Published on September 18th, 2019 📆 | 6351 Views ⚑
0How MSPs Can Overcome Optimism Bias to Sell Cybersecurity Solutions
Show clients the threats slipping through their defenses to help them overcome their optimism bias.
By Adrien Gendre, Chief Solutions Architect, Vade Secure
How many times have you heard someone say, âIt wonât happen to meâ?
In psychology, this type of response is known as optimism bias. Also known as âthe illusion of invulnerability,â optimism bias is the belief that weâre more likely to experience good â not bad â outcomes. In other words, we disregard the reality of a situation because we think weâre excluded from the potential negative effects.
As a managed service provider (MSP), youâve likely encountered optimism bias from your clients, particularly when discussing cybersecurity. According to the Ponemon Instituteâs 2018 State of SMB Cybersecurity Report, 67% of SMBs reported having experienced a cybersecurity attack in the last 12 months. This is a fact. Yet, optimism bias leads your clients to believe theyâll be among the lucky 33% who experience no event. âIt wonât happen to me,â theyâll say. But the law of percentages dictates otherwise.
So how can you help your clients overcome their optimism bias to ensure theyâre investing in stronger cybersecurity controls, including your cybersecurity services and solutions?
Well, psychology says stress can help. Stressful events trigger a physiological change that causes us to take in any sort of warning and become fixated on what might go wrong. Itâs believed that this neural response helped early humans to survive; with a heightened focus on potential hazards, they were able to successfully avoid predators. This same response helps firefighters more accurately assess risk and make the right decisions when rushing into a burning building.
When it comes to cybersecurity, thereâs really only one metaphorical burning building: falling victim to a cyberattack. And while cyber incidents are often a (reactive) trigger for increased investment, theyâre clearly not a viable long-term sales strategy for MSPs. Theyâre expensive (costing SMBs $1.43 million per incident in 2018), messy to clean up, and put your clientâs and your businessâ reputations on the line â 37% of SMBs say they would hold their MSP solely accountable for a cyberattack; 74% would be willing to take legal action.
Getting Clients to Act
So itâs in your best interest as your clientâs trusted adviser to create just enough stress â letâs call it urgency â that theyâre motivated to act before an attack disrupts their business and yours. Here are three tips for doing that:
1. Show them how similar organizations are affected by cyberattacks.
Generalized statistics are too abstract, too logical. Theyâre not emotional enough to overcome optimism bias. âI wonât be one of the 67% of SMBs that experiences an attack,â your client will confidently proclaim.
Instead, you could show them how a similar organization was affected and use this example to illustrate the potential impact and aftermath of a cyberattack on their own business.
Take, for example, the high-profile ransomware attack that crippled the city of Atlanta last year, disrupting the Police Department records system, infrastructure maintenance requests, the judicial system and online bill pay. All told, the city spent more than $2.6 million on emergency response efforts. If youâre an official for a local government, itâs easier to project the negative outcomes faced by a peer onto your own organization. At the time, we received several requests from local government agencies who said, âWe see whatâs happening in Atlanta. We donât want to be next.â
Set up Google Alerts for terms like phishing, spear phishing, business email compromise, malware and âŚ
Gloss