As the threat landscape continues to grow increasingly toxic, it’s understandable that MSPs are redoubling their efforts to find the most effective endpoint security solutions they can. These solutions are characterized by their ability to combat a comprehensive range of threats (malware, phishing, ransomware, etc.), and can significantly boost the security MSPs provide to their clients.
Yet there is one aspect of client security that many MSPs tend to overlook: user education. The need for such education, offered by MSPs in the form of Security Awareness Training (SAT), has been highlighted in a wide variety of IT security-related reports and surveys:
- A 2015 research study produced by Wombat Security Technologies and the Aberdeen Group, “The Last Mile in IT Security: Changing User Behavior,” found that changing employee behavior can reduce the risk of a security breach by 45% to 70%.
- In its July 10, 2015, edition, Federal Computer Week (FCW) cited CEB/Gartner research that shows employee error contributes to 48% of all security incidents, while malware contributes to 20% and hacking represents just 11%.
- According to a recent poll by SolarWinds, 53% of federal IT professionals say careless and ill-prepared employees are the greatest threat to their agencies’ security.
The key takeaway? Users are your front line of defense. It doesn’t matter how good your security technology is behind that front line--if users are making a high rate of errors, then you’re going to have problems keeping those users secure.
It is this human element that cybercriminals so effectively target (phishing emails are an obvious example), and thus it makes sense that every MSP’s information security strategy should include a client SAT program. Not only will this increase your clients’ security, it can have a significant effect on your bottom line. As Jeff Reich, chief security officer at Barricade, put it, “The smarter the organization, the less you have to spend on security because it’s embedded within people that know the value of the data and where their vulnerabilities are.”
As more and more organizations embrace the value of SAT, demand for these training programs is growing. A Gartner analyst pegged the security awareness market at $1 billion back in 2014. A 2017 report from Cybersecurity Ventures characterizes employee training to recognize and defend against cyberattacks as the most underspent sector of the cybersecurity industry, and projected that it could reach $10 billion by 2027.
For MSPs, the business case for offering SAT is compelling. Not only will SAT improve the behavior of your client base, it also shares the security responsibility with those firms. After providing SAT to your clients, they won’t just see you as a service provider who simply handles all things security, all things tech, someone who is responsible for everything that plugs into the wall. They will look to you as a collaborative partner with whom they share a core responsibility for security.
SAT also provides a way for you to add a new recurring revenue stream. It’s an additional service that can be offered in a security bundle, or it could be included as part of an advanced suite of services. For example, SAT could be combined with DNS service as an add-on to an MSP’s basic package, or it can simply be sold as a one-off service.
While SAT gives you a number of options to add new recurring revenue, its most striking benefit may be its ability to significantly reduce the infection rates in your client base. SAT actually helps MSPs save time and save money because they’ll have a client workforce that’s improved their security awareness and is thus no longer prone to creating security risks for their organization that MSPs must then go out and help remediate.
Large enterprises understand well the comprehensive benefits of SAT, and have been conducting their own security awareness programs for a long time. It is the small firms and midsize firms that are under-educated. That’s where the real risk is—but that’s also where real opportunity exists for you to go out and work with your clients to implement an effective—and lucrative—SAT program.
To help MSPs take full advantage of such opportunities, Webroot has incorporated a cloud-based, multi-layered end user Security Awareness Training product. Offering IT security simulation, training and user education courses, this SAT will soon be integrated into the Webroot Global Site Manager console. Contact Webroot to learn more about Webroot and this new Security Awareness Training product coming out in October!
Guest blogs such as this one are published monthly and are part of MSPmentor's annual platinum sponsorship.