This content is part of the Essential Guide: MSP security essentials for every IT service provider

MSP security portfolios: How to offer security awareness training

Expand your MSP security portfolio by offering security awareness training, an important layer to clients' overall security initiatives.

As Ryan Giles sees it, security should be a core aspect of all businesses. Whereas at one time it was enough to install antivirus programs and firewalls, he believes with thousands of new viruses coming out every day, security must be a layered approach.

"One layer has to be end-user training, which I would argue is the most important layer. And you also have to have a solid desktop solution and, third, a network-level solution at the gateway," said Giles, CEO of AGJ Systems & Networks. So about three years ago, he and his partners decided to beef up the security offerings in their managed services provider (MSP) practice to help educate clients on keeping up with the latest threats.

Now, as part of its MSP security service, AGJ will go on-site and provide training to companies' employees. "Training your people is one of the very first lines of defense," he emphasized.

Every two weeks, the firm also emails clients tech tips, many of which are security focused. AGJ keeps up with the latest security trends in part through InfraGard, an association of public and private entities that have partnered with the FBI to share information on security concerns.

How effective is security awareness training?

Security awareness training is a burgeoning field for channel firms, which generally believe they have the skills in house to address security activities, even though it is such a complex field and covers so many disciplines, according to a new CompTIA report, Security in the IT Channel. Yet, 42% of channel companies believe they have some level of skills gaps, while only 4% believe that major gaps currently exist, the CompTIA report noted.

Additionally, some 85% of small channel businesses, in particular, have conducted internal training in order to build security skills. "Partnering is another strong option, showing that the many discussions about providers partnering with each other may be starting to bear fruit," the CompTIA report noted.

Users are now the first line in cyberdefense, and if they aren't educated, they are the weakest link.
Mary WhiteCEO and president, Security Mentor

That's where firms like AGJ come in. Because Giles believes that employees clicking on phishing emails is one of the biggest security concerns for companies these days, AGJ is in negotiations to partner with security company KnowBe4, which sends simulated phishing emails and tracks who clicks on them and provides security awareness training.

"The metric we've seen is when enterprises start working with these fake phishing companies … about 16% of their employees click on the email. And then after about a year, the number is down to 1%,'' Giles said. He wants to include this service in their managed offering at no extra cost to clients, he added.

Measuring the effectiveness of their training has been a bit of a challenge, he said, and an area where AGJ has learned a hard lesson.

"Early on we were getting our butts handed to us, quite honestly, with an all-you-can-eat plan,'' he admitted, because of the significant number of help desk tickets clients were submitting, although AGJ didn't break them down by type.

Through participation in peer groups -- specifically MSP coaching organization TruMethods -- Giles said they learned the importance of tracking tickets on a "per end point per month" basis. The goal now is to decrease the number of tickets submitted by half on a monthly basis, he said.

One of the benefits of working with KnowBe4 would be finding out the number of employees who click on phishing emails, since KnowBe4 tracks that. "So we're hoping we'll be able to work with them and reduce our potential security incidents," Giles said.

MSP security training: The value of partnerships

Security Mentor is another training company that offers online security awareness training. The company allows channel partners and clients gauge the effectiveness of the training by doing pre- and post-training assessments in their own environment, said Marie White, CEO and president.

But there are other methods, as well. "A core metric required for compliance is the tracking of training progress and completion,'' she said. "Trainee satisfaction -- how much employees like training -- is critical to the success of any training program and can be measured through employee surveys."

Currently, Security Mentor's partners sell the company's training as a standalone offering. "However, we are exploring relationships with multiple MSPs who are looking at including our training as part of their core offering,'' White said. "For security-centric VARS (value-added resellers), adding security awareness training is a great opportunity to expand their security practice by offering [a] holistic security ecosystem sale."

Most clients recognize the need for a strong security awareness program that covers all areas where employees make mistakes or where employees are vulnerable to attack by cybercriminals, she said. Some of the most popular training topics include information protection, phishing and email security, social engineering, and mobile security.

Security guidance vital to every organization

Most of Security Mentor's client companies that are midsize or larger have security staff, while smaller companies generally don't. But White said even companies with in-house security staff often don't have the time, content or tools to roll out an effective security awareness training program on their own, so they turn to them for assistance. Even if larger companies have an existing security awareness program, they sometimes come to Security Mentor because they recognize that their homegrown training is not as effective as it could be, she said.

For AGJ, only about 5% of their clients have in-house security, so they rely heavily on them for security guidance, Giles said.

Both he and White emphasize that training employees to do their part to avoid network breaches has never been more critical.

"Users are now the first line in cyberdefense, and if they aren't educated, they are the weakest link,'' White said. "Security awareness training is a critical linchpin in IT security."

Next Steps

Read why MSPs must focus on human error in security

CompTIA: Channel partners should deliver modern security offerings

Compare user behavior analytics with security awareness training

Dig Deeper on Employee Training and Development for MSPs