
Post on 05-Jul-2020


Averting Disaster: The cybersecurity threats keeping your customers awake at night

Sponsored by

CRN ON: CYBERSECURITY

“To err is human, but to really foul things up you need a computer.”

So said scientist Paul R Ehrlich, and he certainly had a point. In this day and age, all it takes is an employee clicking on a rogue link for the whole of a company’s IT system to come crashing down around them and for their business to forfeit potentially hundreds of thousands of pounds in lost productivity.

At a CRN On event in central London, sponsored by Datto, a host of security experts gathered together to discuss the importance of proper staff awareness training and the most pressing security issues facing the channel today.

The overwhelming message of the day was that opportunities abound for MSPs/VARs to offer customers additional services in the form of staff training and education about the very real threats facing every business today. Nobody is immune. Speakers also alluded to the importance of getting a proper business continuity plan in place should the armour be penetrated.

According to figures from analyst Markets and Markets, the security market is set to be worth $170bn (£129bn) by 2020, with Gartner estimating the value of the 2018 security market at around $96bn.

And opportunities are emerging from some more unusual places as well as the traditional corporate demands. According to Statista, the Internet of Things security market will be worth $40bn by 2020, with areas such as connected TV worth $5.5bn and the connected car security market offering a $1.5bn opportunity.

But the market is driven by the customer – if they are unwilling to buy certain solutions then it is a difficult job persuading them otherwise, so the channel certainly has its work cut out, particularly as buyers are not only more savvy, but are making buying decisions at a board level. Selling any solution is harder than ever before and requires more effort and resources to convince customers to part with their cash.

Speaking on a panel discussion about the challenges associated with selling security, Paul Stringfellow, technical director at Gardner Systems, said getting in front of the right people is absolutely key.

“When talking to a business, you realise how serious they are about security. If you are only talking to the IT guys on the floor and nobody else above them is interested, then you are wasting your time,” he said.

“The buy-in has to be absolute – the people who actually sign the cheques have to have total buy-in and understand what they are investing in. If you have not brought people in from top to bottom, the ones at the top will not sign it off and the people at the bottom are not going to support it. They will moan and find ways of getting around it.

“That is the challenge for us as a channel – if you don’t see how a company views security, compliance and security education, you will be working hard to sell a solution and they will not buy into it.”

Chris Tate, business development director at Datto, said buying patterns have changed for vendors too – a point that is often overlooked.

“We see the same as MSPs – if we are pitching our solutions to pure tech people they will say they prefer another vendor, but if we pitch to owner managers or CFOs/directors, it is a lot better and they are more open,” he said.

What do customers fear the most?

To get the sales approach right, it is advisable to have an understanding of what is actually keeping customers awake at night in terms of security.

CRN conducted a survey among end users in order to gauge the appetite for security solutions, and also to see how prepared they are in the event of a cyberattack. The findings, which were revealed exclusively at the Datto-sponsored event, were quite shocking, and respondents were also not shy in sharing their views about the shortcomings of IT providers.

Companies are under increasing pressure to keep their customer data safe and secure, but it is not just a case of buying a few solutions, sticking them together and hoping for the best. Often the threat comes from within, due to a workforce who are unaware of the dangers they face from phishing emails, ransomware and increasingly clever cybercriminals. And this means customers have to not only look out for external threats, but also be aware of the dangers their own staff pose to their businesses. This raises a new load of challenges for the channel, as attendees to a CRN On Cybersecurity conference found out.

Threats from all sides

1. What percentage of your budget is spent on security?

<10% 44%

<20% 45%

<50% 8%

>50% 1%

Other 2%

To set the scene, respondents were all end-user customers, ranging from one-man bands to firms with more than 1,000 employees. They were from both the public and private sectors, and IT budgets ranged from less than £25,000 to more than £25m.

Respondents were asked what percentage of their budget they spend on security (see Fig 1, p2) – and a whopping combined 89 per cent said they spend less than 20 per cent of their budgets on it. However, when budgets are sizable this does add up, and security should be considered as part of every sell. Just one per cent said they spent more than 50 per cent of their budgets on IT security.

When asked whether they would be increasing their security budgets this coming year (see Fig 2, above), a significant 56 per cent said they would not, although 28 per cent said they would be ploughing 10 per cent more cash into security, and six per cent said they would increase their spend by 20 per cent. In encouraging news for the channel, eight per cent said they were planning to upgrade their entire security strategy and two per cent said they were looking to double their budgets.

CRN then asked respondents to quantify the cost of a security breach by asking them to estimate what 24 hours of downtime would cost (see Fig 3, below left).

In response, 18 per cent said it would cost them up to £25,000, but 17 per cent said it would cost up to £100,000. A further 15 per cent said it would be less than £10,000, but the same number said it would cost over £1m. Additionally, 12 per cent said it would cost them up to £50,000. Five per cent said they would rather not say, and 11 per cent said it would see them £250,000 worse off, with seven per cent £500,000 out of pocket.

But despite these rather alarming figures, convincing customers to part with their hard-earned cash when it comes to security is no mean feat.

Despite ransomware being the greatest fear of 26 per cent of respondents (see Fig 4, below), and 22 per cent fearing human error, with other fears including end-point security, business email compromise and the threat from disgruntled employees, many are still very cautious when it comes to signing off new security solutions and it is up to the channel to find the holy grail of selling and also to encourage them to think about employee education.

Rhys Parfitt, head of services solutions at XMA, said: “This comes full circle. The way MSPs/VARs actually service their customer base from a security perspective has changed, and you only have to look at how many vendor products and different focal points are required from customers. Also, is every customer aware of what they are spending on security?”

Sam Reed, chief technology officer at MSP Air-IT, said it is important that customers understand what they are being sold.

“Many of them will say: ‘well, don’t you do that anyway?’ when you are talking about new solutions – so it is key that they understand exactly what they are getting before you start. It is better to go on the angle of business orientated and feature led – ie what are the business benefits of putting in a certain solution? What is the value to them as a business? It has to be saving them money one way or another,” he said.

2. Are you planning on increasing your security budget this year?

No 56%

Yes, by 10% 28%

Yes, by 20% 6%

Yes, by 50% 2%

We plan to upgrade our entire security strategy 8%

3. What would the estimated cost be to your business for 24 hours’ downtime?

<£10,000 15%

Up to £25,000 18%

Up to £50,000 12%

Up to £100,000 17%

Up to £250,000 11%

Up to £500,000 7%

Over £1m 15%

Rather not say 5%

4. What is your greatest fear when it comes to your company’s security?

Ransomware 26%

Human error 22%

End-point security 17%

DDoS 13%

Business email compromise 9%

Disgruntled former employees 6%

Spear phishing 2%

Other 5%


When trying to convince customers to part with their cash, vendors are not always the most helpful or supportive to their partners. The panel said there was plenty a vendor could do.

Datto’s Tate said it was important to get the messaging right. “One thing I try to guard against is scaremongering. Especially when talking to SMB business owners, you see those stats over and over again. I like to keep it realistic,” he explained.

“At Datto, we do a lot of events and talk to customers about business continuity – so we inform them about the risks but don’t let them think we are scaremongering.”

XMA’s Parfitt said vendors need to help partners understand where their technology could fit in:

“The challenge comes back to the complexity of the landscape,” he said. “If you take something as simple as web and mail filtering, MSPs and VARs need to understand where all these solutions fit for their respective customers. It is not a one-size-fits-all.

“For example, it may be a mail and web-filtering solution for an SMB, with another combination more suitable for the public sector and likewise another one again for enterprise. Trying to narrow that down from the hundreds of solutions in the market is hard – vendors need to convey the value of what they are offering, and also differentiate from that blur of noise.”

Parfitt added that XMA often adopts the technologies and uses itself as a case study for customers.

“We all have the same challenges,” he said. “It gives us really clear insight into the value and where it sits in the target market.”

Air-IT’s Reed agreed and said vendors need to realise that client models are very different.

“You can’t take an enterprise or 250-seat solution and say it is SMB ready – it really isn’t. Sometimes vendors are so out of touch with what customers need. Vendors need to understand the market out there and not just what the dream is. If all you offer is the ‘gold standard’ then people will not take the product. Everybody wants the dream, but it isn’t always possible,” he said.

Preparing for the worst

Returning to the CRN survey, end-user customers were asked how informed their staff were in all matters relating to security and whether they conduct regular – or in fact any – training to keep them up to date.

A total of 32 per cent said they send out regular emails to their employees – but is that really enough to address the issue? Aren’t people drowning in email already? A further 28 per cent said they hold regular meetings to educate staff about the threats they are facing and 11 per cent said they hold regular threat-simulation training.

Fourteen per cent said they expect the senior management team to pass on their knowledge to their own teams and even more worryingly, 15 per cent said they don’t hold any sort of training at all, they just expect staff to be aware. Regular training is key, and something that firms should do as a matter of course. More on that further in the report.

Of those who answered that they provide no training, 26 per cent said they have neither the expertise nor the time to do it in-house, 13 per cent said they didn’t need it, 16 per cent said it was because of budget issues and another 15 per cent said they just focus on external threats rather than internal ones.

CRN also asked whether the customers have an action plan if they are breached from the inside (see Fig 5, above left). On a positive note, 68 per cent said they would be able to locate the infected machine(s) and isolate it/them immediately. In great news for the channel, 21 per cent said they would contact their IT services provider immediately and leave it to them. However, eight per cent said they had not even thought about it.

With the channel in mind, the next question asked respondents whether, if they didn’t already, they would consider using a service provider for staff training and company security policy purposes (see Fig 6, below).

Positively, 10 per cent said they would definitely invest in that type of service.

A further 37 per cent said they would definitely consider investing if the price was right, and 20 per cent said they would be interested in hearing more about the services but would not necessarily invest straight away.

5. Do you have an action plan for if you are breached from the outside?

We would be able to locate the infected device(s) and isolate it/them immediately 68%

We would contact our IT services provider and leave it to them 21%

We haven’t even thought about it 8%

Other 3%

6. If you don’t already, would you consider using a service provider for staff training and company security policy purposes?

Yes, definitely 10%

We would consider it if the price was right 37%

We would be interested in learning more about these services, but not necessarily investing 20%

We don’t use service providers 33%

Whichever way these answers are looked at, a combined 67 per cent of respondents would at least consider training as a service, if not invest straight away. That translates into a serious opportunity for the channel.

The panel also agreed it was a service that more MSPs should consider offering.

Reed said that the appetite for training is often there and customers don’t even realise it.

“It is all about having conversations with the client and asking them whether they know what a phishing email is, for example. People working in finance or marketing might not spot it, but partners can help customers nip it in the bud by offering training,” he said.

“However, it is important to pick those clients and make sure you have the right conversations with the right people.

“If they don’t act on your recommendation, you need to warn them of the dangers of not taking the technology or service and what it might cost them in the long run. They need to be aware of the risks they are taking.”

Parfitt said customers definitely appear to be taking training more seriously.

“The worst thing you can do as a partner is present a technology or solution to a customer where you can’t train them and manage it, or offer them a managed service so they can use it to the best of their ability. Customers seem to be embracing spending on training more than they were a couple of years ago.”

It is all about having that conversation, Stringfellow said.

“We want to talk to people all the time about phishing tests, but it is about articulating the appropriate message to customers. It is not about fear, it is about value,” he added.

“Mostly, people are interested in hearing more, but unless you have the conversation, they are rarely thinking about the need for it.”

Channel perceptions

As the comments and results have alluded to, selling security is all about perceptions, and it is vital that the channel ensures its customers have the right impression from the outset. Unfortunately, judging by the results of the final few questions asked in the CRN survey, it would appear there is still plenty of work to be done.

Respondents were asked what qualities they look for in an IT service provider and were encouraged to pick at least two options (see Fig 7, right).

Topping the board with 87 per cent of votes was technical knowledge, with 61 per cent also wanting efficiency of service – both points expected of any IT service professional. Next was the age-old issue of price – with 47 per cent wanting the best possible – always a tricky balancing act when vendors are constantly raising their prices. Honesty followed next with 42 per cent of the vote, and proactiveness scored 41 per cent. The ability to listen garnered 32 per cent of the vote, with regular communication scoring 27 per cent. A further five per cent said all of the above.

Customers were also asked to share their worst experiences (see Fig 8, below) and the overwhelming majority – 51 per cent – said that IT providers often overpromise and underdeliver. Price reared its ugly head again, with 17 per cent saying costs keep going up, but again, this is often due to vendors passing costs onto their partners.

A further 14 per cent said VARs/MSPs react when it is too late and cost them money in downtime, and 10 per cent said their partners could not meet deadlines. Finally, six per cent said their IT suppliers had failed to keep in touch, another mistake. Just two per cent were happy with their IT suppliers.

CRN then asked respondents whether or not they have had to change their IT service provider because of a bad experience (see Fig 9, p6). The results were fairly shocking.

A total of 44 per cent had changed their provider more than once because of a bad experience, and 23 per cent had changed once. So 67 per cent in total have taken on the expense and hassle, at least once, of bringing a new provider on board because their previous one gave such poor service. Hardly a great reputation. A further 15 per cent said they were considering it. Again, not the answer that we should be hearing. On a more positive note, 18 per cent said they were happy with the service they were receiving.

7. Which qualities do you look for in an IT service provider?

Technical knowledge 87%

Efficiency of service 61%

Best price 47%

Honesty 42%

Proactiveness 41%

Ability to listen 32%

Regular communication 27%

All the above 5%

8. What is the worst experience you have had with service providers?

Overpromise & underdeliver 51%

Costs keep going up 17%

React too late 14%

Cannot meet deadlines 10%

Fail to keep in touch 6%

We are happy 2%

About the sponsor, Datto

Datto is an innovative company at its core and is an exciting and dynamic workplace. We are 100 per cent focused on our managed service provider partners and believe that with the right technology, managed service providers can change how businesses around the world operate.

Datto provides data protection, business continuity, networking, business management, and file backup and sync products that enable and protect the clients of our 14,000+ partners. We are headquartered in Norwalk, Connecticut and have 22 offices worldwide.

CRN’s final question asked respondents what they wanted from their IT providers when it came to security (see Fig 10, right). The majority – 48 per cent – said they wanted security to be incorporated into everything they buy. A further 33 per cent said resellers need to be more proactive in warning them about threats – again highlighting the importance of communication.

In total, 11 per cent want VARs to keep them up to date about new technology coming to market, and four per cent felt part of the general service offered should include staff awareness training. Four per cent wanted all of the above.

Conclusion

As the research and the corresponding event have highlighted, there is still a real opportunity for the channel when it comes to security, and a relatively untapped area of potential revenue in the form of staff training.

Customers are often too focused on external threats when it comes to protecting their valuable assets, and many just never really consider the fact that their own employees will be the weakest link. However, the fact that human error is one of customers’ biggest fears proves it is something that needs to be addressed.

As the panellists from the event alluded to, partners need to ensure they are having conversations with the right people in every organisation, and making them aware of the threats they face and the solutions that can allay their fears, particularly around staff awareness and business continuity. Every person at every level within a given company should be able to recognise a phishing email or a dodgy link, and know not to click on them. But it certainly isn’t the case at the moment.

However, it is also agreed that vendors need to up their game and ensure they keep their solution offerings as simple as possible and not just assume that all their partners’ customers are the same and have identical needs. Listening – both at partner and customer level – is absolutely key.

VARs/MSPs that can get in there early and add staff awareness training to their services arsenal will definitely reap the benefits, because the appetite is there among end users. It is all about communication, and ensuring those customers are aware that it is a service they can not only afford, but that will ensure protection from all angles.

9. Have you changed service providers because of terrible service?

Yes, more than once 44%

Yes, once 23%

No, but we are considering it 15%

No, we are happy with the service we are receiving 18%

10. What should service providers do more of when it comes to security?

Incorporate security into everything we buy 48%

Be more proactive in warning about potential threats 33%

Keep us up to date about new tech 11%

Part of their service should include staff awareness training 4%

All of the above 4%