Blog Articles
Read MSP360’s latest news and expert articles about MSP business and technology

3 Reasons Why Selling Cybersecurity to the SMB is a Challenge (and What to Do About It)

3 Reasons Why Selling Cybersecurity to the SMB is a Challenge (and What to Do About It)

As MSPs look for ways to get through to SMBs that aren’t seeing the need for cybersecurity services, the answer lies in shifting the conversation away from technology.

Remember when backup services first became a thing and MSPs grabbed onto the service, only to have customers tell you that it sounds like an over-glorified insurance policy? Well, trying to sell SMB customers cybersecurity services has a bit of that same feeling, doesn’t it? Even though we’re about 5-6 years into cyberattacks truly being a daily occurrence and an everyday topic, there’s still this persistent disbelief that it’s a problem that the SMB needs you to solve for them.

But why is that?

As you attempt to sell cybersecurity services, there are three reasons – that likely all play a role – why you aren’t seeing the acceptance and adoption of this new service you’re offering.

Reason 1: The SMB Still Doesn’t Think They’re at Risk

You’ve likely heard it before: “That’s a problem for larger businesses.” Because of the limited revenues SMBs bring in, it makes sense that they think the bad guys are focused on the “whale” organizations with supposed deep pockets. But this just isn’t the case. According to the Webroot BrightCloud Threat Report, just over one-third (34%) of businesses with 21-100 employees have experienced malware infections as a result of cyberattacks, with an average of 9 infections! That same report points out that 82% of ransomware attacks targeted businesses with fewer than 1,000 employees, with 44% of attacks targeting businesses with fewer than 100 employees.

In short, the SMB is most definitely a target! (They just don’t know it!)

Overcoming the Challenge

This may be a longer-term play, but the answer lies in educating the customer on what the state of cyberattacks looks like, who is being targeted, the ways cyberattacks occur, and what they should be doing about it. This can be implemented as a series of blogs, webinars, podcasts, etc. It definitely isn’t something you’re going to be able to just tell a prospective customer once and have them a) believe you and b) be ready to sign up for your cybersecurity service. So, begin to think about how you can best create (or curate) content that educates your customer. A decent strategy might be to use a tool like – a curation platform where you can specify search terms and websites to watch that provides you with an easy way to grab blog posts and create your own blog quickly.

The Value of Backup in Ransomware Protection Strategy
What your ransomware protection strategy should look like? Learn in this whitepaper:
New call-to-action
Ransomware WP icon

Reason 2: They Don’t See the Value

Enterprises get the fact that it will cost them a ton should they become the victim of a cyberattack. There are countless examples in the news, as well as reports that focus on the repercussions that enterprises are facing, and the risk alone is enough to get an enterprise business’s attention. However, the SMB is trying to keep the lights on, pay the bills, and make a little profit – so they likely see a ton more risk in just keeping the business going and are less concerned about the threat of a cyberattack.

This means that cybersecurity has little value to them, as it isn’t mitigating any business risk.

But, according to the CyberCatch Small and Medium-Sized Businesses Ransomware Report, three-quarters of SMB customers’ businesses wouldn’t survive more than 7 days after a ransomware attack. Being out of business a week from now is a significantly larger risk than anything your customer is currently concerned about. The trick is to get them to understand just how much business risk we are talking about.

Overcoming the Challenge

As with the first challenge, this one comes down to education as well – but an education that will likely not take anywhere near as long. Once you have a prospect who understands that the threat of cyberattacks is a reality, the education they need is to understand what the impact will be on their business should they succumb to an attack, how it will affect their ability to operate, how long recovery will take (assuming you’re already offering backup and recovery services to them), and what it will cost them in practical terms.

Use of customer anecdotes (leaving names out of it, of course), projections based on what data protection they have in place, as well as industry data – all presented through the lens of “what’s at risk” from a business perspective – is what it’s going to take to get them to see the value.

Reason 3: You’re Having the Wrong Conversation with Your Customer

Most MSPs started as one or two IT pros deciding to do it on their own, where talking tech with a customer was pretty much second nature. Hopefully, you’ve learned that your customer doesn’t care one bit about the tech being used; they care about how it keeps them operational, how it helps them grow, and how it makes them profitable.

So, if you come in guns blazing, telling your customer “you need cybersecurity”, telling them all about the layered defense strategy you employ, their eyes are going to roll into the back of their head. Don’t talk about technology with them – that’s the wrong conversation to be having. All your conversations about new services (cybersecurity included) should start with the customer’s pain and your ability to take that pain away.

Overcoming the Challenge

Begin the conversation by talking about operations, the business, what aspects are critical, etc. (and, if you’re already providing disaster recovery services, focus in on the protected workloads from a business standpoint). Ask your customer how impactful it would be if workloads were inaccessible, employees couldn’t work, and if they had to spend cycles and money dealing with a data breach or ransomware attack. In short, what if they couldn’t operate? Then ask how long they could sustain the business (likely measured in days) before it became truly catastrophic. Then talk about the value cybersecurity services offer, perhaps citing what percentage of attacks are stopped by the solutions you employ (no doubt well above 99-point-something percent) to protect them and prevent cyberattacks from taking shape.

WP icon

New call-to-action
The MSP’s Response Guide to a Ransomware Attack

Read our free guide to learn about:

  • Common MSP vulnerabilities;
  • How to prepare for a ransomware attack to keep your clients safe;
  • Which actions response to a ransomware attack should involve;
  • How to manage clients while handling an attack.

Notice that nowhere in the conversation are you discussing tech, where solutions are deployed, how it works, etc. It’s purely a business conversation. It’s no different from if you were selling a machine that would replace a customer’s manual process – you’d ask how much it costs to perform the process manually, what kinds of errors occur (and their impact), and then discuss how your solution provides the customer with the outcome they want (a more productive and cost-efficient way to perform the process). You wouldn’t lead with how the machine offers these features and those capabilities; you’d just talk about how it takes away the customer’s pain. Do the same thing but talk about the pain that cyberattacks will eventually bring to the customer and how they can prevent that from ever happening.

“Selling” Cybersecurity

By now, you should realize that you’re not going to sell cybersecurity at all; in fact, you’re selling uptime, resilience, operational availability, productivity, and profitability – all in the face of a cyberattacker who seeks the exact opposite. So, realize you’re in the business of keeping your customer in business, and modify your sales strategy to educate them on how a cyberattack would affect their business, how cybersecurity mitigates the risk, and the impact your services will have on keeping the customer operational.