Improving Your Customer’s Cybersecurity Stance with Security Awareness Training

Part 2 in the blog series “The Business Case for MSPs Offering Employee Training and Enablement”

Your most critical service offering needs an upgrade that both makes the customer more secure and differentiates your business from your competition… all without adding burden to you.

Assuming you’re paying attention to the current state of cyberattacks, you already know it’s not getting any better. The number, frequency, sophistication, effectiveness, and impact of cyberattacks continue to trend upwards with no end in sight. Despite advances in security solutions, we’re still seeing huge jumps in cyberattack numbers.

For example, in security vendor VadeSecure’s Q3 2023 Phishing and Malware Report, they found that in Q3 of this year phishing volumes increased by 173% and the number of emails containing malware increased by 110%—all in a single quarter!

It’s evident that cyberattacks are something MSPs need to care about for their customers. 

The Reality of Cyberattacks on the SMB

Given that most of your customers are small and mid-market businesses, the valid question of “are they a target?” is still asked year after year. According to U.K. cyber insurer Hiscox’s Cyber Readiness Report 2023, there are plenty of cyberattacks that target small businesses. According to the report, there has been a steady increase over the last three years in the proportion of organizations with fewer than ten employees that have experienced a cyberattack. Three years ago, it was just 23% and today it’s 36%: that’s more than a 50% increase!

While the small business is growing as a target, the midmarket’s cyber readiness appears to be in even worse shape. According to cybersecurity vendor Huntress’ latest report, The State of Cybersecurity for Mid-Sized Businesses in 2023, the midmarket is anything but ready:

  • 24% of them aren’t even sure if they’ve been the victim of a cyberattack in the last 12 months
  • 61% have no dedicated cybersecurity expert on staff
  • 47% have no incident response plan should an attack occur

So, there’s an obvious opportunity for MSPs to offer cybersecurity services. In fact, according to the Huntress data, only 41% of midsized organizations currently outsource cybersecurity to a partner…that’s a large market potential for MSPs! If you’re not already offering cybersecurity services (and we assume you are), you need to start. Immediately.

Offering Cybersecurity Isn’t Just Propping up Software Solutions

Even with a layered defense of MSP-centric security solutions in place, despite the efficacy claims, a material percentage of malicious emails and social engineering attacks still manage to evade detection. For example, according to HP Wolf Security’s latest Security Threat Insights Report, 1 in 7 phishing email threats make it past security solutions all the way to the Inbox. Additionally, attacks don’t even need to involve email; take the example of the IDAT Loader attack identified by security researchers at Rapid7—this attack uses a drive-by download approach leveraging a fake banner “requiring” an update to the Chrome browser to get victims to engage with their malicious executable. 

There are plenty of examples just like these that can be used to establish how the success or failure of cyberattacks may simply come down to whether one of your customer’s employees gets duped into clicking on a malicious link or attachment. So, what’s needed to further strengthen your customer’s cybersecurity stance is to get their employees to participate in the defenses.  

Enhance Cyber Readiness with Security Awareness Training

The cybersecurity services most MSPs offer involve a number of security solutions designed to create that layered defense. But employees play a role in either stopping attacks or aiding them when those attacks involve either phishing or social engineering. Whether we’re talking about malicious content found within email or on the web, all it takes is a single click from one employee and your customer’s environment becomes the next victim. To counter this, it becomes necessary to consider the addition of Security Awareness Training to your cybersecurity service offering. 

There are a few benefits to doing so.

Security Awareness Training Enhances Your Customer’s State of Cybersecurity

The use of Security Awareness Training helps to ensure employees are reminded of the need to remain vigilant when interacting with email and the web, are educated on good cyber hygiene and best practices, and are updated on various kinds of attacks and attack themes, so they can more easily spot an attack and help avoid becoming an unwitting accomplice.

This is accomplished with shorter periodic trainings that give the employee insight and encourage them to continually maintain that vigilant mindset, as well as required trainings (as necessary) should there be specific attacks or social engineering scams employees should be warned about.

The result is a more secure environment where those attacks that make their way past security solutions to an employee’s Inbox or within their web browser are rendered powerless…all because the employee sees the attack for what it really is and avoids engaging with it. 

Security Awareness Training Also Enhances the Value of Your Offering

In addition to making your customer’s cybersecurity stance stronger, the inclusion of Security Awareness Training also makes your service offering a more valuable option for customers; by including employees in cybersecurity, your offering is more comprehensive than a competing MSP that only offers software solutions as a defense.

Security Awareness Training Doesn’t Need to Be a Burden

As with any new solution, you ideally don’t want a steep learning curve that requires hours and hours of your techs’ time to be able to implement and manage it. Depending on the solution you employ, implementing this training in conjunction with the rest of your cybersecurity can be accomplished within minutes (that is, not all Security Awareness Training solutions are created equal).

Security Awareness Becomes Just One Kind of Training Provided

Employees want to work for a company that wants to help them develop new skills, really learn how to use the applications they rely on daily, and grow their role within the organization. By implementing Security Awareness Training as part of a larger Employee Training and Enablement platform that benefits your customer well beyond just enhancing their state of cybersecurity, you help your customer shift from an organization that simply hires people to work into one that actually helps develop its employees…which includes development of their cybersecurity awareness.

Improving Your Cybersecurity Services with Security Awareness Training

It’s evident that cybercriminals are well aware that the employee is the gap in most cybersecurity strategies. And it’s only through implementing security awareness training as the compensating control that organizations can properly “patch” this “vulnerability.”

Adding on Security Awareness Training helps to create a more robust, exhaustive, and valuable cybersecurity service offering. It can make the difference between a secure and insecure customer, as well as between a potential customer choosing your cybersecurity service over a competitor’s. 

In the next blog in this series, “The Business Case for MSPs Offering Employee Training and Enablement,” we’ll focus on how Microsoft 365 User Training can be used to augment your Managed Microsoft 365 Services.