So, I read a post on social media where a gentleman was asking if there was a risk management document out there that could be submitted to application owners, business owners and system admins who, after a consultation, decide not to purchase Cyber Security or business continuity solutions. My first thought was, why? But then I got to thinking that this guy had a good reason to ask.
I’m going to guess that he was probably a hired consultant who had advised his client that what they were currently using for data protection wasn’t sufficient. But, after paying for and listening to his advice, his client probably still decided to do nothing, most likely leaving the business vulnerable to bad actors, scams and ransomware attacks. Could this client possibly hold the consultant accountable for the damage done?
I can’t tell you how many times, when we talk about options for Data Security or Backup & Disaster Recovery with prospective clients, people never make the decision to purchase. Not from us. Not from our competitors. They simply decide that doing nothing is much better than making a huge mistake by possibly selecting the wrong solution or the wrong vendor, or maybe paying too much. It’s FEAR at its best!
So, how do you convince someone to do the right thing? Have you ever heard the old saying, “knowledge is power”? Well, it’s not, for those who have it and don’t take action. Knowledge alone is fine, but the only way to get power from that knowledge is to do something actionable with it.
So, suppose we had a formal document (like our consultant asked for) acknowledging that the client is not willing to do anything and is willing to accept the risk. Would it possibly cause them to change their mind? Here’s an example:
Thank you for the opportunity for ABC Company to help XYZ Company find a solution to address your concern over your current disaster recovery strategy. We’ve found these vulnerabilities (list them) regarding your current backup & disaster recovery solution. The solution which we’ve recommended and outlined on pages 1, 2 & 3 would prevent you from losing your data, allow you to recover your data locally or in the cloud & provide bi-coastal redundancy. The proposed solution would minimize the damage from a disaster, turning what could be catastrophic into simply a small hiccup in your day. We have both agreed that a solution like this would solve your problem; however, you’ve decided not to move forward with a new solution. You acknowledge that by not doing this, you are in danger of losing your data forever, and that, according to your stated recovery time and recovery point objectives, by not implementing a solution your business could be forced to close its doors. You’re acknowledging that you’ve declined all options and will not hold ABC Company responsible for any and all data loss should you experience a disaster, whether from human error, malware, ransomware or natural disaster. You also acknowledge that once your data is gone, ABC Company cannot assist in getting your data back.
I wonder if perhaps seeing it in writing would jolt people out of their fear or indecisiveness and compel them to take action? Would it make sense to do this even when you’re not being paid for your consultation? There are so many businesses who are already forced, through compliance & regulatory requirements, to “do something” because not doing something usually comes with a stiff fine or a penalty. But what about the companies who have been given the knowledge but are not forced to take action? What’s the penalty? Wouldn’t you believe that they could see that losing all of their data would be paying the ultimate penalty?
How would you convince someone to take action?
I’d love to hear your thoughts on this.
For more information, contact Lesilie@thinkgard.com