As a managed service provider (MSP), you can deploy the best possible security protocols in the world for your small and medium-sized business (SMB) clients, and their top vulnerability will remain intact—human error. SMBs simply cannot fully achieve cyber resilience without security awareness training (SAT).
When you broach the subject, however, you’re likely to encounter two obstacles in discussions with your clients:
- Confusion about statistics and the impact of human error
- Myths about the effectiveness of SAT
Help Your Clients Make Sense Of Cybersecurity Statistics
Cybersecurity statistics make great headlines, but they can also confuse customers who aren’t statisticians. You can help them put the flurry of cyber breach numbers in context with some simple points:
- Cybercrime is occurring too fast to track uniformly. Cybercriminals are having so much success, so fast, that tracking statistics can vary significantly in a brief period. Large-scale events, like the SolarWinds debacle or the recently discovered China-linked attack, can impact tens of thousands of organizations. Even without headline-generating events, cyberattack tallies are rising at a rapid rate. SMBs, for example, are breached at a staggering rate, accounting for 43 percent of all attacks.[1]
- Causal attribution varies from one study to another. Measurement points, tools and “cause” attribution also vary. One study might define human error by breach type and allocate human error primarily to phishing. Another might look more comprehensively at human involvement in security patches and other human-controlled factors.
- Sponsored studies and spin contribute to data mishmash. Sometimes, vendors focus on statistics and attributes that make the best possible case for their solutions, which may not include SAT. (This is yet another reason why it makes sense to partner with a security provider that delivers the spectrum of cyber resilience solutions, giving customers the right protection at the right time.)
- The impact of human error is so significant that knowing which statistic is correct doesn’t matter. Whether you count human error only as a factor in phishing breaches, which account for a third of all breaches [1], or more broadly as a factor in 90 percent to 95 percent of breaches, it’s still a big number. SAT is the solution either way.
Address Security Awareness Training Myths Head-On
In addition to being confused by stats, many SMB customers hold faulty beliefs about their security protection and the need for SAT. It’s best to address them upfront:
- Myth: [Insert technology solution] has us covered.
- Reality: Many companies vastly overestimate the ability of point solutions they have in place, like antivirus or firewalls. Antivirus solutions, for example, are essential to reducing malware threats overall, but most successful phishing attacks occur on systems with antivirus protection.
- Myth: Security awareness training is ineffective.
- Reality: Not all SAT solutions are equal. Solid SAT programs initially can cut phishing clicks by 50 percent [2] and continue to drive those numbers down significantly over time.
- Myth: Security awareness training is burdensome and time-consuming.
- Reality: Good SAT programs are easy to administer and train users through microlessons that take less than 10 minutes each. In fact, brevity and repetition are key to SAT’s successful outcomes.
It All Comes Down To Picking The Right SAT Partner
A good vendor can help you demonstrate the importance of SAT in your SMB clients’ cyber resilience initiatives. Look for a security awareness training provider that simplifies the exercise with comprehensive solutions addressing technical and human vulnerabilities.
[1] Verizon Data Breach Report.
[2] Webroot Customer Campaigns in June 2020.