
Reframing data resiliency: the ‘insurance policy’ pitch

Clients often see pitches advocating for data resiliency as costly, complex, confusing – and something they don’t need. But frame it as an insurance policy in business terms they understand and you’ll soon turn their heads

For the channel, it often feels like the number of reasons a customer can cite to put off data resiliency initiatives is akin to a ring of deeply dug trenches, dragon’s teeth tank traps and steel security doors. It can feel like there’s no way through.

The reasons for resistance vary according to clients, but generally range from costs and complexity to getting locked into a single vendor. There is also a common thread that runs through all businesses, which centres on the fears and concerns about letting third parties handle their hard-won and deeply sensitive data.

Of course, resistance is natural given that data resilience isn’t seen as a business driver, and the common perception that there isn’t any apparent return on investment (ROI). So, how do you get a cautious customer to see the importance of data resilience to its business?

Survival and real life

Benson Varghese, founder and managing partner of law firm Varghese Summersett, makes a self-evident point that isn’t always clear to clients: “Data resiliency isn’t just about IT. It’s a legal and business survival issue. I’ve worked with businesses that ignored data security until they got hit with a breach, and by then, the damage was done. They faced lawsuits, regulatory fines and lost customer trust overnight.”

Varghese is based in the US, a notoriously litigious culture, so lawsuits can be expected for firms that are slack with data resiliency. In the UK and Europe, we haven’t quite reached this point, but his comments still apply to this side of the world.

“One of the biggest legal pitfalls I see is businesses assuming they can handle data security on their own without understanding compliance laws. If you don’t follow the law, whether it’s HIPAA, GDPR or rules that are specific to your business, you could be fined a lot more than it costs to hire experts,” he adds.

Most businesses will hopefully be aware of the power of the UK Information Commissioner’s Office (ICO) to issue fines of up to £17.5m or 4% of a company’s annual worldwide turnover, whichever is higher.

Companies that operate at stratospheric levels of turnover will almost certainly have a good handle on the importance of data resiliency. For those with more modest turnover, Jacob Hausman, founder of Deltia’s Gaming, recommends walking potential clients through real-life scenarios.

“A ransomware attack, a server failure or an employee accidentally deleting critical files – those stories get people’s attention,” he warns.

The gaming industry is interesting in that it lives or dies by data resiliency. It’s been the target of many cyber attacks, including malware, ransomware and distributed denial of service (DDoS) attacks, resulting in financial losses and shredded reputations. So, it’s hardly surprising that the industry at large has upped its data resiliency game.

Another gaming expert, Kristijan Salijević, founder of GameBoost, points to educational initiatives: “Most objections come from lack of knowledge or bad past experiences. Education is key. Clear documentation, workshops and proof-of-concept trials help companies see the benefits firsthand. Case studies showing real businesses that recovered from attacks or avoided major losses make a difference. The companies most hesitant at first often become the strongest advocates once they see results.”

The humble, but often overlooked, case study is certainly a powerful tool. You have peers talking to peers about the issues they were facing around data resiliency, how they overcame challenges and the benefits that have accrued such as protecting the business from ransomware and data loss, and instant recovery with minimal downtime.

A big challenge for the channel is that many businesses only look at the upfront price without calculating the cost of downtime, breaches or operational failures. Salijević recommends breaking down the cost of a single data loss to illustrate how poor data resiliency can be catastrophic.

“Breaking it down into real numbers – how much a day of downtime costs, how much it takes to recover after a ransomware – makes the value clear,” he says.

Certainly, there are more than enough examples and research to illustrate the damage caused by a ransomware breach, for instance. Figures can differ, depending on survey samples, but as an example, the recently published Global cost of ransomware study conducted by Ponemon Institute revealed that a phenomenally high 88% of surveyed organisations had experienced a ransomware attack.

The research further reveals that 58% of organisations had to shut down operations after an attack for an average of 12 hours. The average recovery cost was $146,000 (£113,000). Mainstream media leaps on big cyber attack stories, but there are far more attacks on smaller businesses, a point worth illustrating to clients. Cost aside, there’s also usually the loss of business and a stake through the heart of customer trust.

Vendor lock-in is another valid concern. Companies don’t want to rely too much on one provider, fearing they’ll be trapped. If a vendor pushes exclusivity with no way out, it’s a red flag to customers. Depending on the client and its needs, one way around this is to offer multicloud options and clear exit strategies, which let companies feel in control.

Dror Hevlin, CISO of Cynomi, recommends providing a clear cost-benefit analysis to clients: “Transparent communication with stakeholders about the long-term benefits, such as reduced downtime and regulatory adherence … helps to build confidence and drive adoption.”

Show or tell?

This may be a primary school lesson in communications, but transparency translates into show rather than tell. Slipping into ‘telling’ to convince a customer is often habitual. After all, you’re the expert, you know your business and you know what the customer needs, so naturally they should trust you, and this is how you’ve probably done business for a long time.

But data resiliency raises acutely sensitive issues around data and compliance. To some degree, a level of hand-holding is required to let customers see exactly what you are doing to build trust.

Nirav Chheda is a co-founder and CEO at Bambi NEMT, a US company that focuses on the use of technology for private healthcare non-emergency medical transportation. Despite being in the US, its approach is certainly relevant for the channel, given that for years US private healthcare companies have been consistently blitzed by ransomware attackers keen to get their paws on the goldmine of patient data.

Chheda explains: “Customers need to see where their data goes and how it’s protected. That means encryption, clear access controls and compliance … but compliance alone doesn’t convince people. We made security visible, real-time audit trails, permission-based access and constant updates on how their data was being handled. Once they saw control wasn’t being taken away but enhanced, the trust followed.”

Sharecat Data Services, a SaaS provider, takes the same approach, with data services director Kristine Fossbakk adding: “Instead of just reassuring clients that their data is safe, we give them full visibility into our security protocols, compliance frameworks and real-time monitoring tools. This means they can see exactly how their data is handled, where it is stored and who accesses it.”

ROI has always been a sticking point for data resiliency in that customers rarely see upfront value, which of course makes them hesitate. Yet, Fossbakk believes ROI can be measured. To counter concerns about cost and ongoing fees, the company introduced a performance-based pricing model for some of its clients.

This resulted in a 60% reduction in data retrieval times, which translated into lower operational costs, proving the ROI without a risky upfront investment. Similarly, adds Fossbakk, this level of transparency turned hesitation into full adoption for a large oil and gas client that has since saved over 40% in operational inefficiencies.

That said, for clients ROI can be a nebulous concept because they’re paying for something to protect against something that might not happen. However, with costs one of the main concerns for clients, working out what a potential ROI might look like can be persuasive.

Of course, this will differ from customer to customer depending on their business. For instance, John Beck, founding partner at Beck & Beck Missouri Lawyers, says: “I’ve seen firms cut legal and tax-related operational costs by 30% just by centralising document management and ensuring proper digital record-keeping.”

Mike Gray, channel lead with managed service provider Arctera, also points out data resiliency needs differ according to the size of a company and the industries they operate in: “The main focus of large retailers, fintech, telecoms, energy, healthcare and pharmaceuticals is data loss and costs of breaches, whereas SMEs are concerned with data protection, human error and legal implications.”

Alan Jacobson, chief data and analytics officer at cloud platform provider Alteryx, also raises an important issue: “There isn’t a single bullet for data resiliency, nor is there a single framework … it’s an ongoing process that needs to be monitored.” 

Threats, technologies and business requirements are constantly evolving, which means implementing things such as a multi-layered backup and best-practice cyber security. It’s a point customers need to be aware of.

At the core, companies hesitate to adopt resiliency programs because they don’t fully trust the process. The key is showing them that security, compliance and cost can all be managed in a way that makes sense for their business.

Gray adds: “Customers will understand the need for data resiliency but are often faced with complex messages about technology options. They need a simplified message.”

Aim for simplicity

In short, simplicity is the key to reaching reluctant customers. Customers are much more likely to be receptive if channel players focus on business impact, not tech jargon. For instance, terms such as “disaster recovery protocols, redundancy and failover systems” are clear and are not considered jargon in the industry.

But imagine a marketing agency that operates in the fashion industry – it’ll likely have no idea what you’re talking about. However, it will understand conversations about keeping the business running, even when unexpected events happen such as cyber attacks or system failure, so it doesn’t lose money or customers.

Abstract concepts are also deadening. Far better to highlight real-world risks, such as the tsunami of ransomware that shows no sign of abating, by pointing to real-world instances that illustrate the high cost of downtime, reputational damage and regulatory fines. There are certainly many examples out there. Stories about attacks in the industry that potential clients operate in can be a powerful tool.

In summary, Panayot Kalinov, a tech expert and senior software developer at Casinoreviews.net, points to the fact that data resiliency is an insurance policy and clients will be far more receptive if they understand this: “While the road might involve overcoming trust issues, compliance challenges and budget constraints, the payoff for a customer is substantial: a secure, stable environment that protects data and keeps the organisation up and running, even in the face of the unexpected.”

When a client views data resiliency through the lens of an insurance policy, you can expect to see the trenches filled in, the dragon’s teeth tank traps removed and steel security doors opened wide.
