How MSPs Can Overcome Optimism Bias to Sell Cybersecurity Solutions

Adrian Gendre

By Adrien Gendre, Chief Solutions Architect, Vade Secure

How many times have you heard someone say, “It won’t happen to me”?

In psychology, this type of response is known as optimism bias. Also known as “the illusion of invulnerability,” optimism bias is the belief that we’re more likely to experience good — not bad — outcomes. In other words, we disregard the reality of a situation because we think we’re excluded from the potential negative effects.

As a managed service provider (MSP), you’ve likely encountered optimism bias from your clients, particularly when discussing cybersecurity. According to the Ponemon Institute’s 2018 State of SMB Cybersecurity Report, 67% of SMBs reported having experienced a cybersecurity attack in the last 12 months. This is a fact. Yet, optimism bias leads your clients to believe they’ll be among the lucky 33% who experience no event. “It won’t happen to me,” they’ll say. But the law of percentages dictates otherwise.

So how can you help your clients overcome their optimism bias to ensure they’re investing in stronger cybersecurity controls, including your cybersecurity services and solutions?

Well, psychology says stress can help. Stressful events trigger a physiological change that causes us to take in any sort of warning and become fixated on what might go wrong. It’s believed that this neural response helped early humans to survive; with a heightened focus on potential hazards, they were able to successfully avoid predators. This same response helps firefighters more accurately assess risk and make the right decisions when rushing into a burning building.

When it comes to cybersecurity, there’s really only one metaphorical burning building: falling victim to a cyberattack. And while cyber incidents are often a (reactive) trigger for increased investment, they’re clearly not a viable long-term sales strategy for MSPs. They’re expensive (costing SMBs $1.43 million per incident in 2018), messy to clean up, and put your client’s and your business’ reputations on the line — 37% of SMBs say they would hold their MSP solely accountable for a cyberattack; 74% would be willing to take legal action.

Getting Clients to Act

So it’s in your best interest as your client’s trusted adviser to create just enough stress — let’s call it urgency — that they’re motivated to act before an attack disrupts their business and yours. Here are three tips for doing that:

1. Show them how similar organizations are affected by cyberattacks.

Generalized statistics are too abstract, too logical. They’re not emotional enough to overcome optimism bias. “I won’t be one of the 67% of SMBs that experiences an attack,” your client will confidently proclaim.

Instead, you could show them how a similar organization was affected and use this example to illustrate the potential impact and aftermath of a cyberattack on their own business.

Take, for example, the high-profile ransomware attack that crippled the city of Atlanta last year, disrupting the Police Department records system, infrastructure maintenance requests, the judicial system and online bill pay. All told, the city spent more than $2.6 million on emergency response efforts. If you’re an official for a local government, it’s easier to project the negative outcomes faced by a peer onto your own organization. At the time, we received several requests from local government agencies who said, “We see what’s happening in Atlanta. We don’t want to be next.”

Set up Google Alerts for terms like phishing, spear phishing, business email compromise, malware and …

Comments are closed.