4 Reasons Why Providing Security Education Can Boost Vendor Sales to SMBs

Even with a great product or service, vendors face hurdles when it comes to selling to SMBs. It can be hard to stand out among other vendors. It can also be difficult to convince smaller-sized companies that aren’t as focused on security that they need your product. In this article, we will discuss 4 reasons why being an educational resource can boost sales to SMBs.

#1 Educating SMBs on why security matters can prove to them your solution is useful

A difficulty vendors may face when trying to sell to SMBs is that smaller companies may not be seeking vendor solutions. They may not have any kind of security implemented at all. Offering education can inform these companies that they need to think about security and consider purchasing tools and services. More statistics to help educate SMBs on the importance of security can be found in our article on why cybersecurity is necessary for SMBs.

Reasons why SMBs might not seek vendor solutions (and how to combat these)

1. They feel they don’t have anything of value to hackers. There is a misconception among many SMBs that hackers only target large enterprises. These are the attacks that make headlines. Enterprises also have more money to be extorted and hold more customer credentials.

The reality, though, is that SMBs do have data that hackers want. Many SMBs hold Personally Identifiable Information (PII) of their customers. This data is valuable to hackers. Companies that have PII breached face expensive customer reparations and reputational damage. Even if a company does not hold PII, hackers may want to steal employee credentials.

Hackers also often launch ransomware attacks on SMBs. SMBs are less likely to use safety best practices such as data backups and incident responses. This makes ransomware attacks much more harmful and makes it so SMBs are more likely to pay the ransom. The costs of not doing so may be enough to put SMBs out of business. The overall lower security postures SMBs tend to have compared to enterprises makes them an attractive target for hackers.

2. They feel their company’s minimal solutions are enough. In the past, companies may have been able to get by with just having antivirus software and a firewall. While these tools can still be good to implement, cyberattacks have increased in capabilities. A hacker who wants to get past those minimal lines of defense will be able to. A good way to combat this assumption is to provide education on everything that should be included in an efficient tech stack. 

(Example of areas a tech stack should cover from the NIST Cybersecurity Framework)

3. They are unaware of different attack vectors addressed by your product or service. As a vendor, you exist for a reason – to protect against a real threat. If companies are not aware of that threat they may not understand the need for your product. For example, phishing attacks through email became the most common attack vector during the pandemic. Upwards of 90% of attacks start with a phishing email. Educating companies on this fact would be helpful for any vendor offering employee security training and testing. 

Examples of successful vendors who offer education

If you look at successful vendors you can see that they are taking this approach. They offer education catered to their product. For example, if they offer DDoS protection services they have articles relating to DDoS attacks, and if they offer employee security awareness training they offer free tests to show their potential clients that they are at risk. Many of these companies also offer general cybersecurity insights and blog posts. Most of these insights are written with the purpose of showing how their solution can help, but that does not detract from the fact they are also informing companies who may be unaware of cyber threats.

– Cipher offers podcasts, blogs, and hosts events.

(Example of education offered by Cipher)

– Cisco offers many cybersecurity training courses (most of which are free) for individuals, partners, developers, and organizations. They also offer product training to make implementing their products as easy as possible. Cisco also hosts events and webinars.

– Checkpoint has a blog and holds events.

– Cyberark has learning resources focused on how to succeed with their product.

– Imperva has a cybersecurity blog that frequently posts articles relating to cybersecurity.

–KnowBe4 offers many free tests relating to phishing, passwords, ransomware simulators and more.

–CloudFlare has a learning center with lots of resources relating to DDoS attacks and security in general.

#2 Being able to explain how your solution can solve company specific problems may be necessary for the sale  

Heads of IT have many responsibilities. Security is only one concern of many. Because of this they are looking for solutions that can quickly integrate with their own to boost security. On the subject of vendors’ pitches, Andy Ellis, advisory CISO at Orca Security, says, “This is my biggest feedback to all vendors out there. You all have great solutions, although a few have snake oil. Security teams would be well off if they used your solution, but it takes time and energy to do so, and that’s why you get a “No”. It’s not the money. It’s the time and energy on the security team’s side that is, I think, the single biggest blocker. So you need to spend the least time on the security team to get some value, and once you’ve done that, now you can move up the value chain.”

IT leaders need to minimize the time and resources that the rest of the team needs to spend to implement the tool. Service vendors also benefit from taking the time to understand the business they are selling to. William Klusovsky, Global Industry Cybersecurity Lead at Avanade, says about what a good vendor partnership looks like, “Partnership upfront, before the sale, not just about the sale…. helping understand your business and providing you thought leadership and guidance on all things security, not just what they sell. The ability to support your projects through the entire process from strategy, design, implementation, and management.”

Another reason why education may be necessary to sell to SMBs is that the head of IT needs to be able to justify their purchases to executives. This is especially true at SMBs that do not have a culture that promotes security. Executives may view security as an expenditure that is unnecessary and not an efficient use of funds when trying to grow a company. If heads of IT can provide executive leadership with not only what your product helps with, but also how it can be done and an idea of the ROI, they will be more likely to purchase.

#3 Educating can build connections in the community that let you stand out

Vendor interaction with the community is highly valued by many cybersecurity leaders. This can look like general outreach. But it’s even better if representatives of your product can go in and offer knowledgeable insights that prove to these leaders you have a deep understanding of cybersecurity.

Of general outreach to cyber leaders Geoff Belknap, CISO of LinkedIn, says, “pre-pandemic, I’d tell you Black Hat and DEF CON are a fine place to put together some people, and especially in those situations you’re prime for that. If I’m going to a Black Hat or DEF CON, I know that I’m going to interact with vendors. And honestly, I’m looking to be like, ‘Great, I’m going to connect with some vendors and hear about them in a hopefully low-pressure scenario where I’m going to see a bunch.’ If there’s not that, and I understand Black Hat and DEF CON and RSA are not things that are easy to do right now because of the pandemic, I’m looking for opportunities like that.”

Opportunities to meet with cybersecurity leaders include conferences, Linkedin, and cybersecurity communities such as the one building around PeerWise. As we have seen from successful vendors, hosting your own events is a tactic many use to offer education and bring awareness to their solution.

Dallas Haselhorst, founder of TreeTop Security, talked to PeerWise on the subject of how vendors can get noticed. He told us, “So the underlying question is how do you go about making the cut in the first place? Well, through product exposure, relationships, and building trust. These can happen via numerous avenues including some you already alluded to — attending conferences, attending CISO/security meetups, showing support for the infosec community, or even having their team members contribute knowledge to the community. That is how you make a connection with an infosec leader who is known for building well-respected security teams and programs.”

While these quotes are related to cybersecurity leaders at larger enterprises, it is also important for selling to SMBs. That is because many smaller organizations don’t have the time to vet vendors as in-depth as larger enterprises. They instead often rely on reputation and logos. If you can build a good reputation with larger clients, SMBs will follow suit.

Adam Erstelle, VP of technology at Sercante, talked to PeerWise in a recent interview about reliance on vendors’ reputation and logos. He says, “There’s just an inherent level of trust for startups. That’s pretty much as far as you’re going to go. You trust them or you don’t. You use it, or you don’t. Now larger enterprises might have a security team. They may have the capacity of actually working with that cloud provider and saying prove to me that you’re secure either by having some sort of standards compliance or answering our security questionnaire…. I know that there’s large companies that are using them that likely have stronger security concerns than I do. And for me, that’s good enough.”

When we asked about whether he puts more weight on logos or compliance badges he says, “It would be the logos. Because I would assume that those logos have the security teams that have looked at the badge and that have asked all the right questions.” 

While Adam just provides us with one VP of technology’s view, his opinion is not out of the norm. Education not only catered to SMB’s with minimal security knowledge, but also to security leaders at enterprises, can boost sales to SMBs. Increased reputation can go a far way in getting noticed by these businesses where the heads of IT don’t always have the time to go out and search for the perfect vendor.

#4 SMBs will turn to MSSPs for their tech stacks if vendors don’t have enough outreach

Clients often want to have education and training available to them. If they are spending money on a product it makes sense they should want to be able to make the most of it. The push by clients of cyber insurance companies to receive additional education highlights this want. A study found that 71% of respondents want their cyber insurer to give recommendations to minimize risk exposure, and that 48% would like cybersecurity awareness training for employees.

Beyond being a want, it is sometimes a need to have additional education given to get a product. 35% of SMBs are found to use MSSPs for the direct purpose of implementation consulting of services and vendor products. Partnering with MSSPs can be a great way to get more clients. But the SMBs that are going to MSSPs that are not using your product represent a large number of potential clients that could be directly buying from vendors (such as yours) should they have more information on how to implement tools. 

The increased complexity of cybersecurity needs, and with it cyber tech stacks, makes it necessary for vendors to offer increased amounts of education with their products. Understanding implementation and compliance issues surrounding tools is beyond the scope of many IT departments resource constraints as well as being outside of their expertise. 

How PeerWise can help

PeerWise is building a community where vendors can have outreach to both cybersecurity and IT leaders. This can encourage interaction in a way that is not just a sales pitch, but instead allows vendors to offer guidance and input on our insights. Further, PeerWise puts out many educational resources for SMBs that can be utilized by vendors to help educate these companies on the cyber threats that exist.