Tabletop Games a Route for Growing MSPs

Managed service providers have two main choices for growing their business — they can add new customers or sell new services to their existing customers.

Both avenues can have their issues. Pursuing new business means targeting businesses with existing budgets for managed services. Upselling to existing customers means convincing them that what they have today isn't enough, and they need to allocate more budget to managed services. This isn't easy, especially if the MSP has been doing a good job and everything is ticking along nicely.

The problem with upselling is that it's often focused on better versions of what the MSP is already providing to the customer. Improved security, perhaps, or more comprehensive backups. The objection that MSPs often come up against is that their customers tend to view these services in binary terms: either protection is in place, or it's not, and if protection is in place, why bother with any additional protection?

Finding the Gaps

MSPs do have ways of showing their customers where their disaster recovery plans may be lacking — and convincing them that backups are more than just a binary problem.

It's important for businesses to realise that backups alone aren't enough, that they need to be part of a full incident-response plan. And just as any disaster plan needs to be evaluated, like a fire drill, the incident-response plan needs to be put through its paces, too.

Related:The Ultimate Disaster Recovery Plan Checklist

A "tabletop" or "war game" may conjure images of pushing small painted armies around a miniature battlefield, but here it's a different imaginary scenario being played out. What if the worst happened, the disaster that we all hope to avoid? How well would the business cope? Would it cope at all?

The idea of a simulated cyberattack or similar disaster can seem quite daunting. Some recommendations involve creating a copy of a live IT environment, having "red teams" infiltrating and "blue teams" defending, and timescales of months. But just as more traditional tabletop games run from simple to complex, it's better to start simple.

The difficult part of a tabletop should be getting buy-in from everyone who could be involved in disaster recovery, all the way up to the CEO. The exercise should focus on a single realistic scenario and assess the existing response plans against it.

As much focus should be on management response as technical response:

The exercise should explore the scenario in detail, with discussions covering every part of the response.

The purpose of a tabletop exercise is to fail, and to learn from those failures. An exercise that goes seamlessly is, in itself, a failure, unable to identify the inevitable gaps when creating any incident-response playbook. Part of achieving buy-in will be to prepare participants for this failure. Gaps and problems can feel as though the person responsible has failed to do their job properly, so there needs to be a collaborative, supportive atmosphere rather than one of blame.

What's In It for the MSP?

With their understanding of incident response, it's possible for MSPs to run tabletops for their customers, either by themselves or in partnership with a specialist. These activities are uncommon in smaller and medium-sized businesses, so it's likely to be a new concept when presented to the customer. As such it may be difficult to make it a regular and highly profitable part of the MSP business, at least to start.

However, there are many advantages to running a tabletop with a customer. There is the potential of selling a more comprehensive backup solution, of course, if what the customer has is found to be lacking, unless the need is shown in a practical exercise. But there's also the wider effect of focusing attention and creating a better understanding of what cybersecurity and backup means.

Tabletops can educate customers on what disaster recovery means, beyond the idea that any backup solution means the business is protected. Faster recovery times, more restore points, and backing up cloud services can seem unnecessary

Another point to add to the recovery plan is instant recovery isn't the key, especially after a cyberattack. Why? Because if you don't know what type of attack you're under, putting instant recovery into play could cause even more damage and delays — you could be restoring malware back into production or contaminating the crime scene. This is a reason a sandbox (an environment where the data can be scanned first before restoring back into production) on a separate network is a good idea.

There's also the opportunity to educate on the need for cybersecurity more broadly, and bring senior management beyond the CISO into the conversation on why it's important to have more than the basics. A CEO who better understands what disaster recovery involves will be more likely to invest in better systems, both within the organisation and from suppliers.

MSPs should consider offering tabletop exercises to their customers to help them better understand their backup and cybersecurity needs, their communication strategies in the face of disaster and to help promote the solutions that can help fill in the gaps in the recovery plan. But it is also a way to build a stronger bond with customers, identifying and solving problems rather than relying on fear and uncertainty to upsell services.