Security Central: Why MSSPs Should Make Security Awareness Training a Priority
What are security managers in the finance sector concerned about when it comes to shoring up defenses in 2018? End-user education and awareness. That conclusion comes from the results of a survey conducted by the Financial Services Information Sharing and Analysis Center (FS-ISAC) that was released this month.
For its 2018 CISO Cybersecurity Trends report, FS-ISAC asked security managers to weigh in on the most critical cyberdefense methods. Of the CISOs surveyed, more than one in three (35 percent) said that employee training is a top priority for improving security posture in the financial sector.
The Opportunity for MSSPs
It’s clear these figures offer insight for managed security service providers. The takeaway? Give your customers what they are looking for: security awareness training.
The awareness training service market is positioned to boom, according to a recent report from Cybersecurity Ventures, which claimed global spending on security awareness training (SAT) for employees will reach $10 billion by 2027. Still, at this time, many figures put overall implementation of SATs in U.S. companies at between 50 and 60 percent, so there is plenty of room for growth.
Are you offering an awareness training program as part of overall services? If not, why not?
There are multiple benefits of including an SAT program, including:
- Awareness training can reduce security incidents. Research from Wombat Security Technologies and the Aberdeen Group found that changing employee behavior when responding to cyberthreats via social media, phishing and other popular attack vectors can reduce an organization’s risk by as much as 70 percent. Notice I said “changing employee behavior” — not just having an SAT. More on that later.
- Awareness training positions you as a collaborative partner in your client’s overall, holistic approach to security and risk. Beyond simply offering technology and products to your clients, an SAT gives you the opportunity to have a larger discussion about strategy with your customers and to be seen as a key stakeholder in that overarching “big picture” when it comes to reducing risk for their organization.
- Awareness training can increase your revenue. An SAT is an additional revenue source that can become part of your overall package of services and offerings.
Successful Awareness Programs
Remember earlier when I mentioned that changing employee behavior is the key? An effective, successful SAT will help with this. But simply implementing one offers no guarantees. What are the “must have” aspects of a successful SAT? Those that truly get employees to take note, buy in to the organization’s mission and make changes.
“All successful programs I have seen have a few key similarities,” says Chris Hadnagy, founder and CEO of Social-Engineer, an awareness consulting and training company. “When these are followed I have seen some amazing results.”
Ashley Schwartau, director of operations and development with The Security Awareness Company, a training consultancy, also weighed in with her tips for a successful SAT.
What are those similarities and best practices? Hadnagy and Schwartau break them down into the following highlights:
- Successful SATs are made personal. Train employees for situations that would take place not just at work, but at home. If examples can be tied back to how an incident would affect their personal finances, home or family, the lesson will mean more. “It helps the person not just in business but in their personal life,” explained Hadnagy.
- Successful SATs are real-world. Sitting at a desk and watching an educational video about phishing or safe device use will only get you so far in changing user behavior. Simulated exercises that measure how well employees actually understand the material are also crucial. “Instead of just videos and tests, it needs to be actual phishing or vishing tests to help the person realize what it feels like when it occurs,” said Hadnagy.
- Successful SATs are consistent. “A successful awareness program must be treated like a marketing campaign,” said Schwartau. “Regular, consistent, frequent and creative. Use a variety of messaging formats — don’t rely on one mandatory LMS training module every year. Mix it up with monthly newsletters and videos, quarterly games and modules, bi-annual company events, weekly emails.”
- Successful SATs are for a broad audience. No one is above education, so a successful awareness program must provide content aimed at all users, including executives, technical staff and end users. “Security is a collective responsibility, and none of us [is] above reminders and additional learning,” said Schwartau.
- Successful SATs find the right motivating tone. Going with fear and negativity won’t work, said Hadnagy. “The motivation must be education and positive reinforcement, not shame and negative pretexts.”
With a clear message from organizations that end-user awareness education will be a priority in 2018, MSSPs should heed the call and consider making programs part of their portfolio. But remember: Simply checking the box on offering an SAT program isn’t an effective way to gain client confidence. Knowing the key elements of a successful program and helping customers access one that works for their organization should be a focus in the coming months.