The cybersecurity landscape continues to shift rapidly. The number of attacks has increased, and their complexity (which often involves targeted social engineering, sophisticated phishing, and email account compromise) has grown. Cybersecurity technologies have evolved to meet these challenges because such attacks are now harder to detect with traditional email filtering and firewall security.
That is why it is easy to see modern cybersecurity as a continuing escalation of technological craftiness on both sides. Seen that way, MSPs with a security focus would simply need to apply the right technology to their clients’ networks to ensure strong cybersecurity. But that view overlooks one unchanging fact: the most vulnerable part of the infrastructure is still the employee accessing the network.
That’s why cybercriminals have shifted much of their focus from broad-based attacks to business email compromise (BEC) and other schemes that use psychology to trick end users into revealing passwords and other sensitive data and even approving fraudulent transfers of funds. With enough information gathered freely online or via low-level breaches of email accounts, criminals can craft email messages that are convincing enough to trick even somewhat skeptical employees.
That means security awareness training must be part of a holistic security offering. It ensures that the investment the client has made in advanced security technology pays off, and it generates revenue and business opportunities for the MSP.
Discuss the Importance of Security Awareness Training
MSPs should have regular conversations about security training with their clients. New threats are constantly emerging, while new hires may be joining the network at a relatively rapid rate, and experienced employees may forget some security hygiene basics. The first line of defense against a successful attack is making sure employees can recognize phishing emails and have procedures to report them.
While BEC attacks (mentioned above) still account for less than 10% of spear phishing, FBI data indicates they are among the most expensive types of attacks, causing more than $26 billion in losses over four years.
For MSPs, highlighting the various benefits can help convince clients to invest in security awareness training as part of a comprehensive services package. For example, a formalized program lets clients track training results alongside phishing simulation results, so they can see their progress and better understand the ROI.
Leveraging training through a trusted MSP partner also saves the client time, provides access to well-developed training programs, and ensures that the training can be conducted by staff with specific expertise (which is often lacking internally). Because the MSP also provides security technology, the training can be easily dovetailed into application-specific content. After the training is complete, the MSP also has visibility into network behavior and security incidents to help identify critical areas for additional training. They can even tell which users may need more interventions by using phishing simulation and other network monitoring technologies.
MSPs can also provide ongoing reinforcement through email alerts, newsletters, gamified training exercises, and other resources. This takes the training burden off the client while providing a much broader array of support and resources than the client could create internally.
Demonstrate Your Training’s ROI
For MSPs, selling security awareness training as a standalone product or part of a comprehensive suite of services will require emphasizing value upfront. With employees trained to recognize phishing, BEC, and other types of attacks, clients can reduce the number of successful attacks and improve productivity by avoiding costly downtime. They can also prevent some of the most expensive types of attacks, in which employees are fooled into approving wire transfers or sharing sensitive data.
MSPs should have data on hand to demonstrate how the cost of security incidents can erode the client’s security ROI and how training helps spread the responsibility for security across the organization. They also need to factor in the cost of additional incident-related services the client may be charged for.
Compliance requirements also play a role. MSPs should be educated on industry-specific requirements (e.g., HIPAA and FINRA) that may mandate or emphasize employee training, and should make sure their training courses cover those requirements and regulations.
Phishing simulations are another critical component of security awareness. Utilizing these types of simulations can reinforce training and identify personnel who may need extra help in recognizing malicious emails. Data from these simulations can also demonstrate to the client how much education their staff may need and provide key performance indicators to show how valuable the training is.
Most importantly, a solid training program will raise awareness of cybersecurity issues across your client’s organization and help them achieve buy-in for new security technology, policies, and procedures. This combination of business benefits and security protections shows why security awareness training should be a vital component of an MSP’s complete security stack.
Michael Mowder is the Senior Director of Global Partner Success for Barracuda MSP, a provider of security and data protection solutions for managed services providers, where he is responsible for the partner journey from on-boarding, to implementation, through professional services and finally, renewal.