It’s cliché by now, but people, specifically your clients’ employees, are still often the weakest link in a layered security strategy.
According to the 2023 Verizon Data Breach Investigations Report, a shocking 74% of all data breaches include a human element, either via error, privilege misuse, use of stolen credentials, or social engineering. Many of these incidents include successful phishing attacks, targeting well-meaning employees who end up clicking malicious links or believing deceitful emails.
These increasingly effective attacks are precisely why security awareness training is so essential for your clients’ employees. By providing it as part of your security offerings, you will not only help clients reduce risk, but you will add another revenue source to your MSP business.
Why Security Awareness Training Is Necessary
“Email is the No. 1 vector for attacks right now. It’s important to secure it as much as possible, but what we really want to do is empower the users,” says Eric Grewe, CEO of ForeverOn Technology Solutions, an MSP in Hagerstown, Maryland. “The employees are on the front lines; they’re the ones getting the emails. Instead of making them the weakest link, we want to empower them, make them a fortress around the business. We can do that through security awareness training and constant education.”
The fact of the matter is that phishing attacks are getting more sophisticated every day, and unaware employees are a huge threat to your business. Scott Beck, CEO of Canadian MSP firm BeckTek, recalls speaking with Kevin Mitnick, the legendary hacker: “I said, ‘Kevin, if your team comes up against my team, there’s no way they’re breaking through our security. We’ve got great stuff.’ He said, ‘Scott, you have to understand. We’re just going to pivot and go after the people instead.’ That’s when a light bulb went off for me. How are we going to help the people?”
That’s where security awareness training comes into play. By teaching employees secure protocols and showing them what suspicious emails look like, your clients’ overall security improves tremendously. “As much as we want to put in all the technology that’s going to help keep people protected, actually training people to do the right thing is a very important part of the equation,” says Ann Westerheim, founder and president of Ekaru, an MSP in Westford, Massachusetts.
Showing Clients The Training’s Value
You understand how essential security awareness training is, but that doesn’t mean your clients will get it. In fact, Grewe says that’s one of the biggest challenges. “They don’t think they need it… until they need it. There usually has to be some sort of pain before there’s action.” For example, it took one of Grewe’s clients getting his email hacked to show him the importance of cybersecurity.
That said, some clients just need to see the value of the security awareness training in action. Simulated phishing tests are a great way to do this. “Everybody thinks they’re not going to click on that link,” says Westerheim. “When you run a simulated phishing test, what you see is there are always a few people who will click on the link. It’s eye opening.”
By pairing phishing tests with monitoring, these MSPs maximize value in the eyes of their clients. “It’s shocking for some business owners to realize how click-happy their staff are,” agrees Beck. “Some staff will fail the phishing test month one, month two, month three, etc.”
Making The Material Engaging For Employees
To ensure that your clients’ employees are getting the most out of training, make sure that the solution is engaging.
When Bryan Longworth, general manager of Port St. Lucie, Florida-based A Faster PC, was looking for a new vendor, he vetted some he had met at an industry conference. “I contacted each of them; I watched their presentations,” he says. “I also spoke with other MSPs and asked which vendors they were using.”
For Grewe, efficiency is key when choosing the right tool: “It has to have excellent support and be efficient for the MSP,” he explains. “The less work we have to do, the better. Automate as much as possible in that product, and you know the customer will also want to adopt it.”
One key strategy many security awareness training vendors are using is gamification. The vendor Longworth uses starts employees with a low score, then encourages them to compete with quizzes and leaderboards to see who can end up on top. Westerheim’s program consists of two- or three-minute lessons, with prizes and top spots on the leaderboard encouraging employees to participate.
Adding The Training Into Your Security Stack
The MSPs interviewed for this article are split on whether to make the training optional or not, or to bundle it into the security stack or offer it as an add-on.
For Beck, it’s mandatory. “If a client really pushed back hard and said, ‘We’re not doing it,’ we would have a risk-acceptance letter and a conversation, because there’s good odds that something will go wrong and somebody will click on something they shouldn’t have,” he says.
Beck’s firm also includes security awareness training in their bundle. “When I go to a bakery to buy a chocolate cake, I don’t stop and ask what all the ingredients are,” Beck explains. “I’m not a baker. Our clients don’t know how to bake ‘IT Security.’ We can explain to them why the different ingredients might be in there, but they don’t get to pick and choose the ingredients.”
Grewe’s firm, however, offers the training as an optional add-on. “Every customer is a little bit different in their budget and their needs,” he explains. “I always offer it because I think it’s important. Most of them will take it because they see value in it and it’s not a huge cost for them.” In his experience, the small businesses with only a few employees are usually the ones who decide not to do the training.
Security Awareness Training Is A Key Step In Cybersecurity
“[Security awareness training] is one of the most important steps in cybersecurity,” says Longworth. Obviously, all the other things we do are important, but if someone lets the bad guy in, you’re limited on what you can do to stop that. Training the employees prevents threats and makes your job a little easier; they’re on the front lines helping you protect their networks.”
