With 24/7 news cycles and an overabundance of social media streams, the flow of information available on the internet is mind-boggling. Unfortunately, the accuracy of the reports, suggestions, and “facts” shared through those forums is questionable, at best. The truth often gets distorted by opinions or through the loss or changing of certain elements of the stories told over and over again.
In many cases, alternate versions of facts and statistics can easily become accepted by the masses today. What’s really happening doesn’t seem to matter to those who distribute false information.
The misunderstandings and fallacies around ransomware serve as a great illustration. At times, there seems to be more bad information and outright mistakes in the news about these cyber threats than truths. Some misperceptions may be unintentional. For example, the lack of reporting requirements for many small businesses limits the amount of information about the attacks that occur in that community.
Inexperience and lack of cybersecurity expertise also feed the misinformation streams. The complexity of ransomware can be overwhelming to a novice, and the differing opinions over defensive measures and risks leave a lot of room for misinterpretation.
MSPs face an uphill battle fighting those myths and misperceptions with clients and prospects. Many business owners would rather believe all the false narratives than trust the recommendations of a salesperson, regardless of their past experiences or company reputation. The question for MSPs is how best to dispel those mistaken but entrenched ideas and opinions, especially when significant financial investments may be involved.
Conquer the Myths
The first step in educating clients and prospects about the misperceptions about ransomware is to recognize those fallacies. Of course, that process gets complicated when the people who need to be educated lack technical skills and knowledge, or unfortunately could care less about cybersecurity. MSPs deal with that issue every day. However, with simple and constant communication about real ransomware threats, your chances of getting through to the decision-makers will rise significantly.
Let’s start by acknowledging some of the most common fallacies in the business community:
- “Paying the ransom will get us back to work quickly.” Over the past few years, and increasingly since the pandemic hit, virtually every ransomware attack victim could testify to the inaccuracy of this statement. Complete recovery may never happen. An MSP with deep cybersecurity skills might restore basic services and data in a couple of days (perhaps hours in the most optimal scenario). However, the business may still experience a loss of information and customer confidence, especially if their systems were not properly configured and supported before the attack. The big assumption with this statement is that cybercriminals are trustworthy. A recent research report suggests that while the number of organizations deciding to pay a ransom increased to 32% in 2021 (from 26% in 2020), only 8% of those businesses gained access to all their stolen data. More than 29% of those companies could not recover more than half of their encrypted information. Getting back to work quickly by paying the ransom is a pipedream that very few businesses, if any, will ever realize.
- “Our company is too small to be a target.” The press frequently emphasizes the risks to enterprise businesses while minimizing the danger to SMBs and individuals. Articles and news reports may not deliberately give the green light to small companies regarding cybersecurity, but it may seem that way. Due to public disclosure laws and leaks that apply more to enterprise companies than the SMB, it’s easier to find and share stories about Fortune 500 ransomware attacks than incidents involving local law firms or print shops. Most of those events go under the radar. Unfortunately, this remains one of the largest cybersecurity objections for MSPs and fighting that perception can be difficult. Leveraging industry sourced-data such as the Datto Global State of the Channel Ransomware Report can be helpful. In their most recent study, nearly 60% of MSPs reported that their SMB customers experienced a ransomware attack in the third quarter of 2020, and the average cost of downtime increased 94% to $274,200. Look for relevant data and be sure to share it with clients and prospects as often as possible.
- “Cybersecurity is a one-time event.” Regardless of how infrequently it may occur, preparing for a ransomware attack is a continual process. These incidents are not a one-and-done occurrence that gives previously targeted businesses a perpetual “get out of cyberattacks free” card. As long as the doors to those companies remain open, they must continue to increase investments to protect their data, systems, personnel, and clients. Ransomware attacks can also linger for years. After finding a way into one business system, the malware can wait and watch users’ activities, mapping key data and information paths until the time is right to inflict the most damage. These are not fast strike events but disciplined methodologies that maximize the profit potential for cybercriminals.
- “Our business data has no value.” Information is gold today. Virtually every organization collects and stores some sort of data that cybercriminals can turn into cash. MSPs can enlighten their clients and prospects by sharing the types of information being bought and sold on the Dark Web, including basic personnel details such as names, birthdates, and Social Security Numbers. Customer credit data is tremendously valuable, as are PayPal and bank account numbers. Email may be the largest treasure trove of all since employees tend to share and save an overabundance of confidential and critical business information in inboxes and folders. Every organization has something of value to protect from cybercriminals today.
- “Current cybersecurity measures are good enough.” This myth is one of the most common objections for MSPs. What does an adequate defense look like, and at what point should you and your clients be satisfied with their protection? While MSPs may never be satisfied and should never offer assurances, the business owner on the other side is always trying to justify the expenses. Determining an ROI for these investments is an impossible task, and at no point should anyone feel 100% safe from cybercriminals. Thanks to innovations such as AI and machine learning, and an endless stream of money funding purveyors of ransomware, security that was “good enough” before is no longer good enough.
- “Tech professionals can easily decrypt the data.” MSPs are often so good at fixing things their clients screw up that those customers can become overconfident in their provider’s capabilities. Ransomware is one of those multi-faceted challenges that has no easy answers, and every situation can require a completely different solution. Decrypting data and restoring critical business systems is certainly no easy task. Do your clients understand the challenges? Not the speeds and feeds of the technologies or all the details about the restoration process, but the realistic outcomes of an attack with and without the proper defenses in place. Those discussions can be helpful, as can sharing the cost of ransomware remediation services and downtime. Putting that information into a “dollars and cents” format will ensure that they pay more attention when you pitch more proactive measures.
- “Ransomware just locks down a single device.” Despite all the media reports and information on cybersecurity attacks, many people still don’t understand how much system-wide damage this malware can inflict. While this knowledge may seem rudimentary to an MSP, your clients may know little to nothing about the mechanics of a ransomware attack. Sharing infographics and flowcharts can help. Enrolling and ensuring that all end-users are active in awareness training, including owners and managers, is essential.
- “MSPs are impervious to attacks.” Every business is a target today, and managed services providers are certainly not an exception. MSPs are increasingly finding themselves in the crosshairs of cybercriminals and ransomware attacks. Networked into potentially hundreds of endpoints, cracking a provider’s firewall could give hackers access to a virtually unlimited number of computers and a wide array of valuable data. No business is infallible. Just a single slip by an employee (not necessarily a skilled tech) could be all it takes to bring down an MSP’s networks, clients, and reputation. While that’s not information you should promote to your customers, it is a reason why providers should always “drink their own champagne” when it comes to cybersecurity. Implement the measures you would recommend to clients and show everyone (including prospects) how to effectively “walk the walk” with data defenses.
Demystifying the myths around ransomware will not be an easy task. Crafting clear communications and delivering educational content such as webinars and blogs takes a lot of time and a concerted effort. The end goal for MSPs is to change the perceptions around ransomware and encourage clients to take action.
The best way to stop these attacks is to educate those who use each system. The more they know and the fewer fallacies they believe, the easier it will be to prevent future episodes.