Should MSPs offer cyber security training to clients?

Toby Nangle, global partnership and channel lead at Field Effect

Small and mid-sized businesses rely on MSPs like you to keep them covered. Over time, the scope of your role has grown significantly. Whether to stand out from the opposition or impress a lucrative prospect, sometimes MSPs will bite off more than they can chew. Security training used to be a nice-to-have in any managed security service but, in part due to the competitive nature of your industry, it has quickly become a must-have.

Modern MSPs should offer training with their managed security service, and there are a few critical reasons why. The good news is adding training is easier than many think, and it has a wide range of advantages for both you and your clients. 

Key reasons to add training to your managed security service

1. An organization’s people is its first line of defence

In recent years, companies have spent more time reducing cyber risk by implementing, configuring, and properly managing their IT infrastructure. They’ve put more budget toward cyber security solutions that identify unpatched software, legacy hardware, and other security gaps. These investments have led to fewer technology-related vulnerabilities for threat actors to exploit for access.

Meanwhile, employees have been and continue to be a prime opportunity for attackers. The SANS 2022 Security Awareness Report even stated that “people have become the primary attack vector for cyber attackers around the world” and that “humans rather than technology represent the greatest risk to organizations.” There are a few reasons why employees are such a prized target.

Phishing emails are harder to detect than ever

Phishing scams have been around for a long time, and many elements are largely unchanged. Attackers are still primarily money motivated—they’re asking for wire transfers, banking information, corporate credentials, and other valuable data. The scams also continue to exploit natural human emotions, such as curiosity or fear, to pressure the victim into responding. 

One thing about phishing scams, however, has evolved significantly: their sophistication. 

Many broad phishing campaigns—when attackers send basic malicious messages out en masse—now appear to come from real organizations the victim is likely to communicate with. For example:

  • You receive an email from a government department saying you’re eligible for a new benefit, and they need your social insurance number to issue it.
  • You receive a text from the bank saying you have a $438 wire transfer pending, and you need to click the link and log in to accept it.

In some cases, attackers are doing a great deal of reconnaissance before launching an attack on their target. They may look at the person’s social media accounts and online presence, researching the organization they work for, to build a highly targeted and personalized phishing message. This attack tactic, called “spear phishing,” disproportionately targets those in positions of power, such as finance personnel, administrators, and executives at organizations. 

Cyber criminals go to great lengths—even building their own mail servers and infrastructure—to make their malicious emails indistinguishable from real ones.

Cyber attacks on employees yield good results

During a cyber attack, all it takes is one click to undo months, even years, of hard work establishing a powerful defence. One phishing email to a distracted employee can halt your client’s entire operations. 

Modern cyber security solutions do a great job at protecting systems, but not necessarily the people who operate them. Major vendors have worked hard to combat malicious email-based campaigns, yet these messages still find their way into our inboxes. 

This is exactly why the average employee is one of the largest cyber security risks to your clients and why offering training is imperative to reduce this risk as much as possible. However, there’s another less malicious reason that cyber security training is essential—and that’s the fact that humans are prone to innocent mistakes. 

Humans also make mistakes (and those have consequences)

Security issues aren’t always the result of a malicious outsider bombarding employees with malicious emails; they’re often caused by minor slip-ups. An unintentional error, such as sharing passwords or internal documents with others, can put a business at risk.

It’s unfair to assume that all employees understand basic cyber security hygiene and best practices. Think about it: unless an employee undergoes proper training, the bulk of what they know about cyber security probably comes from online websites, word-of-mouth, or a corporate announcement from the IT department.  

2. Offering cyber security training is better for the MSP’s bottom line

MSPs that offer cyber security training for their clients and end users will see positive changes to their bottom line for two main reasons.

Fewer service calls and requests from clients

Proper cyber security training leads to fewer service calls. MSPs are the go-to source for any client needs, whether they have a question about sharing corporate passwords or if they can connect to public wi-fi.

MSPs are also the first call a client makes if they notice suspicious activity, are unsure about the legitimacy of an email, or believe there has been a security incident.

Well-trained users won’t need as much support from you because they will better understand cyber security best practices and make fewer mistakes. Remember: your client is their own first line of defence. Improving their security knowledge creates an additional defensive layer.

What’s more, you will have more time to put toward strategic initiatives if you’re spending less time responding to daily requests or confirmed cyber attacks. 

It can help you attract and retain clients

Including cyber security training creates a well-rounded managed service package that attracts new clients and retains existing ones. Training is a competitive edge, a tool for MSPs to differentiate themselves from the competition.

In fact, only about 60% of MSPs located in the Americas include training as part of their managed security offering—meaning nearly half of MSPs are missing out on this growing opportunity. 

Similarly, clients with better cyber security habits are less likely to experience a security incident that inevitably damages the reputation of the MSP that was supposed to protect them.

According to Verizon’s 2022 Data Breach Investigation Report (DBIR), 82% of breaches involve the human element. This figure, down from 85% of breaches in 2021, shows that technology alone can’t solve the cyber security problem.

Instead, companies need better training to encourage better behaviours and practices, but what should that training include?

What kind of cyber security training should MSPs offer?

MSPs have their choice of learning materials. Monthly webinars, videos, quizzes, in-depth guides or handbooks, even phishing simulations are all great ways to deliver effective training that resonates with the client. 

Providers will need to customize their training based on their client base, but cyber security awareness, compliance, and phishing training are must-haves.

Awareness training

Technology alone can’t stop all cyber threats, and unaware employees can be one of the biggest risks to an organization. That’s why investing in cyber security awareness is imperative. 

This type of training can focus on cyber threats specific to your client base, such as social engineering, ransomware, and malware. You may also want to focus on cyber security best practices, including elements of a strong password and how to configure multi-factor authentication properly. 

However, one-off training isn’t enough. It needs to be consistent and practical so that cyber security best practices become second nature to your clients. Offering consistent learning opportunities and recommendations will help entrench good cyber security hygiene and a “security-first” mindset so safe behaviour becomes natural.  

Compliance

Cyber security compliance is a major priority. Depending on your clients’ industry—healthcare, finance, education, public service, and similar—they may be in scope of certain regulations and regular security audits. Similar regulations may apply depending on your clients’ geographical locations.

For example, the General Data Protection Regulation (GDPR) requires any organizations that collect personal data of those in the European Union (EU) to follow certain cyber security best practices and standards, or to face a regulatory or legal fine. 

MSPs may wish to offer their cyber security clients additional training and guidance when it comes to compliance. Regulations can be difficult to navigate, particularly for smaller businesses without legal staff or compliance experts. 

Phishing simulations

Huge strides have been made to detect phishing campaigns, but threat actors are getting crafty and coming up with new approaches that bypass these measures. One way is to gain access and leverage a trusted account. Modern phishing messages look real but, by using the account of an actual employee in the organization, the messages actually are real. 

The most effective way to teach someone to detect phishing attacks is by training in a controlled, simulation-based environment. Phishing simulations reflect recent threat actor techniques, offer visibility into overall preparedness, and deliver insights to address gaps.

Phishing simulations will create more resilient employees who are better prepared to defend against social engineering. Executives will see how risky untrained employees are and can use the results-driven insights to improve their cyber security.

How can MSPs offer clients cyber security training?

MSPs face two specific challenges when offering cyber security training.

The first: not all MSPs have cyber security professionals on staff. The demand for cyber security talent is far greater than supply. ISC found that there is still a gap of almost three million positions and estimates that the cyber security workforce must grow 65% to “effectively defend organizations’ critical assets.” 

Let’s also not forget that when demand exceeds supply, costs go up. Hiring even one cyber security professional is out of reach financially for many businesses—MSPs included.

The second: even if you know the material, documenting it takes time. Creating and supporting training content is too resource intensive for MSPs already busy with existing clients and services.

Regularly refreshing content with new threat techniques or best practices takes time and money. At the end of the day, your core business services get priority—despite all of training’s benefits.  

Partner with an experienced cyber security company

It’s a lot to take on yourself. Instead, outsource your cyber security training to a company with specialized experience. By partnering with a vendor that offers enablement resources that support training initiatives, you can offer cyber security training as part of your managed service package and receive all the benefits that come with it.

Field Effect, a global cyber security company, offers a free Cyber Security Starter Kit full of important information that can help anyone master the cyber security basics. Download this no-obligation bundle of their most popular eBooks and webinars and start sharing them with your clients today.

Or check out Field Effect’s Partner Momentum Program. Field Effect partners gain unlimited access to monthly expert-led webinars, co-branded guides on dozens of critical cyber security topics, and so much more—perfect for MSPs that want to offer cyber security education to their clients.