Here’s a thread that doesn’t add up:

1. Phishing statistics are abysmal. A Webroot survey found that 29 percent of employees admit to having clicked on at least one phishing link over the previous year.
2. Security awareness training (SAT) can reduce malware encounters by up 90 percent compared to endpoint protection (EPP) alone. In other words, SAT dramatically reduces risk even amid world-class, automated solutions that bolster endpoint security deployments.
3. Even though phishing risks keep their clients up at night, MSPs report significant difficulty getting them to adopt SAT. The challenge is so great, in fact, that less than half of MSPs offer SAT.

That’s a big disconnect. To help you give your clients some education about education (of the security variety), we’ve detailed three approaches to help you get your clients off the dime.

Approach One: Let data make your case

Here are some stats from the Webroot survey that you can use to drive home the importance of SAT:

• 53%: The number of SMBs experiencing phishing/social engineering attacks. That’s more than any other type of attack, including web-based attacks and general malware.
• 29%: Global workers that admit to clicking on at least one phishing link the previous year. That jumps to a full one in three users in the U.S.
• Up to 90%: Reduction in phishing clicks with SAT deployment.

Other documented benefits of SAT include:

• Lower support costs
• Increased satisfaction of compliance requirements
• Lower click rates on simulated attacks
• Fewer security incidents in general
• Fewer phishing incidents
• More suspicious emails reported by users

Approach Two: Share top reasons companies adopt SAT

Use cases can make a big difference with some clients. To that end, here are some of the primary reasons businesses are adopting SAT, according to G2 Crowd reviews:

• To achieve compliance: “We need to comply with PCI and GDPR, and awareness training is a requirement.”
• To identify high-risk users: “Helps us identify end users that easily fall for phishing schemes.”
• To stop risky behavior: “Drastically lowered the number of users who have given their email credentials out.”

If, like most MSPs, you have some cyber resilience [CF4]customers using SAT and others who are reluctant, using some of your own experiences can help, particularly among like businesses (think: size, scope, vertical industry, etc.). And if you’re working with a provider partner with a solid channel team, call on them for some examples, too.

Approach Three: Cite SAT as a factor in cyber insurance

Cyber insurance requirements may be your most potent motivator among some clients. The nascent cyber insurance industry has been something of a wild west as it’s established a foothold, but some standards and preferences are starting to emerge. SAT training is one of these areas[CF5]. Some experts think SAT will become a requirement for coverage even though it’s not there yet, but even if that doesn’t transpire, it’s already a known booster when applying for coverage.

SAT’s emerging role in cyber insurance offers two potent discussion angles for driving adoption:

• First, for customers that already have or plan to get cyber insurance, you can point out that SAT is an emerging coverage factor and getting it deployed ahead of new applications and renewal reviews is likely beneficial.
• Second, even for customers that may not be pursuing cyber insurance, the emerging focus on SAT in insurance applications speaks to its efficacy. Insurance companies are notoriously numbers-driven. If SAT didn’t move the needle, insurance companies wouldn’t care about it.

The Bottom Line

Nobody knows your customers better than you, and only you can decide which of these approaches—one, all or none—is appropriate in each instance. And, on a final note, it’s probably worth connecting with your provider partner’s channel team—particularly if they help MSPs close SAT deals—to find out which factors deals have been closing on lately. That kind of insight can dramatically shorten your learning curve.