Let's walk through how I handle that initial Cyber Score Card chat with a prospect. The goal here isn't just to show them data; it's to start a meaningful conversation, keep it simple, and honestly, to figure out if they're serious about cybersecurity right from the get-go.
First Up: Preparation
I like to have their scorecard printed out – a one-pager, maybe front and back. Makes it feel tangible.
Step 1: Keep It Simple - Start with Just Two Things
When you kick off the conversation, I want you to focus only on these two items from the scorecard:
Dark Web Breaches
Email Impersonation Protection
Seriously, just those two. Forget the website stuff and other technical bits for now. Why? Because these first two are the ones most small business owners can actually wrap their heads around without their eyes glazing over. We can dive deeper later if they show real interest.
Step 2: Tackle Dark Web Breaches – This is Your Best Hook
This is usually the easiest place to start because everyone's heard about passwords getting stolen in the news.
Here's how I explain the risk:
"So, you know how you hear about data breaches? A lot of the time, criminals aren't doing super complex hacking. They just buy lists online – lists of emails and passwords stolen from less secure sites, maybe like Canva or LinkedIn, places people use all the time."
"The criminals bet that people reuse the same passwords, right?"
"So they take that email and password combo and just try logging into the really important stuff – your Microsoft account, your bank, accounting software, you name it. It's called 'credential stuffing'."
Then ask them directly: "So, be honest – are you or your employees maybe reusing passwords across different sites?" (Expect a bit of a cringe or a 'probably').
Frame the solution positively: "Okay, no worries! That actually tells us there’s a simple, totally free way to seriously boost your security right away. We just need to get everyone using unique, strong passwords for everything."
Offer the easy way: "The most convenient way to do that is with a Password Manager – you know, like [mention your standard MSP offering, e.g., Keeper, Bitwarden]. We can even help you get started with one if you like." (Think about offering a free trial or setup – it’s a really sticky lead magnet).
Always mention MFA: "And of course, using Multi-Factor Authentication everywhere is huge."
(Extra Tip): You can make it personal using the Score Card details: "Looking here, it seems like [Employee Name]'s details might have been exposed in that [Breached Site Name] breach. We should make sure they've changed that password and aren't reusing it."
Step 3: Explain Email Impersonation Protection
Keep the risk simple: "This part here checks if it's easy for scammers to send emails that look like they came directly from your company – maybe pretending to be you, the CEO, or someone in HR."
Give a clear example: "If this shows a failure [point to it], it means someone could fake an email from your address to your employees. Think about an email 'from the boss' asking for an urgent wire transfer, or one with a link to a fake 'new company policy' that installs malware. It's a classic phishing trick."
Highlight the easy fix: "Seeing a failure here is definitely something to address. But the good news? It's usually free and only takes about five minutes to fix. It just involves adding some security settings, called DNS records, to your domain." (You can mention we handle this or point to instructions if needed).
Step 4: The MOST Important Part – PAUSE and Read the Room
Okay, after you've explained just those two points, I need you to stop talking. Seriously. Pause.
Watch their reaction: Are they engaged? Leaning in? Asking questions like "How do we fix that?" Looking genuinely concerned?
Or... are they looking bored? Checking their watch? Giving one-word answers? Acting like they couldn't care less?
Step 5: Qualify In or Qualify Out Based on Their Reaction
If they're engaged: Perfect! You've got their attention. They're likely interested. Now you can continue the conversation, ask more questions, and maybe start talking about other relevant findings on the scorecard based on what they seem concerned about.
If they're zoning out: This is your signal. They're probably not interested in investing in cybersecurity right now. Don't waste your energy trying to convince them.
Acknowledge it and pivot: Don't make it awkward. Just shift gears.
Ask for a referral: Try something like, "Okay, maybe this isn't top of mind for you right now, I get it. Based on this though, who else do you know that might want to see their own score?" See if you can get an introduction.
Bottom Line
Start with these two points, pause to see if they care, and then decide where to go. It makes the conversation easier for them and helps you figure out fast if you're talking to a genuinely interested prospect. Saves everyone time.