Security Awareness Training For MSPs: A Comprehensive Guide

A commonly used phrase during the conversation on security breaches is: “It’s not a matter of if, but when.” And, while this is invariably true, are security breaches always inevitable? We argue, no.

In fact, 99% of security professionals that experienced a breach at their organization within the last two years agreed that it would have been preventable with the right measures in place. And, as the most common answer, 71% said that better security awareness training for users would have helped minimize or prevent those breaches. 

In a nutshell, security awareness training consists of learning materials and simulations targeted at educating users on security best practices, threats they may face, and how to keep both themselves and their organizations safe online. And, currently, only 60% of MSPs offer it as part of their managed services offering. 

But with 57% of organizations outsourcing their cybersecurity solutions, should more MSPs be integrating security awareness training solutions as part of their wider security stack? After all, a secure client is a happy client, and happy clients keep returning. 

Throughout this article, we’ll cover what security awareness training is and some of its key features. We’ll also cover why MSPs should offer security awareness training, as well as how you can ensure an effective program.

What Is Security Awareness Training?

Security awareness training serves to educate users on the threats they face in their daily lives, as well as what to do—and what not to do—when they’re targeted by cybercriminals. This is primarily via online “lessons”, which might include bitesize videos, quizzes, interactive games, and more, as well as phishing simulations, which enable admins to test their users by sending simulated phishing emails and measuring which employees click on the links within them. 

Awareness training is important for organizations of all sizes, across all industries because everyone is a target. It is important to note, however, that some industries—such as healthcare and financial services—might require industry-specific training. But we’ll get into that a bit later.

First, let’s explore some of the current challenges in the cybersecurity market, so we can gain a greater understanding of why security awareness training is needed, and how MSPs can help combat some of these issues. 

Why Is Awareness Training Important?

Whoever said: “Crime doesn’t pay,” clearly had never met a cybercriminal. Cybercrime is set to reach a global cost of $10.5 trillion by 2025—which means that cybercrime globally will soon be more profitable than illegal drugs. And so, it’s hardly surprising that threats are continuously advancing and evolving—the incentive is certainly there for criminals to win big. Other challenges include:

1. Employees are human; they make mistakes. Research suggests that human error is accountable for 90% of security breaches. We can’t program or patch employees—and, ethically, we wouldn’t want to! But at the same time, untrained and unaware employees can be the biggest risk facing organizations from a security perspective. 
2. Technology alone can’t save you. Today, the innovative and cutting-edge security technologies offered by MSPs can be pretty impressive. But what happens when a phishing email slips through the cracks, or an employee uses “Password1” to secure a work account? An estimated 78% of security decision makers and influencers view training and technology in combination as equally important in their approach to dealing with security threats. 
3. Traditional security awareness training isn’t quite cutting it. Traditional awareness training usually consists of hours-long, unengaging PowerPoint presentations that not only disrupt users’ days but aren’t optimized for their learning. 
4. Remote working introduces new challenges. Not only does working remotely mean employees are no longer in the same building as their IT team if they experience any issues, but it introduces a whole new range of vulnerabilities—such as unsecured networks and devices and a reliance on online communications. 

So, how can security awareness training help to address some of these issues?

While an estimated 98% of organizations do run a security awareness training program, only 64% conduct formal training sessions. As well as that, a separate report states that half of SMBs do not run an awareness training program at all. 

So, why is this an issue? What are the benefits of running a security awareness training program that these organizations neglecting to train their users are missing out on? 

Why Should Organizations Train Users?

Well, aside from the fact that 80% of organizations have experienced a noticeable reduction in phishing susceptibility as a result of security awareness training—proof that it does work—, there are numerous other benefits that go hand in hand with this. These benefits include:

1. Strengthening the human firewall and creating an additional filter for phishing emails. Properly trained users are far more likely to not only recognize, but appropriately respond to attacks than those untrained. By training users, organizations can develop a “human firewall” that works alongside the technology they already have in place. 
2. Fostering a security-aware organizational culture. A desired outcome of training is fostering an automatic reaction to threats—causing systemic cultural change. Using awareness training, organizations can embed good security practices throughout their organization, so that they come naturally and unconsciously to employees.
3. Pinpointing vulnerabilities and understanding user behavior. Awareness training provides admins with an overview of user behavior—including those that pass or fail training, click on phishing simulations, or demonstrate risky behavior. 
4. Meeting regulatory compliance and satisfying insurance vendors. Awareness training is not only a requirement to satisfy regulations such as GDPR—where failure to comply can land an organization a fine of more than £10 or 2% of the past years’ revenue—but also can lower insurance premiums and in the event of an attack, prove to their insurance provider that they took adequate measures to reduce risk. 

So, now that we understand why organizations should be investing in security awareness training, what’s in it for MSPs? 

Why Should MSPs Offer Security Awareness Training?

It’s estimated that almost 75% of MSPs have a managed security offering—but only 60% include security awareness training. Despite this, there are a plethora of benefits that come with offering security awareness training as part of your security stack. Let’s run through some of them. 

1. Strengthening your overall stack. Ultimately, adding awareness training to your stack will not only make you more secure by complementing your current solutions, but will provide opportunities for revenue growth by offering an additional product to your customers.
2. Making you a differentiator in the cybersecurity market. Research finds that 84% of organizations not currently using an MSP and 93% of those currently using one would consider using or switching to a new MSP if they offered the “right” cybersecurity solution. Awareness training is a competitive edge for many organizations—by not offering it, could you be vulnerable to not only losing current customers, but potential ones, too?
3. Security awareness training is a growing market. The awareness training market currently exceeds $1 billion annually, and grows at a rate of 13% per year.
4. Demonstrating you understand your customers’ risks and cover all bases. Trust is everything when it comes to professional relationships. And if your customers don’t trust you, soon enough they’ll start to look elsewhere. Let your customers know that you leave no stone unturned and that their security is safe in your hands. 
5. Minimizing the strain on your resources. Incidents and attacks can be draining on your resources as an MSP. A reduction in these ultimately translates to fewer tickets, service calls, remediation actions, and effort needed to address both minor and major incidents.
6. Protecting yourself against potential legal issues. Research finds that in the event of an attack, 69% of SMBs would hold their MSP accountable at some level, and a concerning 74% would take legal action against them. Providing a robust security awareness training program can help reduce the likelihood of a client being able to legitimately start a lawsuit. 
7. Meeting legal requirements and complying with regulations. Awareness training is a requirement for compliance with regulations such as PCI and GDPR, and standards such as ISO 27001. Failure to comply with these can result in a huge fine. 

Key Security Awareness Training Features for MSPs

There are an array of providers and programs that you can choose from when it comes to security awareness training. So how do you choose the right solution to offer to your customers? 

Let’s run through the top features you should look for when selecting a security awareness training program. 

Comprehensive And Engaging Training Material

Content needs to not only be relevant to the threats that each employee faces—both in terms of cyberattacks, and in relation to their job function—but also engaging and interesting for users. In fact, research finds that users who view awareness training as interesting and engaging are more likely to change their behavior, report suspicious content, and spot threats. For example, 79% of users who find training “very interesting” can spot a spear phishing email—while only 38% of users who find training “boring” can spot these. 

For content to be engaging, it’s important that the provider offers a range of learning media—including quizzes, interactive minigames and simulations, bite-sized video content, stories and narratives, that should be engaging and ideally: fun. The goal is for users to voluntarily self-enroll and share content with their colleagues. “Humorous stories are the things we repeat—and the more often you’re willing to share and repeat, the more ingrained it becomes,” Hook Security Co-Founder and CEO Zachary Eikenberry says. 

As well as being engaging, training content should be suitable for a variety of audiences, to support specific workplace threats and roles, as well as fully customizable and white-labeled. Some organizations might wish to create their own modules or modify content to better reflect their own organization’s specific practices and procedures. In terms of content, any well-balanced and comprehensive training program should include modules that cover phishing, ransomware, mobile device security, password best practices, and safe web browsing, to name a few. 

You should also keep in mind the industries that your clients exist in, and the specific regulatory compliance they must adhere to. For example, any business that takes credit card payments from its customers must be PCI compliant, while healthcare services must comply with HIPAA and GDPR. It’s a good idea to bear this in mind when selecting a solution and to search for providers that offer modules on these, if this is relevant to your current or future client base. 

Simulated Phishing Campaigns 

When it comes to cybersecurity, simply being aware of threats is only half the battle. For secure practices to become truly ingrained as part of a users’ hesitation phenomenon, they need regular simulated practice of dealing with threats in a safe environment. 

Phishing simulations offer exactly that. They work by sending simulated emails to users that mimic real-life threats, to test how they react. We recommend looking for a provider that offers an Outlook plugin as part of their solution, as this not only provides a way for users to report suspicious content—both simulated and genuine—but also a way for admins to measure which users report phishing emails, as well as the overall effect of the training. On the flip side, if a user doesn’t recognize the email as suspicious and clicks on any of the links or attachments within, some solutions can be configured to administer immediate refresher courses and “point of infraction” training. Administering training in this moment makes it more relatable, and therefore memorable for the user.

It depends on the provider, but with many solutions, sending simulated emails is simple and can be done in minutes. Many solutions come with access to libraries of up-to-date, pre-built, and customizable email templates—admins can simply select one, set a targeted group of users, and then schedule it for deployment. They can also usually set up year-long automated campaigns, if they would rather not send each email individually.  

Robust Reporting Capabilities 

Reporting and user metrics are a vital part of any awareness training program—because how can organizations improve what they aren’t measuring? 

Most solutions offer a centralized dashboard where admins can not only assign training to certain groups or individuals and set up phishing campaigns, but also create and view granular reports on individual users’ training progress and pass rates, statistics on clicks on phishing emails, and often, the organization’s overall risk level. In tracking these metrics, admins can identify risky groups, departments, or individuals and select further training for those, as well as create reports for C-level executives and upper management, to demonstrate improvement in behavior and effectiveness of the program. 

Additional important admin features are the ability to easily create policies, simple user management, and the ability to create clear learning paths. 

Easy Deployment and Configuration

Admins and security teams have some of the most demanding and time-consuming roles within their organizations—so when it comes to rolling out a solution, they want something that works out of the box.

We recommend that MSPs look for cloud-based solutions, as they are generally quicker to deploy, scalable, and easy to configure and manage. As well as this, we’d recommend seeking a solution that integrates with many different systems and databases—including Office 365 and Azure Active Directory. This is to ensure user onboarding is seamless, and as pain-free as possible. 

Any good solution will provide an exclusive MSP portal that provides support in customizing and administering the solution to clients. This portal should enable you to control billing and set tiered pricing levels, as well as activate free trials and manage subscriptions. 

As well as this, you should look for a provider that offers white-labeled content that’s easily customizable, so you can brand training material with your own logos and colors. Some providers might also offer marketing and sales support, as well as white-labeled marketing materials to help you promote the solution.

Some providers might also automate and manage the solution on you and your clients’ behalf. This means little upkeep from yourself as an MSP, meaning you can allocate your resources and effort to other high-priority areas of business. 

How Can MSPs Ensure An Effective Security Awareness Training Program?

So, you’ve done your research. You’ve chosen your provider. You’ve marketed the solution to clients and signed a few contracts. You’ve administered the solution. But now, there’s one more thing to consider: how can you ensure the program is effective so that you get the results for your clients? 

Prove Its Value

First thing’s first, clients want to be kept in the loop about the effectiveness of the program. After all, for them it’s an investment—and they need to ensure it’s paying off. As an MSP, you should prove its value by providing granular reports on user engagement with training content, phishing simulation clicks, strengths, weaknesses, and risky behaviors. To add value, you should implement continuous improvement initiatives and feedback loops to ensure you can regularly improve and adapt the program to suit users’ evolving needs. 

Avoid Overwhelming Users

Another thing to consider is the frequency that training content is administered, as well as its length. You should avoid solutions that overwhelm users with long-winded, time-consuming, unengaging content that disrupts their day and is administered all at once, annually. It’s best to train little and often, using snappy, bite-sized snippets that are more memorable and digestible for users. 

Teach; Don’t Trick

Also key to creating an effective program is to ensure that phishing simulations are in place to teach and not trick your clients’ users. To successfully establish a security-first organizational culture, the program should make users feel supported, rather than caught out. We recommend that you strive to reward users for good behavior, while supporting those who need further training in a positive and welcoming environment.

One Size Does Not Fit All

While we recommend that it’s important to train everyone within an organization—no matter their job function—it’s important to recognize that the level of training that, say, a CEO might need, will differ from the training that a security team member might need. As well as this, the most effective training solutions steer away from the “one-size-fits-all” approach, and instead looks to train users based on competency and identified risk areas that are personalized to them.

About Hook Security 

Founded in 2018, Hook Security is an innovative security awareness training provider that seeks to revolutionize the way users engage with their awareness training programs, as well as transform organizational security cultures. Offering training that not only educates, tests, and trains users on the threats that they face and security best practices, Hook Security also focuses strongly on user engagement. They focus specifically on targeting the right parts of the brain—the parts that recognize and respond to threats—through the use of humor, non-punitive environments, positivity, engaging content, and storytelling. 

Hook creates high-quality, humorous video training content monthly, reflecting the latest threats while entertaining users—something they call “edutainment”, that is, education plus entertainment. Training content aims to be less than two minutes, focusing on only one or two key takeaways, and making content more digestible and memorable. Content is also designed for compliance, meeting standards such as NIST and CMMC, while they’re soon releasing HIPAA and PCI training. Hook Security’s phishing simulations are realistic and customizable, and are sent to users monthly to test their responses. Hookmail, their phishing reporting plugin for Office 365 enables users to safely report suspicious emails and admins to track reporting statistics. Users who fail these simulations can be automatically enrolled in “point of infraction” training. Hook Security also offers robust reporting capabilities, including behavioral data reports, user analytics, in-depth reports, and more. 

Hook Security works with hundreds of MSPs, agents, distributors, Managed Security Service Providers (MSSPs), and Value-Added Resellers (VARs) via their partner program. This program enables partners to leverage a full “done-for-you”, end-to-end training service, meaning that Hook Security manages testing, training, and reporting on your behalf—so you can focus on active threats. Additional features include partner training and certification, marketing and sales support, priority support, monthly billing, and discounted pricing. 

Hook’s security is cloud-based and deploys instantly, and easily integrates with an organization’s existing tooling. To upload users, organizations can upload users via CSV or one of their integrations—including Active Directory. Hook Security is the ideal solution if your clients are SMBs or Enterprises, and are looking for a comprehensive yet optimized and engaging solution to train their users. 

Summary

Security awareness training should be a vital part of any MSP’s security stack. It not only increases security and helps transform user behavior, but decreases the likelihood of issues with compliance, lawsuits, breaches, and attacks. 

We strongly recommend that MSPs partner with providers that offer a combination of engaging training content, phishing simulations, and robust reporting capabilities, to ensure the maximum effectiveness of their awareness training program. After all, results will speak for themselves—selecting the right solution is key.