
For example, a member of our team just learned their credit score went down 65 points for having been a Capital One credit card customer. This would directly affect their rates for borrowing money, getting insurance and so on. If their score was already borderline, it might be enough to keep them from getting credit at all! If that happened, a good attorney would probably suggest they sue. And they could certainly flame the company online and never do business with it again. This is just one example of the impossible-to-calculate costs.
Social Engineering Is A Gaping Hole
Social engineering plays a part in most successful attacks. Organizations spend huge sums on email filtering, antivirus and firewalls, but those controls count for little if staff give out passwords over the phone or type their credentials into fake websites.
Cybercriminals stole over $2.5 million from North Carolina’s Cabarrus County through an email fraud (a business email compromise) in which they posed as a contractor and requested a change to the bank account used for electronic funds transfers.
A spear-phishing attack on a large U.S. bank’s IT help desk resulted in a breach of roughly 40,000 customer records that went undiscovered for 185 days. The estimated cost to the bank is expected to top $7 million.
Ransomware Is Devastating
Like many in our industry, I grew up being that person who was constantly asked by older relatives to help fix their broken computer after it was infected by a virus. Think of Security Awareness as a way of channeling your geeky side to help others before it gets to that point.
Hollywood Presbyterian Medical Center was forced to declare an internal emergency when ransomware, delivered via a phishing email, locked down the hospital’s computer systems until a ransom of around $17,000 was paid.
Compliance requirements are getting stronger for all sizes of organizations
Did you know, for example, that any business that accepts credit card payments from customers must comply with PCI DSS, while a business offering healthcare services is subject to HIPAA in the US, to GDPR if it processes the personal data of EU residents, and to other regulations depending on its geographic location?
GDPR governs the personal data of EU residents and places an array of obligations on organizations that process it. Fines for violating GDPR come in two tiers: up to €10 million or 2% of the firm’s worldwide annual turnover for the preceding financial year for lesser infringements, and up to €20 million or 4% for the most serious ones, in each case whichever is higher. The size of a fine is determined in part by how damaging the breach was and by the extent to which the organization had appropriate technical and organisational measures in place beforehand.
The EU is advising we should “Expect more GDPR fines in 2019.”
Examples affecting the US include the Children’s Online Privacy Protection Act, the Video Privacy Protection Act and the Health Insurance Portability and Accountability Act, as well as breach notification laws in all 50 states.
A good Security Awareness solution will offer regular, automated training to keep staff up to date on compliance requirements.
Legally you are required to act "reasonably" and take "necessary" measures against a known threat. If you don’t, you risk violating compliance laws, regulations or recent case law. Your organization must "scale security measures to reflect the threat."
The board expects it. Any organization that experiences an attack and didn’t have an adequate Security Awareness program in place will have serious questions to answer to the board. Failure in this area puts everyone at risk.
Security Awareness is a competitive differentiator. According to a recent survey, consumers now see cybersecurity and data privacy as one of the three main reasons to select a retailer, beating even price. We often look only at the downside risk, but it’s important to factor in that a workforce (and marketing) outwardly demonstrating that you’re security aware can increase sales revenue significantly. Trust is everything when you’re doing business with a new organization.
Manage The Sale & Timelines
Run a baseline phishing simulation test, but realize it’s just one small piece of the discussion. Security Awareness is partly about phishing simulation (it’s one tool) and reducing the risk of phishing attacks, but really it’s a much-wider solution about education and habit change. EveryCloud offers a free phish for all of your customers, via your own free partner account.
Product Demo. A great product demo is always important. Focus on the benefits and value rather than trying to show every piece of functionality.
Understand that you’re selling a whole Security Awareness program, not just the platform itself. The IT department will want to get staff fully engaged with the process, working through a detailed plan and implementing processes around it. Anywhere you can assist with this adds a huge amount of value. We featured a great example (slides / background) of this in IT Pro Tuesday recently; that sysadmin worked on and practised it for over a year. MSPs / EveryCloud Staff: sysadmins will deeply appreciate you helping them with this huge task and giving them the tools to automate much of it. Sysadmins: we salute you, and hopefully this article will help you sell the concept internally.
This is probably the most critical part: while demonstrating value is great, you must manage the timescales. If someone is replacing their existing email filtering or antivirus, the timeline is already established. With a newer market like Security Awareness, those time limits aren’t in place, so you have to create them. Some ways of doing this are:
Get commitment to the process. During the first discussion with the customer, set a defined ‘Review Period’ and set expectations that once it’s completed, you’ll want to discuss moving forward with a full program (or agreeing not to pursue it).
Link the sale to a renewal of an existing service / product you are selling them, and offer several incentives—e.g., a 15% discount, advanced support and 5 email templates you build for their organization if they take it with the renewal.
Run time-limited promotions.
Build a package that is limited to the first x customers. This can create time limits and real scarcity, genuinely giving the customer something that won’t be available later.
We’ve combined some of these ideas to work with our partners to create a too-good-to-refuse offer for customers.
People generally look for other people similar to themselves to guide them on a buying decision. Since we started EveryCloud, we’ve focused very hard on customer service and have collected reviews from those customers. We now have over 280 five-star reviews on Spiceworks. Explaining this to prospects helps prove we did what we said we’d do for a lot of customers who were once in a similar place to where they are now.
You can do the same thing by introducing clients or bosses to other people who have been in a similar situation with Security Awareness and are now successfully on the other side.
Selling SaaS or a Managed Service is essentially saying ‘we’ll agree to keep improving our services for you in return for money’. So realize the sale is as much about trust in the people & future as it is about the product today.
To close off the sale, simply return to the point I made at the beginning; believe in the service and the good you’re doing. With this attitude, it’s easy to recommend finalizing the sale so we can start teaching and protecting all the people around you.
How MSPs Can Add More Value
Security Awareness is a uniquely powerful product for MSPs to sell because there are so many services that can be added around it. Once the platform itself is sold, it enables MSPs to offer:
Custom Template Service
Custom Video Content Service
Phishing as a Service - Whereby you’re charging a monthly fee to create email templates and landing pages that are specific to the customer’s organization, perhaps reworking their own login pages and using their own email designs
A Security Awareness Program - With checklists, review cycles and documentation
Incident response helpdesk - Supporting customers to respond to their own users
We believe we’re just at the beginning of our Security Awareness journey and are busy developing more tools that sit in the fascinating space between technology, people and psychology. I’d love to hear your thoughts in the comments below (you’ll need an EveryCloud account; just sign up to our Free Phish or our Free Mailflow Monitor if you don’t have one) or via reddit (u/crispyducks), twitter, linkedin, or carrier pigeon.