Cybercrime is one of the most pressing challenges for businesses today, yet many small businesses fail to take the necessary steps to protect themselves. In a recent Guardz webinar featuring Doni Brass, VP of Product at Guardz, and marketing expert Paul Green, the discussion centered around a surprising truth: most MSP clients aren’t terrified of cyber criminals. Why? Because they don’t know what they don’t know. The conversation highlighted how MSPs can bridge this knowledge gap to motivate their clients toward action.
Here are the three main takeaways from the webinar:
- Make cybersecurity relevant by speaking to clients’ emotions, not their logic.
- Repetition is key: consistently remind clients of the risks and solutions.
- Remove choice: set a mandatory security baseline for all clients.
Let’s unpack these insights and how they can transform the way MSPs communicate cybersecurity to their clients.
1. Make Cybersecurity Relevant to Clients’ Emotions
The biggest hurdle MSPs face is that their clients don’t see themselves as targets of cybercrime. Many small businesses believe cyberattacks only happen to large enterprises, but this misconception leaves them vulnerable. The first step in addressing this issue is making cybersecurity feel real and relevant to them.
The Psychology of Relevance
Paul Green shared a compelling analogy from his personal life: after his home was burglarized, neighbors in his community suddenly took home security seriously, installing alarms and upgrading locks. Why? The burglary made the threat tangible.
Similarly, MSPs must show clients how cybersecurity risks can directly impact their business. Statistics like “70% of small businesses experience cyber incidents annually” don’t resonate because they’re abstract. Instead, MSPs can use tools like dark web monitoring to personalize the risk:
- Show leaked credentials associated with their domain.
- Explain how attackers use automated tools to target small businesses indiscriminately.
Seeing their name or their company’s credentials on a dark web report creates an emotional connection to the risk.
Avoid Fear, Uncertainty, and Doubt (FUD)
While it’s tempting to scare clients into action, relying on fear alone often backfires. Instead, Paul and Doni advocated for building awareness through tangible examples and relatable scenarios. For instance:
- Use real-life ransomware cases to demonstrate the potential consequences of an attack.
- Share stories of businesses that suffered reputational damage or lost customers due to data breaches.
By presenting cybersecurity as a safeguard for their reputation and livelihood, MSPs can shift the conversation from abstract risks to personal stakes.
2. Repetition is Key: The Power of Consistency
Even when clients understand the risks, maintaining their attention and commitment is a challenge. Paul Green emphasized the need for MSPs to repeat their cybersecurity messaging consistently, likening it to radio promotions: people need to hear the same message multiple times before it sticks.
Breaking Through the Noise
The human brain has a built-in filter, the reticular activating system, that prioritizes information deemed relevant. To make cybersecurity a priority for clients, MSPs must:
- Bring it up regularly: Incorporate cybersecurity discussions into every quarterly business review (QBR).
- Use multiple touchpoints: Reinforce messages through emails, newsletters, and meetings.
- Highlight new developments: Keep clients informed about evolving threats, such as ransomware-as-a-service or phishing kits becoming more accessible.
Over time, this repetition ensures that cybersecurity remains at the top of everyone’s mind.
Security Awareness Training
Repetition isn’t just for decision-makers; it’s crucial for employees, too. Cybersecurity awareness training, including phishing simulations and regular exercises, prepares staff to recognize and mitigate threats. While some employees may find these repetitive, consistency builds habits that reduce human error—one of the most significant vulnerabilities in any organization.
3. Remove Choice: Establish a Mandatory Security Baseline
One of the more controversial strategies discussed during the webinar was the idea of removing choice when it comes to cybersecurity. Paul Green argued that MSPs should set a non-negotiable security baseline for all clients. Why? Because offering options often leads clients to choose the cheapest, least effective solution, leaving them and their MSP exposed.
The Case for Mandatory Security
Just as doctors prescribe treatments based on their expertise, MSPs should take the lead in defining their clients’ cybersecurity standards. For new clients, this could mean requiring:
- Multi-factor authentication (MFA) for all users.
- Advanced endpoint detection and response (EDR) solutions.
- Regular backups with tested recovery plans.
For existing clients, MSPs can present upgrades as essential for protecting their business. This might involve:
- Bundling security into standard packages: Include advanced security measures as part of your baseline offering.
- Opt-out upgrades: Automatically upgrade clients’ security measures and require them to opt out if they don’t want the improvements.
By framing these measures as standard practice, MSPs can eliminate the perception of optionality and ensure a consistent level of protection across their client base.
Practical Tools for MSPs
Doni Brass shared several tools and strategies MSPs can use to make cybersecurity tangible and actionable for their clients:
- Dark Web Reports: Generate reports showing leaked credentials associated with a client’s domain. Highlighting real risks creates an emotional connection.
- Security Checklists: Use visual aids, like checklists of recommended security measures, to demonstrate gaps in a client’s protection. A physical checklist can also serve as a decision-making tool during meetings.
- Ransomware Show-and-Tell: Some MSPs use decommissioned laptops infected with ransomware as a teaching tool. Seeing the effects of an attack firsthand can be eye-opening for clients.
These tools help bridge the gap between abstract risks and concrete actions, motivating clients to invest in their cybersecurity.
The Human Element: Selling to Hearts, Not Just Minds
Both Paul and Doni agreed that selling cybersecurity is about more than just logic. Business owners don’t make decisions solely based on facts; they rely on emotional cues and trust. To connect with clients:
- Emphasize your role as a trusted advisor, not just an IT provider.
- Focus on the emotional benefits of security, such as peace of mind and the ability to protect their customers.
- Highlight the reputational risks of a breach and how your services safeguard their brand.
By appealing to clients’ emotions, MSPs can create stronger, more lasting partnerships.
Building a Secure Future
This webinar reinforced an essential truth for MSPs: clients won’t prioritize cybersecurity unless it feels personal, relevant, and unavoidable. By focusing on emotional connections, repeating key messages, and setting mandatory security standards, MSPs can not only protect their clients but also build trust and loyalty.
The insights shared by Doni Brass and Paul Green are a call to action for MSPs to rethink how they communicate cybersecurity. In a world where cyber threats are more accessible and pervasive than ever, MSPs have a critical role to play in bridging the gap between awareness and action.
If you missed the webinar, stay tuned for more events from Guardz, where we empower MSPs with tools, knowledge, and strategies to protect their clients and grow their businesses.