The Case for Generating Revenue with Security Awareness Training
Many MSPs are coming around to offering their clients layered cybersecurity solutions that include services like user security awareness training.
With increasingly complex cyber scams emerging all the time, the ubiquity of employee-owned devices on corporate networks and the rising value of data—just to name a few reasons—employers and IT managers are growing painfully aware that endpoint protection alone is no longer sufficient.
With increased adoption come questions of how to package and sell these value-add services. In particular, many of our clients grapple with whether to include security awareness training as a way to reduce security incidents and, therefore, costs, or to charge for a service that is undeniably making their clients’ work environments safer.
Providing a Valuable Service
The effectiveness of security awareness training has been repeatedly confirmed by numerous articles and studies. Given that, according to the research-oriented Ponemon Institute, security awareness training delivers an average ROI of 37x, MSPs can easily rationalize offering it as a free, add-on service.
“If it reduces my incident costs and strengthens my overall security posture, why not roll out security awareness training as a part of my standard layered security bundle?” Or so the thinking goes …
But consider that Webroot data suggests educating employees on the threats they face online can reduce the number of user-enabled breaches by more than 86 percent over time. Or that the Ponemon Institute pins about 80 percent of all successful data breaches on human error. It becomes apparent that this is a hugely valuable service to provide clients.
What other service that provides so much value would be offered free of charge? And then consider that, for it to be most effective, security awareness training must be offered on an ongoing basis. The cost of organizing, running, and managing consistently relevant and topical phishing courses, or employee compliance education with each new hire, can add up over time. So, while bundling the service for free may seem like a favorable tactic in the short term, it may turn out to be less so over time.
Practical Pricing for Security Awareness Training
MSPs may also find there’s no single pricing model that works for all clients. Some may be immediately aware of the value of educating their employees to be their first line of defense against cyberattacks, while others may need more convincing concerning what they’re paying for and why.
Trialing clients who are lukewarm on security training—for the initial year of their contract, say—can go a long way toward turning them into believers. After this first year, administrators will almost certainly be able to demonstrate a reduction in phishing click-throughs and a reduced incident rate. Noting that the Better Business Bureau averages the cost per security incident at around $80,000 should help clients better visualize the ROI they’d receive from even a paid version of the service.
In terms of pricing specifically, the cost of subscriber-only content and access to a learning management system (LMS) should be among an MSP’s baseline costs for security awareness training. Administration costs should also be factored into the price on a per-user basis. Then, MSPs can calculate the ROI of the service per client by counting the user-error incidents that occur per client and attaching a dollar amount to those incidents to find the average user-enabled incident cost.
You’ve made the important realization that end user training addresses a huge gap in clients’ security. Now, it’s time to be rewarded for your expertise.
This guest blog is part of a Channel Futures sponsorship.