The fact that cybercrooks exploit humans as much as machines and infrastructure isn’t news. Humans present soft targets in today’s threat landscape. No matter how strong your clients’ IT infrastructure defenses are, they can still be compromised by malicious actors who trick unsuspecting employees into clicking on malicious links or opening malicious attachments.
You’ve undoubtedly noticed that phishing remains omnipresent despite the emergence of security awareness training (SAT) programs that can help employees combat cyberthreats. A survey by Webroot found that 29 percent of employees worldwide admit to having clicked on at least one phishing link in the previous year.
As it turns out, the problem is that, even though SAT is effective, it isn’t widely deployed. That presents both a challenge and an opportunity for managed service providers (MSPs).
The case for SAT remains solid
The value proposition for SAT is straightforward: Teaching employees about today’s cyberthreats and how to spot them helps to make organizations more cyber resilient. SAT also helps employees understand their role in protecting company data and assets. As the saying goes, knowledge is power. And there’s solid proof that it works. When deployed, SAT reduces malware encounters by up to 90 percent compared to endpoint protection alone. That can take a lot of heat off other cyber resilience layers.
So, what’s the problem, then?
On one level, MSPs admittedly struggle with fitting SAT into their product lines. Only 45 percent offer SAT, even though 97 percent of surveyed MSPs that do offer it report benefits from their training efforts.
But at its core, lagging SAT adoption is much more a matter of demand than supply. The top three reasons MSPs don’t deliver more SAT are rooted in client disinterest (or at least indifference):
- Lack of client interest in conducting SAT regularly (which is essential to success)
- Lack of client interest in conducting SAT at all
- Challenges in demonstrating value to clients
Reframing SAT for success
Since it’s clear that SAT can make a sizable difference in cyber resilience efforts but MSPs and their clients both struggle with it, some reframing is in order. On the client front, using numbers from surveys – as we’ve done here – can help you break through. In fact, we’ve prepared an overview on pitching SAT to reluctant clients that walks you through the ins and outs of using data to demonstrate the added risk they’re taking on by not deploying SAT in their organizations.
If you’re an MSP that’s struggling to fit SAT into your lineup, here are two quick options that may help:
Review how other MSPs are deploying SAT. Fortunately, you don’t have to dig for it. We’ve pulled it from the Webroot survey for you:
- 4% of MSPs make it a core offering with additional charges for more training
- 8% treat SAT as an add-on with the same training for everyone
- 24% have made SAT a core offering with the same training for everyone
- 26% have made SAT a core offering customized for individual clients
- 38% offer SAT as an add-on customized for individual clients
Consult with your provider partner. A strong provider partner can give you one of the main benefits your MSP offers your clients: insight into what works and what doesn’t for clients just like yours. If you’ve got a good channel team at your disposal, you can learn how MSPs like yours (read: scope, value proposition and verticals served) are succeeding in the marketplace.
The bottom line is that SAT is essential to reducing phishing risk, and MSPs and their clients need to work it into their business routines.