Email security solutions are vital to protecting your managed services clients from phishing and other email attacks. MSPs can make some common mistakes, however, which, ultimately, can create security vulnerabilities. Members of CompTIA’s Executive Council, Joshua Smith, enterprise sales engineer – SoCal for Sophos, and Lysa Myers, security researcher at ESET, share some advice on how make sure your clients make informed decisions about email security.
1Don’t explain that email security is a separate solution.
Smith says a lot of people assume email security comes with other services, like Desktop as a Service or antivirus. It’s important to explain, however, what each solution does – and doesn’t do. Smith points out that MSPs need to stress the necessity for email security and advise their clients to deploy it. “Cybersecurity services should include defending email,” Smith says.
2You aren’t educating SMBs about why they need it.
Smith explains that although businesses in certain industries such as financial and healthcare are required to use email security solutions, all businesses can benefit from them. “Cybercriminals are targeting all businesses and SMBs just as much as large enterprises. If they can compromise an SMB’s system, they can harvest their contact list or collect ransom. Even though the cybercriminal would make less money, it’s usually easier to steal from the smaller guy because they have less security,” explains Smith.
He says SMBs often decide that instead of deploying email security solutions, they’ll deal with a cyberattack when it happens. “But ransomware can cost tens — or hundreds — of thousands of dollars to pay off and resolve,” says Smith. “Email security should only cost a few bucks per user per month. Even if you consider the cost of email security over ten years, do the math and you’ll see that it’s well worth it.”
Educating businesses about the risks of not using an email security solution, says Smith, is up to MSPs: “They know their business, but they don’t know how to secure their networks or what they should be doing. It’s the MSP’s job to relay that information, either through fear or education. That’s your mission.”
3You let your customers think email security solutions are still complicated.
Myers says people shy away from email security solutions because of past experiences with complicated solutions. “In the past, the emphasis was on doing things securely and not on how people used them,” she says.
Myers explains that when a solution is too difficult to use, people tend to find workarounds or even ways to deactivate the solution. “Our job is to make it possible to do the things they need to do, but to do them securely,” Myers says. “Solutions needed to be much more seamless and unobtrusive.”
“Complexity is an objection that MSPs hear a lot,” says Myers. “But it’s easier now.” She says it’s one thing to tell a prospect that the user experience will be different than it was years ago, but “have them try it and experience for themselves how much less of a hurdle it is.”
Myers says to make solutions as user-friendly as possible, look at it from the users’ point of view. Provide solutions that take the burden off the user and work automatically or with a single click. “It should be as effortless as possible or something that happens by default. If it’s too hard to use, people won’t use it and everyone loses,” she says.
4You don’t argue when a prospect tells you their employees don’t make mistakes.
Smith says businesses that have provided their employees with some training or just assume they know how not to fall prey to a phishing attack may think that an email security solution isn’t necessary.
“See if they’ll agree to a phishing test to see if their employees will click a link, open an attachment, or go to a fake website and enter their names and passwords,” says Smith. “That could prove they are just one rogue click away from destruction.”
“People are the weakest link in a security solution,” Smith comments. “As an MSP or VAR, you need to add value — if you aren’t educating your clients, then why shouldn’t they just sign up for a service on their own? Education should be a part of every security solution.”
Smith comments that teaching users about email security is a lot more fun than it used to be. “We have games, cartoons, and videos that make it edutainment. They’re focused sessions, but users can laugh along,” he says. He points out that education has to be continuous, keeping users up on the newest tactics that cybercriminals are using.
5You think you need to be a security expert to sell email security.
Finally, Smith says another mistake that MSPs make is believing they aren’t qualified to sell email security. “Don’t be afraid to sell things you don’t fully understand. Your vendors have systems in place to help you roll it out,” he explains. “Remember you’re selling to non-technical people. Focus on the benefits rather than technical details — speak to them as one user to another. You can embrace selling security solutions first and then leverage your vendors to learn about the technology.”
We can all only know so much. Be a jack of all trades and rely on your vendors,” he says.