Managed Service Providers (MSPs) that deliver IT services to small and medium-sized businesses have a real dilemma when it comes to security awareness training. According to a forum post I read recently, the vast majority of MSPs believe that it is valuable, if not essential, to deliver security awareness training to the employees of their clients, which are typically small and medium-sized businesses (SMBs). However, their clients don’t seem to think they need it, so they don’t want to pay for the training or have their staff take the time to learn proper cybersecurity defensive skills.
The reason MSPs feel it is essential to have everyone trained on security awareness is that attacks such as phishing and social engineering are rapidly increasing across the board. An organization’s defenses are only as strong as its weakest link, and if there are dozens or hundreds of employees who can easily be tricked, the organization is highly vulnerable to phishing attacks that can lead to ransomware outages and data breaches. Over 90% of cyber attacks start with phishing email messages that target employee vulnerabilities.
Not only can security breaches and malware spread within a single business, but there is a risk that the MSP’s entire network of client organizations could be impacted. This could be very costly for the service provider, and could use up all available support resources to respond to the incident for an extended period of time.
Objections clients frequently use against security awareness training
There are several reasons that MSPs’ client organizations tend to resist paying for security awareness training:
1- I am not a target.
Many small businesses do not think they are a likely target for cyber attackers. The truth is that they can be, and often are, targeted as a stepping stone to their larger external customers and partners. Furthermore, Verizon Data Breach stats show that 43 percent of SMBs were hit with cyber attacks in 2019.
2- Awareness training takes away too much precious time from operational employees, impacting productivity.
Nobody wants to spend money on preventing something that “might not happen at all”. And forcing employees to spend any significant amount of time doing non-productive work is often seen as a waste of money. However, industry data shows that 60% of small businesses hit by a cyber attack fold within 6 months of the incident. So, you might be productive for a while, but when (not if) you get hit with a cyber attack, there may never again be a chance at productivity…
3- Security awareness training is not effective
While it is easy to find data that shows employees don’t engage or absorb much knowledge from traditional security awareness training programs, almost all MSPs agree that awareness training is necessary. The “negligible expected return on investment” perceived by SMB managers is likely one of the key reasons they don’t see value.
However, if employees are able to experience security awareness training in an environment that is designed to build and reinforce defensive behaviors, the effectiveness of the training rises significantly. In this case, time spent learning to defend against cyber attacks is likely to pay off.
SMBs must soon face the reality that attacks targeting employees will continue to rise, and that it is essential to train their employees in an effective way. Otherwise, they are living on borrowed time.
Options to consider
Here are two suggestions for MSPs to reduce risks associated with the vulnerability of their clients’ employees:
1- Some MSPs have begun to take the risks so seriously that, if a client organization declines to put a security awareness training program in place, the client must sign a clause that says “all security incidents will be billed hourly”, meaning that the MSP will not carry the risk. Some SMBs might say they are going to get “cyber insurance” coverage instead of doing security awareness training. However, they may discover that cyber insurance companies are likely to require that a security awareness program be in place. So, they will be back where they started, accepting their own risk. This might make SMBs think twice about declining the service.
2- If you’re going to have to spend money on security awareness training, one way or another, why not implement a program that is effective and actually changes culture? So, a gamified, defensive security awareness training platform that provides more effective and measurable impacts on employee vulnerability may be the best way to get everyone on board.
In the end, if you can show that the training provides value, SMBs are more likely to pay for it and commit to having their employees participate.