You can’t not have a conversation about ransomware with your customers. The risk that ransomware poses to their businesses is too great not to discuss. Your customers need to be aware of how the growing ransomware threat is evolving and what they can do to minimize risk. The more they know, the easier it’s going to be to do your job.
Table of Contents
What your customers think about ransomware
If you're an MSP, you know how much of a threat ransomware poses. You are familiar with data points like the one showing that cybercriminals in the first nine months of 2019 launched ransomware attacks against 621 government entities, healthcare service providers, school districts, and colleges and universities, according to a blog post by anti-malware and antivirus software provider Emisoft.
But your customers are not MSPs, and they may not be aware of statistics like these -- and even if they are, they may not think that ransomware is a serious threat to their particular businesses. As a result, they don't think they need to pay for ransomware protection.
Customers can have mistaken beliefs about ransomware for several reasons. For one, it's easy for customers to assume that their business is too small or unimportant to be the target of ransomware and they may not realize that companies of all sizes are routinely targeted.
Likewise, some clients may think that they are immune against ransomware because they believe they don't have any sensitive data that could be held for ransom. They mistakenly think that ransomware attacks only target businesses that store financial data, social security numbers or other information that is inherently sensitive. The reality, of course, is that even the most benign data can fall victim to ransomware. Ransomware attackers are not necessarily out to encrypt highly sensitive data; if they gain access to any data that is critical to a business, they can take it for ransom.
Finally, some customers also fall into the trap of thinking that they are safe from ransomware because they have protections in place. They may believe that their antivirus program makes them immune from attack, for example, or that a firewall keeps them safe. But as MSPs know, a robust anti-ransomware strategy requires more than just setting up basic cybersecurity tools.
For all of these reasons, your customers must understand the severity of the risk that ransomware poses to businesses of all types. When they do, they are more inclined to protect themselves by implementing proactive security measures.
If you’re unsure of how to approach your customers about ransomware, here are a few ways to go about it.
Use cybersecurity breaches in the news as a way to begin a conversation about ransomware
It’s now easier than ever to discuss being proactive about cybersecurity with customers. Nearly every day, there’s a story in the news about another data breach impacting a company’s customer base. Using well-known examples can assist you with broaching the subject of ransomware with customers.
While this tactic is a great way to inform customers about the impact of ransomware on businesses and other entities, don't come off as fearmonger. Be helpful with your advice by following the educational tips described later in this article.
How much do your customers know about ransomware?
Your customers are more than likely familiar with the increasing number of cybersecurity attacks in general. But what they’re probably not aware of is how ransomware works, and what happens when it targets an insecure network, meaning one unprepared to handle such a threat.
Walk through ransomware scenarios with them. Even better, simulate a ransomware attack for them (there are plenty of simulators available online). It’s a lot easier for them to understand the seriousness of a ransomware attack after witnessing the damage it can cause.
Explain the harm in terms your customers can understand.
Further reading How Ransomware Works and How to Protect Yourself With Backups
Highlight the costs of a ransomware attack
As you know, a ransomware attack can ruin a business, especially if the business owner pays the ransom, which goes against the advice of many cybersecurity professionals and federal agencies. Things aren’t getting better for ransomware victims; cybercriminals are demanding more.
The average ransom payment jumped from $12,762 in Q1 2019 to $36,295 in Q2 2019, an increase of 184%, according to data published by ransomware recovery vendor Coveware.
Another cost to highlight to your customers is downtime. IT downtime costs businesses on average $1.55 million every year, according to a report by Ireland-based IT solutions company, ERS IT Solutions. Not only that, but the length of downtime is increasing.
Average downtime was 9.6 days in Q2 2019, compared to 7.3 days in Q1 2019, according to Coveware.
How to educate customers about ransomware
When you talk to your customers about ransomware, the goal shouldn't be simply to make them understand that the threat is real. Ultimately, you should aim to educate them about best practices to follow, so they can avoid being the victims of a ransomware attack.
Toward that end, consider the following strategies for educating customers about ransomware:
- Value of updates: Clients should understand the importance of keeping everything in their IT estate updated -- applications, operating systems, passwords and more. As the MSP, you may be responsible for some of these updates, but probably not all. Customers need to understand the importance of updating any assets that they manage.
- Attack simulation: Encourage your customers to simulate phishing attacks. For example, send an email to employees that is designed to look like a phishing email, and see how many people click on links in it.
- Prepare educational materials: You can offer clients materials (such as presentations, whitepaper, mailers and so on) that they can use to educate their own employees about ransomware.
- Put the right technology in place: No amount of cybersecurity tools or configurations guarantees immunity against cyberware. But taking basic cybersecurity steps will go a long way toward mitigating the risk. This Reddit thread offers good tips on strategies that businesses can adopt without breaking the bank. Use ideas like these to guide your own managed security services, if you offer them, or to guide your clients on how to secure their systems themselves.
Ransomware attacks are increasing. The first line of defense is your customers. Educate them on what they need to know about evolving ransomware security threats and you'll make them safer, while also making your job easier. It's a win-win.