Selling Security In A Contracting Economy

Written by: Walter Scott, CEO, GFI Software

Why is it so important that customers invest in security in a contracting economy? How do you convince business owners to spend hard dollars on a product that, in their eyes, may have no immediate return; or a product that does not fall under the traditional “anti-virus, anti-spam” security umbrella?

Up to a few years ago, vendors were united in a single battle cry: your business is at risk… unless…! Scaremongering, often boosted in the media, worked to a certain extent but it soon became obvious to many organizations that vendors were crying “wolf” far too often. The result has been a growing level of suspicion among SMBs and a tougher challenge for vendors and the channel to convince them otherwise.

Looking at the wider picture, cyber criminals have honed their skills using technology to defraud people. Their modus operandi continues to evolve daily and while financial gain and access to corporate data is a primary reason for their activity, we are witnessing a new development that goes beyond monetary gain.

The up-and-coming generation of cyber criminals, social engineers, and hackers are now driven by political and economic ideology; a growing resentment for everything Western and the perceived threat of cultural and economic imperialism has created a breed of hackers whose sole interest is now to cause damage to businesses and governments. Whichever angle you choose to look at the problem, the outcome will be one that hits businesses’ pockets hard.

This is worrying and with hindsight I have come to the conclusion that our messaging and strategy for positioning security to SMBs needs to change. Granted, we need to continue creating awareness on the myriad threats that exist out there, but we also need to focus on issues that are of greater interest to businesses: how security (or lack of) hits their profits.

Business owners are shrewd and can see a good deal when presented with one. They don’t want to be told how a security threat could possibly affect them but they do want to be told how an email management system — set up with minimal cost — will save thousands of dollars by cutting down the number of unproductive hours managing the unmanageable.

They want to be told how a small investment will safeguard their data and prevent their organization becoming another victim of data leakage or corporate data lost through portable storage devices, social engineering attacks and unmonitored endpoints.

The point here is that we need to correlate security to productivity cost throughout the sales cycle. Every human intervention using technology has both a security and a productivity cost element to it. Employees in the majority of organizations today use paid work time to browse the Internet at work, check their home email, use corporate email for private matters, connect their personal devices to the network, chat on instant messaging and download software.

Obviously there are security risks but what about the costs associated with the above?

Are businesses aware that they are losing hundreds of dollars in nonproductive, nonwork-related online activity when productivity can be drastically improved if that activity is control and monitored? Research has shown time and again that employees become more productive when they know they or their activity is being monitored and controlled. So why aren’t businesses doing it when so much is at stake?

Do they realize that employees downloading or watching videos on YouTube is hogging up bandwidth, bandwidth they are paying handsomely for every month? If your bandwidth utilization constantly exceeds a specified threshold you will be faced with a financial penalty or asked to purchase a higher committed information rate from your ISP. For many small businesses this can be prohibitive and a cost business can do well without.

If eight employees spend an hour a day on social networking sites, the business has lost a full day of productive work. Taking the average hourly rate to be $18, this translates into a nonproductive cost of $144 a day or $37,440 a year (260 working days). What if all your employees spent an hour a day browsing the Internet?

Do businesses factor in the costs involved if they had to be caught napping and were unable to produce emails requested in a legal suit, let alone the burden on IT administrators to manage growing demands for additional storage space and the nightmare to keep track of employees’ PST files?

Instant messaging, employees checking their personal email accounts throughout the day, or downloading music to one’s personal storage device are activities that businesses are paying heavily for in terms of lost productivity, increased business risk and salaries.

I have no doubt that many SMBs are ignoring these facts and this is probably one reason, among many, why security issues are not given proper consideration. Combined with their lack of awareness on how security threats are evolving (and targeting SMBs) it is not surprising that businesses continue to equate security to spam and viruses.

And this is why we need to change our approach to positioning security. Securing business will depend on how effective we are in explaining to customers that failing to address security in today’s ever-changing environment is costing them money — far more than if they were to spend a few hundred dollars in the first place!

We need to change our battle cry once and for all. Security is a cost of doing business but a worthwhile cost if it will safeguard a business’s profits and existence.

Walter Scott is CEO of GFI Software