Security Weekly

How to Help Customers Understand Security

Cleanshot 2023 11 30 At 14.14.30

Published:

Cleanshot 2023 11 30 At 14.14.30

Oliver Sild

Patchstack

Oliver Sild is the CEO and Co-founder of Patchstack. He is an entrepreneur and cyber security expert with a strong focus on community building. He has been organising hacking competitions (& local CTF community) in Estonia since 2016, has kickstarted a startup community in his hometown and has nearly 10 years of experience with WordPress security.

Week 17

We talked about security responsibilities in the 11th issue of Security Weekly. This week, let’s take a closer look into how the security responsibility should be communicated to the website owners, so they would understand why it’s important for them to invest into security.

A quick side note, this topic was requested by the TAB community. As a reminder, if you have any specific topics you’d like to see being covered in the security weekly, please let us know.

As web developers and digital agencies, one of the primary responsibilities—aside from creating visually appealing and functional websites—is ensuring that these websites are secure and well-maintained. This is true for all sites built with open-source software like WordPress. With great power, comes great responsibility – this applies really well to open-source.

Communicating the importance of security and regular maintenance to clients can sometimes be challenging, particularly if those clients are not very tech-savvy. Let’s explore some of the ways that could help explain why investing in website security and maintenance is crucial and why considering a partnership with a professional can be beneficial.

Start with the correct mindset

When ever agencies have reached out to me because they are struggling to get their customers on maintenance plans, I mostly notice the same pattern. Maintenance plans are mostly being offered as an add-on and sold from an angle of “what you should have” instead of “what is needed”.

Everything that is optional doesn’t seem important. Making security and maintenance optional by default gives signals to the customers that even you as an agency don’t think it’s essential. Take airliners as an example – I’d say we’re psychologically wired to opt out from everything that is optional.

Based on my experience, this is a fundamental mistake which keeps undermining all future endeavours to make customers understand the importance of security and maintenance. If you don’t believe they need it, then they won’t either.

Once security & maintenance is included in your services, the communication shifts. It merges with your core offering and it allows you to use security as your unique value proposition. This will also turn all conversations about security & maintenance much more natural, without giving out the vibes of fear based sales.

I highly recommend including at least 1 year of essential security & maintenance with every website you build. Make sure to have tiers to your maintenance plans, so the essential tier only includes the most important things which you can automate as much as possible (software updates, backups and vulnerability management/protection).

Don’t eat up the cost. Including something in your base service does not mean that you have to cover the costs with your margins. Add the maintenance plan as a separate line on the invoice and just give the customer a 10 – 30% discount for the first year.

How to talk about it

When you talk about security and maintenance give the customer a clear understanding why it’s needed. One simple way to do this is by connecting it with what they value a lot – performance and marketing ROI.

Security and maintenance is what keeps performance and marketing ROI afloat. Without security, the performance is at risk and without security the marketing ROI may also become net negative. Customers also care about their brand and reputation.

Here are some ideas which you can use when talking about security:

  • Use metaphors and switch the attention towards your (agency) responsibility to offer professional service. “Would you trust an automaker that would sell cars without seatbelts?” and “Would you be comfortable to buy a home that comes without any locks”, etc.
  • State the inevitable and act as an older brother who helps the customer to stay safe. You can say “Welcome to the internet, where everything is a target” and “Unfortunately, everything you put online is immediately a target, but that’s why our service always includes security.”.
  • Use statistics that support your claims. Link to third-party research, so what you say doesn’t feel biased. “It’s important to have regular maintenance to act on security updates before hackers get to exploit them”, “it takes just a couple of hours until hackers automate mass-exploits to try take over every website that is not patched”, “up to 30% security vulnerabilities don’t get official patches in time, so real-time protection on top of maintenance is essential”. I’ll add some stats to resources.
  • Refer to case-studies and “war stories”. This must be something that is not made up, but most of the people who build WordPress sites professionally has had to deal with a hacked site. Tell the customer what the worst case scenario is. For example, in Patchstack, we’ve had a customer come to us in the past who had nearly $100,000 of ad spend sent to a landing page which was infected with malware and redirected to scam sites. Cost of a breach is not just a few hundred dollars spent on a clean-up service – it’s potentially lost revenue, downtime, a damage to SEO and loss of brand and customer trust.

It’s important to talk about security with open cards and avoid talking about it as if you’re selling them something. This is why it’s important to include security by default and just prepare explanations when customers have questions. You’ll be surprised to learn that many customers won’t even question the importance of it.

Show, don’t tell

It’s always better to show examples, case studies, statistics, etc. that help customers make decisions on their own. When communicating the importance of security & maintenance to a new customer, try to use statistics and case studies in the way that is relatable to them.

Here are few examples of what you can show your security & maintenance plan covers:

  • Average number of annual WordPress core updates
  • Average number of annual WordPress core security fixes
  • Plugins vulnerability & threat statistics

Once you’ve onboarded the customer, make sure to also give them a regular update about the value you’re providing. Another mistake I’ve seen companies make is that they are not proactive about communicating the delivered value back to the customer.

My recommendation is to start with monthly reporting and offer to switch to quarterly after the first 3 months. The report should include statistics about everything maintenance & security related on the website.

Here are few examples of what you can report to your customers:

  • Number of software updates performed (past month/Q)
  • Number of security vulnerabilities resolved (past month/Q)
  • Number of threats blocked (past month/Q)

You can always add more things there based on what is included on your maintenance plans, but when it comes to essential WordPress maintenance, these are the three most important and easy to understand metrics which gives customers a quick insight into the value they receive. Doing so will also significantly increase your chances to get them extend the maintenance plan for the next year.

Conclusion

If you want the customers to understand the importance of security & maintenance then make sure you’re not giving out mixed signals. Every website built on WordPress needs regular maintenance and security.

Next week, let’s take a closer look at how to structure security and maintenance plans into different tiers. If you’re an agency or a web developer offering maintenance plans, let us know how you’re doing it at the TAB facebook group.

Resources:

Join the Conversation!

There's a dedicated thread on this post inside of The Admin Bar community. Join in on the conversation, ask questions, and learn more!

Group Thread
Cleanshot 2023 11 30 At 14.14.30

Oliver Sild

Patchstack

Oliver Sild is the CEO and Co-founder of Patchstack. He is an entrepreneur and cyber security expert with a strong focus on community building. He has been organising hacking competitions (& local CTF community) in Estonia since 2016, has kickstarted a startup community in his hometown and has nearly 10 years of experience with WordPress security.

Brought to you by:
Logo

Patchstack auto-mitigates security vulnerabilities found on WordPress core, plugins and themes. Patchstack is the leading vulnerability intelligence provider in the entire WordPress ecosystem and has the largest collection of vulnerability specific vPatch rules that provide precision protection without any performance hit nor false positives. Patchstack is the go-to security provider for many of the leading agencies such as 10up, Valet, SiteCare and others.

Never Miss an Issue!

Subscribe and have Security Weekly delivered to your inbox every week!

Care Plan Toolkit

Save time, boost profits, and confidently manage client websites with proven tools, tips, and resources.

Bento Toolkit

More from Security Weekly

Week 47

Why Use Virtual Patching for WordPress Security?

Virtual patching is a security strategy that involves applying protective measures to the WordPress application without …

Week 46

What Role Does AI Play in WordPress Security?

We can’t ignore the power of LLMs and AI when it comes to security. At Patchstack, …

Week 45

Where to get your WordPress plugins and themes?

As of writing this article, it’s a hot topic. Some plugins which have been available on …