As a Managed Service Provider (MSP), you know your customers are serious about defending against cyberattacks. That’s part of the reason why they hired you. Data breaches are all too common these days, costing Small to Medium-sized Businesses (SMBs) an average of $108,000 in 2021 while Enterprises can pay up to several million dollars. In fact, 99% of security professionals that experienced a breach at their organization within the last two years agreed that it would have been preventable with the right measures in place. And, as the most common answer, 71% said that better security awareness training for users would have helped minimize or prevent those breaches. Currently, only 60% of MSPs offer it as part of their managed services offering.
What Exactly Is Security Awareness Training (SAT)?
In a nutshell, security awareness training consists of educational material and simulations targeted at educating users on security best practices, threats they may face, and how to keep both themselves and their organizations safe online. SAT is primarily done through online “lessons”, which might include bitesize videos, quizzes, interactive games, and more, as well as phishing simulations. Phishing tests allow admins to measure their users by sending simulated phishing emails and seeing which employees click on the links or submit data within them.
SAT services are often coupled with additional tools and services related to a company’s users including:
- Dark Web Monitoring Services – detect if any company email addresses or domains involved in a data breach, notifying administrators the data exposed tied to an individual email address.
- Policy Compliance – guiding users through cybersecurity governance policies. Send out policies to your user’s inboxes and track and report automatically on compliance.
- Risk Assessments – assess and identify your company or customer’s threats and vulnerabilities in administrative, technical, and physical domains.
- Sales Module – Assess your potential customers, educated them on their security risks, and bring them under your wing as their MSP
Importance of Security Awareness Training (SAT)
Research suggests that human error is accountable for 90% of security breaches, and growing. Untrained and unaware employees can be the biggest risk facing organizations from a security perspective. Innovative and cutting-edge security technologies offered by MSPs can be pretty impressive, but what happens when a phishing email bypasses spam filters or an employee uses “Password123” to secure a work-related account not set up for multi-factor authentication? An estimated 78% of security decision-makers and influencers view training and technology in combination as equally important in their approach to dealing with security threats.
It’s important to be using the right delivery method when doing security awareness training for your staff. As previously mentioned, bitesize training videos with quizzes at the end are the best practice. Moving away from the 60+ minute ‘cybersecurity awareness’ PowerPoint presentations performed by an IT professional has been proven exceedingly effective; too many people doze off during training that lasts longer than 5-10 minutes. Having monthly security training, 3-5 minutes long, with brief quizzes to test awareness, sent directly to a user’s inbox is the easiest, most effective, and friction-less SAT method today.
Why is Security Awareness Training (SAT) so Critical?
Creating A human firewall, Adding an additional filter for phishing emails
No technology ever created to protect your organization is perfect, therefore users are your last line of defense before a breach. Properly trained users are far more likely to recognize and respond properly to attacks than untrained users. Trained users become your “human firewall” that works alongside your technology protections to defend your business.
Building a Security-Aware Culture
Using awareness training, organizations can embed good security practices throughout their organization, so that employees react appropriately to threats. SAT repetition is no different than sports repetition; the more you practice, the better you become.
Pinpointing vulnerable Users
Awareness training provides admins with critical insight into their user’s behaviors. If an Admin knows who passes or fails phishing simulations, or demonstrates risky behavior, they can go address the weakest link in their human firewall. Repeat offenders can have career-limiting consequences in well-run companies.
Meeting regulatory compliance and insurance requirements
Awareness training is a requirement to satisfy regulations such as HIPAA, PCI, FINRA, CMMC, and ITAR. Compliance failures can lead to significant fines. High compliance with SAT can lower insurance premiums by proving to insurance providers that you’re investing appropriately in your cybersecurity program development and risk reduction strategies.
Friction-less Security Awareness Training (SAT)?
CyberHoot helps alleviate the risks mentioned in this article by giving users engaging, short awareness training. Twelve monthly videos can be assigned to users in under 60-seconds via our programs module.
Login Friction Eliminated
All CyberHoot training is sent directly to each user’s inbox. Users click a link and are instantly training; no user login to a website is required. This eliminates a common point of friction for end-users that leads to much lower compliance.
Open Platform eliminates boredom friction
Most SAT platforms are closed. You get their single flavor of ice cream for as long as you use their product. This significantly harms user participation the longer you play the same flavor of awareness video to your clients and users. CyberHoot eliminates this boredom through our open platform allowing us to provide you with novel content, always current to emerging threats, from the best online sources, orchestrated for you so you don’t have to track anything.
Productivity Tools Training Eliminates support friction for MSPs
CyberHoot’s open platform allows MSPs to embed product training with their project deployments. Imagine the reduction in helpdesk calls when you automatically asynchronously train your client users on Teams during your project rollout? Users are happier learning how to put the new tool to use too adding MSP value to your client relationship.
CyberHoot includes over 60 product training programs for free to help users become productive with tools like Microsoft One Drive, Sharepoint, and Teams (most other Microsoft products too) as well as security products like LastPass, 1Password, sales tools like HubSpot, Salesforce, finance applications like Quickbooks and ADP, and much more.
SAT without Testing is a mistake
One CyberHoot client sent its first phishing test after 3 years of security awareness training. The results of this test seemed to call into question the value of SAT because dozens of people clicked the phishing test links and 7 people provided their credentials in this test. Shocking! Why?
The answer is interesting. Users had the knowledge proven by all subsequent tests where not one person provided credentials ever again, and less than 5 users clicked the fake website in these phishing tests. It turns out the users had the knowledge all along but failed to apply it as they were never tested on it. This is why phish testing quarterly is so important. It holds your users accountable without becoming a burden (more phishing tests are less productive).
CyberHoot can test your employees by sending one of more than 50 phishing simulations to your users. Test them to see if they fall for a fake email by clicking on a link, or submit data to a fake landing login page. CyberHoot uses many popular brands and companies with realistic real-world phishing emails emulating Amazon, LinkedIn, Microsoft, UPS, Fed-Ex, Docu-Sign, and more!
Guide Employees when Technology Can’t
CyberHoot provides all your cybersecurity governance policy needs in our cybersecurity Policy module. Send governance policies directly to users’ inboxes, have them read through, and electronically sign their signature to acknowledge and track user compliance. CyberHoot provides over 25 ready-made cybersecurity policy templates that can be easily customized for each customer.
Cybersecurity Maturity Assessments
Would you like to know how mature your organization’s security is? CyberHoot offers a robust set of cybersecurity assessments/surveys, allowing MSPs and Businesses to get a maturity score on themselves. Our assessments identify common vulnerabilities that must be addressed. CyberHoot has different levels of NIST-based risk assessments that can be sent directly to anyone’s inbox. You can even publish a survey on your website to assess potential customers!
Know your Employees Dark Web Exposure
CyberHoot includes Dark Web Scanning for all of its customers. CyberHoot leverages two dark web databases to see if an email address has been exposed in a data breach. New exposures are monitored for and reported to administrators who can escalate to end-users. Admins are provided with detailed response instructions to make reporting easier.
Eliminate Compliance Friction
Many SATs suffer from poor compliance. CyberHoot eliminates compliance friction by automating most of these processes with zero administration. User compliance is improved by automatically emailing each Manager when their employee does not complete an assignment. Follow-up reporting is improved with weekly recursive management compliance reports.
Security Awareness Training (SAT) Platform Conclusions
Modern cybersecurity SAT SaaS offerings do more than cybersecurity awareness training. When you are searching for your own solution to this user training issue, CyberHoot recommends looking for a tool that eliminates as many points of friction as possible. Consideration should be given to these common friction points in SAT:
- User login friction (password-less)
- User attention friction (open platform)
- Admin friction (automated programs)
- Compliance friction (automated escalation and reporting)
Once you find a tool that eliminates these points of friction you should be ready to begin your cybersecurity program development journey. Good luck, it’s never been more important than today.
Sources:
Additional Reading: