If your MSP is hacked you're screwed

Episode 20: If your MSP is hacked you’re screwed

Paul Green


In this week’s episode

  • It’s devastating for any business to suffer an IT security breach, but when it happens to an MSP it could mean ‘game over’. Following a huge story in the channel about the foiled hacking of an MSP, Paul explains how talking about your security measures could improve relationships with clients and prospects alike
  • Also this week, and on the subject of security, how a simple phishing test could lead to increased monthly recurring revenue
  • There’s also a fascinating conversation with a special guest about how to see IT buying from a client’s point of view. And a great listener question on how to build trust with prospects

Show notes

Episode transcription

Voiceover:
Made in the UK for MSPs around the world. This is Paul Green’s MSP Marketing podcast.

Paul Green:
Hello and welcome to episode 20. Here’s what’s coming up in this week’s show.

Tracy Pound:
We can’t bandy around those types of terms, not knowing whether or not the receiver of our message really understands what it is that we’re trying to say.

Paul Green:
We’re also going to be talking about a great tool that will help your clients and prospects to self-identify if they need phishing training, and we’ve got a question from an MSP about how to build trust with prospects.

Voiceover:
Paul Green’s MSP Marketing podcast.

Paul Green:
I think one of the scariest things you can talk to any MSP about is the prospect of you being hacked. I mean could you just imagine how business ending it would be if you got hacked and through you, the hackers accessed your clients? There’s virtually no way back from that. I’m looking at an article on crn.com back from February and the headline is, “I’m Selling Access To An MSP: How Three Vendors Teamed To Foil Hacking Plot.” Now, you’ve probably heard about this. It’s how Datto, Huntress Labs and ConnectWise found an MSP’s access credentials up for sale on the dark web, and they worked together to find the suspect. The suspect was arrested, which is absolutely great. But maybe it’s the thing that keeps you up at night.

Paul Green:
I had this discussion a few weeks ago with my MSP Masterminders. These are small groups of noncompeting MSPs. We meet in the UK and we meet once a month. We sit around a table and we talk about everything that grows the business, and we talk about things that get in the way of growing the business. The fear of being hacked is such a huge one that we came up with a bit of a mini list of things that you could do to secure your RMM, for example. So simple things like enabling multifactor authentication and of course, making sure that that MFA is not email based and of course, it’s not text-based, because of course, SIM jacking is very much a thing.

Paul Green:
We talked about things like removing the ability for someone to click on “I forgot my password,” because if they’ve breached one of your staff’s email accounts and someone could go and click on, “I forgot my password” and reset the password link. We discussed that instead, having a couple of admins with the ability to manually reset passwords when required would be a better thing. We discussed removing things like “trust this device” capabilities. Even me, a layman who’s not a tech has looked at … I think it’s Xero, the accounting software system, is do you want to trust this device for 14 days? Even I’m thinking no, because what if I lose the laptop? Whereas if I have to generate a code every single time I log in, that seems safer.

Paul Green:
We talked about forcing stricter password requirements even on your staff using random password generators. Of course, using password management tools, at least minimum 12 character mixed passwords, or using pass phrases or sentences. Some of the other more technical things that my Masterminders discussed were setting IP restrictions for host access and admin, which apparently, is done through the admin console. You still have to be careful if you get locked out of your RMM on that. But the point being that there’s lots of things that you can do within your business. Actually, all of those things that we’ve just been talking about there, aren’t they the things that you would want your clients to do?

Paul Green:
There is a concept and you’ll have heard it, it comes out of Apple, but when Steve Jobs was running it the second time round, which is do you drink your own Kool-Aid? The goal with the first iPhone and with the iPods and with the Macs was that those computers and those phones have to be good enough that Apple could use them every single day as their main devices. You think about 15 years ago, they wouldn’t have actually used their own devices because they just weren’t good enough. So do you drink your own data security Kool-Aid? Have you got multifactor authentication everywhere, proper MFA? Do you remove the, “forget my password” and “trust this device” capabilities? You recommend it to your clients. Okay, some of them ignore it, but are you doing it within your own business?

Paul Green:
I would say, as a series of basic things that you should do, you should just do those things. In fact, you should be telling your clients that you’ve done those things, and you should be recommending it as your standard best practice data security checklist. Maybe even you’d put one together and you’d say to your clients, “Look, we’ve got this basic checklist for data security. This is what we do. We run through this with every single one of our devices, every single one of our staff. We highly recommend you do the same.” Because when someone sees their supplier, their trusted partner doing something, and it’s the same things that they recommend that they do for them so that the seller, the vendor is doing the same things as the client is, that engenders a huge amount of trust and an enormous amount of goodwill. So this isn’t just good for security, this is actually good for marketing and sales as well.

Voiceover:
Here’s this week’s clever idea.

Paul Green:
They’re on the same vein. I’m sure you’ve recommended to many of your clients that they have phishing training whether you buy and resell the one that’s bundled into ID Agent or Continuum, or of course, there’s KnowBe4. There’s loads of phishing training out there, so you don’t have to physically go on site and do it. But of course clients go, “Nah, we don’t need that. We wouldn’t make that mistake.” Well now, there’s a tool that you can use. In fact, you can embed it into your website to show them whether or not they actually need to do some phishing training. It’s a website we found called PhishingBox.com, and if you go to phishingbox.com/phishing-iq-test … We’ll put that URL into the show notes on my website.

Paul Green:
I’m just on that website now and I’m looking at it. It says, “Is the image below of a real email or a phishing email?” It says it’s from QuickBooks. I’m just looking at the domain name, donotreply@quickbooks.com, and it’s about recent changes to your credit card. Yeah, that looks all right, so I’m going to mark that as a real email. The next one we’ve got is the image below of a real email or a phishing email, and we’ve got the same one here. This one says it’s from Wells Fargo, but it’s got a … ah, it’s got a secure mail attachment, but the word attachment that’s been spelled wrong. So I’m going to mark that as a phishing email. I’m 20% completed, so it looks like there are 10 questions in this. It’s quite clever because it’s making me have a look at it. So this next one from the email address, noreply@dropboxteam.com, so I’m going to say that that’s a phishing email. Be really interesting to see what score I get out of this.

Paul Green:
Anyway, this is a service that you can buy from PhishingBox. I believe that you can embed it into your website. I’m just having a look on the pricing. For a single company, it’s not a huge amount of money, so clearly you can sell this training. But the fact that you can embed that test into your website and actually use that as a way to show your clients, “You’re not as good at phishing as you think you are.” So often it’s the person at the top who tends to be a little bit more rubbish at phishing than some of the staff, but certainly a tool like this is a good way for them just to see how good or bad they are as an organisation, which is going to help you to actually sell some phishing training.

Voiceover:
Paul’s blatant plug.

Paul Green:
Surprisingly this week, my blatant plug isn’t going to cost you any money because it’s something that I would like to give to you. You see a couple of years ago, I wrote a book. It’s called Updating Servers Doesn’t Grow Your Business. As the title suggests, it’s about the need to work on the business rather than in the business. In fact, it contains within a whole series of suggestions, a whole bunch of advice, a whole load of marketing ideas for you to grow your MSP. Now, this is a physical print book. I had 5,000 printed in the UK, and we’ve given away around about 1,800 of those so far.

Paul Green:
The big news is we’ve just had some printed in the United States as well, because we all know that no one ever really reads PDFs. They just sit on laptops. We’ve been sending PDFs to the States for the last year, and now we’ve actually got physical print copies that have been printed somewhere just outside of New York City, and we are posting those around the US as well. So if you want to just go onto my website, you go onto paulgreensmspmarketing.com and right there on the homepage, there are details of how you can get a free copy of my book, Updating Servers Doesn’t Grow Your Business. Go on, go and get your free copy now.

Voiceover:
The big interview.

Tracy Pound:
Hi, I’m Tracy Pound, and I run a business and own a business called MaximITy, which is all services around IT and technology, but my background is I’ve been in the IT industry for 35 years. I sit on the board of directors for CompTIA worldwide, and I’m also part of the CompTIA Executive Council here in the UK. So I do a lot of work in and around the channel as well as with end users.

Paul Green:
I want to talk to you today Tracy, about how difficult it is for most MSPs to look at their business from the decision maker’s point of view. Yet that’s a critical skill that we have to develop, isn’t it?

Tracy Pound:
It is, absolutely. I think, in today’s world, end users and decision makers are much more informed about technology than they ever have been in the past. They want to know that their suppliers and the people that they work with understand their business. Not just the technology that supports it, but understand their business and their industry. That’s quite a hard thing to do for managed service providers because they’ll be looking after lots of different organisations and lots of different industries. So they’re going to have to become more chameleon-like, for want of a better phrase, in being able to use other industries’ language and terminology and really understand what technology means for the end user business.

Paul Green:
But doing this in a way where you’re not using jargon. I mean we know that even the word “the cloud” is jargon to people outside of our world, because the cloud can mean lots and lots of different things to them. What are some of the things that you see MSPs doing which almost moves them further away from a sale rather than moving them closer?

Tracy Pound:
That’s a really good question. Still talking about technology is really disengaging from an end user’s perspective. They don’t want to know that they need a such and such router or they need this speed of broadband. What they want to know is that they’ve got continuous protected connection to the internet, and they want that in their own words, so that it means something to them within their business. So you cannot use jargon in any way, shape or form. As you said, people talk about the cloud.

Tracy Pound:
People outside of the IT industry have a different perception of what the cloud is. Some people understand it, some people don’t, but we can’t bandy around those types of terms not knowing whether or not the receiver of our message really understands what it is that we’re trying to say. What are the pain points in the end user’s business and addressing those pain points. So people want to feel secure, they want peace of mind, they want to know that the technology that they are investing in is actually going to help move their business forward, or it’s going to help them avoid a painful situation. So you need to talk about what that pain is, not what the technology is that sits behind it.

Paul Green:
What’s the most effective way to gain access to their pain points? How do you understand their business when, as you say, there are hundreds, thousands of different types of businesses out there?

Tracy Pound:
There are. I mean there is some generic classing that apply across all businesses. So all businesses have to sell, they need to market. They either have products or services. They’ll have internal admin. They’ll buy stuff and they’ll need to account for it. So understanding the basic principles of how businesses work gives you that common ground, but it’s having conversations that assist at that business level that are more strategic, so being able to talk to somebody who runs finance. It could be the owner manager, it could be a finance manager, it could be somebody who isn’t from the industry that their business is from, but being able to talk on common terms. So talking about profit and loss, talking about balance sheets. I know that can sound a little bit off putting because then an MSP might think, well what do I know about that?

Tracy Pound:
But as a business, the MSP also needs to understand their balance sheet and their profit and loss and financials and how they work. So it’s finding opportunities to share that common ground, but being inquisitive. A lot of people I know who are in tech, they like to learn. So being able to learn about another industry is as fulfilling as learning about the technology that can be supplied into that industry as well. MSPs, they have help desk staff, they have engineers who might go out on site. They are great salespeople because they’re not seen as a sales person. So they’re not seen as threatening, which means that people will talk to them about what those pain points are, what’s going wrong. If you can teach your staff to listen out for warning bells that somebody might be struggling because they’re not using technology properly, they are great leads then.

Paul Green:
So how would you train your staff to look for those, bearing in mind that your staff are technical and are inclined to talk about things from a technical point of view? What’s the most effective training that you’ve come across?

Tracy Pound:
Anything to do with customer experience. I’d have to say 2020 seems set to be the year of customer experience, and there is a lot of training that’s been developed around that, so a lot of vendors will run training programs around how to improve customer experience. Distribution is changing and a lot of distributors are now adding the soft skills to their training programs. It’s not just about the product, but it’s also about how you deliver a good service. So I’d start with vendors, I’d start with distribution and Google, good old Google. There is so much information, there’s a wealth of knowledge about what represents good customer experience, what doesn’t for people to learn from and apply that within their business. So I’d have a culture of customer experience within an MSP practice too. It’s not just doing it because somebody said it’s the right thing to do, or because it’s the current vogue. It’s doing it because actually as a business, you want to give a good customer experience. You want your end users to be sticky and to recommend you to other clients.

Paul Green:
Tracy, thank you. What’s the best way for us to learn a little bit more about you and get in touch?

Tracy Pound:
LinkedIn is probably the best first point of call. You can look me up, Tracy Pound on LinkedIn or my website, which is maximity.co.uk. That’s M-A-X-I-M-I-T-Y.

Voiceover:
Paul Green’s MSP Marketing Podcast. Ask Paul anything.

Raffi Jamgotchian:
Hi, this is Raffi Jamgotchian from Triada Networks. How do you build trust with prospects?

Paul Green:
Oh, that really is a great question. Thank you very much, Raffi. It is so important to build that trust with prospects, because the sales cycle is a very long one for MSPs, and prospects come into it almost as suspects. They’re suspicious because technology is a massive thing to them. They don’t understand it. They don’t really like the idea of being so reliant on technology, but they are, and they know that choosing the wrong MSP could utterly devastate their business. For that reason, the better the relationship you have with them, the more likely you are to sell to them.

Paul Green:
I believe there are two distinct phases of someone being a prospect and two distinct ways to build relationships with them. The first distinct phase is before they’ve made that decision that it is time to switch from one MSP to another one. At this stage, there may be some level of dissatisfaction. There may be doubts in their mind, but they’re not yet at that point that we’re going to take action, but this is the point at which you want to get to know someone. This is the point you want to get them to join your audiences. That’s to join you on LinkedIn, be connected to you there, to be connected to you on Facebook maybe, to join your email list.

Paul Green:
If you go back over previous editions of this podcast, we talk about all these things and how to grow these audiences. This is the point to do more and more content marketing, so to put more of your stuff in front of them. That’s daily posts on LinkedIn. Thought leadership is a great thing, you taking technology and translating it for them. It’s about more articles onto your blog. It’s about videos on your Facebook. It’s about sending out a weekly or even twice weekly email to your email list. Because all of this stuff is what builds a relationship with prospects before the point at which they’re ready to have a conversation with you. In fact, we call this one to many because it’s you or someone on your behalf doing all of this stuff and you can send it out to potentially thousands of people using the tools like your CRM and LinkedIn and scheduling stuff with Hootsuite and things like that.

Paul Green:
So it’s one to many at this stage, and you won’t need thousands in your prospect list. For most MSPs, just having 500 prospects at that content marketing stage is enough, but then it changes. The point at which you actually start a conversation with someone and they have entered the phase of looking for an alternative supplier, the relationship needs to change, because now you can’t do one to many. Now, you need to do one on one. This is where things like impact boxes, which we talked about in the podcast a few weeks ago, which is a box of physical stuff, that’s a great way to build a relationship with someone. Sending them stuff by direct mail is great. Literally right down to printing off an article that you’ve seen on the web that you think would be of interest to them because it’s relevant to them in their situation and posting it to them. Yes, I know you could email it to them, but posting it to them will have a greater impact.

Paul Green:
Of course, there is the person relationship as well. There’s sitting, meeting with them, having conversations, talking about their business. You should be talking more about their business than your business. It’s building that relationship. The key thing to remember is that people buy from people, and before they’re ready to actually start to make that buying decision, it’s okay to hide behind email platforms and social media platforms and all that kind of stuff. But at that point they’re looking to do the switch, that’s when you’ve got to roll out the people. It’s got to be senior people. They’ve got to be likeable, and you’ve got to give the prospect time. Some prospects make fast decisions, some of them make very slow decisions. One of my MSP Masterminders recently told me it took them 18 months to get through this stage with a client. 18 months to win one client because that was the speed the client was working at, but it was a big contract. They’ve won it for three years, and we all know they’ll probably keep it for 10 years, so it is worth doing.

Paul Green:
So essentially, the more relationship building activity you can do with your prospects, the closer they are to making a decision, the more likely that is to pay off. What’s wonderful is if you’ve been in business for a few years already, you already do this. The challenge for you is to systemise this so as your business gets bigger, and even the point at which you personally stop doing all of this and you start hiring other people to do it for you, as a business, you carry on building relationships in this way. So it’s not haphazard. It’s not relying on people remembering to do stuff. It’s a systemised process that builds relationships day in, day out without anyone having to worry whether or not it’s happening.

Voiceover:
How to contribute to the show.

Paul Green:
I’d love to know what you thought about today’s show. Why don’t you drop me an email? It’s hello@paulgreensmspmarketing.com.

Voiceover:
Coming up next week.

Richard Tubb:
How can they look at extracting sales from the business so the business is actually worth more without them?

Paul Green:
That’s Richard Tubb. He’s an IT growth expert, and he’ll be here on next week’s show to tell you exactly how much your MSP is worth if you were to put it up for sale tomorrow. We’re also going to be talking about KPIs, key performance indicators. Which one should you be tracking to make sure your business grows? And we’re going to be talking about overcoming objections at sales meetings. See you next week.

Voiceover:
Made in the UK for MSPs around the world, Paul Green’s MSP Marketing Podcast.