Cybersecurity breaches are expensive. Even if you provide industry-leading cybersecurity services, modern malware tactics are too sophisticated for you to guarantee that your clients will stay 100% safe. A single breach at a client site can spell countless man-hours lost to remediation and disaster recovery—not to mention the damage it does to the trust your clients place in you and your services.
Here are 10 reasons that stress the importance of security awareness training in today's cyber-climate.
1. End users are the weakest security link.
Let’s be honest: users are the weakest link in the cybersecurity chain. Hackers prey on human curiosity, trust, negligence, and even greed to introduce malware into networks. Additionally, while 79% of workers believe they can identify a phishing email vs. a legitimate one, 49% click links in messages from unknown senders while at work, 48% have had their data stolen, and many don’t take appropriate pre-breach precautions or post-breach action. [1]
2. End users are ALSO the first line of defense.
Users are generally an easy target for cybercriminals because they can be tricked into opening suspicious emails, downloading bad attachments, and visiting malicious URLs. With proper education about malware sources and training to avoid them, humans can become the first line of defense against cyberattacks. Trained properly, users learn to spot and report potential threats to security teams.
3. Training is a wise investment.
According to the 2019 Verizon Data Breach Investigations Report, 90% of malware delivered to businesses arrived via email. [2] Per our own data, after 12 months of ongoing security awareness training and phishing simulations, end users are 70% less likely to click through on a phishing message. [3] Taken in conjunction, those numbers underscore the importance of security awareness training.
4. It’s time for breaking bad (habits).
Technology alone cannot stop security incidents. But investments in security awareness help break bad habits by teaching end users about the critical role they play in keeping their organization safe.
5. No target is too small.
MSPs’ SMB clients often assume hackers only target enterprise networks. In reality, SMBs face the same risk as large companies. Not only do SMBs handle the private and financial data hackers want, but they are also less likely to have the resources to invest in the types of security programs large enterprises can afford. In some cases, hackers even try to break into larger companies’ networks through digital links with SMB partners.
6. The stakes are high.
Preventing cyberattacks isn’t just about avoiding malware infections. Depending on the extent of the damage, an attack can deliver financial and legal blows, erode customer loyalty and trust, and even threaten the survival of a business. For MSPs, an attack on a client is by extension an attack on their business, and poses similar threats.
7. Threats abound.
From phishing to drive-by downloads, malvertising to ransomware, social engineering to code injection, threats are so numerous and varied that users can’t keep up without education. Users not only need awareness training, they appreciate its benefits. With training, their own data is also less likely to be compromised, making it relevant to them on both a personal and professional level.
8. It’s always going to be a work in progress.
Cybersecurity training isn’t a one-off. The threat landscape is always evolving, making user education an ongoing endeavor. Make sure clients understand their users need recurring high-quality, relevant, actionable training.
9. Training helps ensure regulatory compliance.
Many industries, such as financial services, healthcare, energy, and others, require end user awareness training at least annually. Depending on their industries, your clients could face stiff fines for neglecting compliance training.
10. Embrace the trifecta.
Security awareness training is a win-win-win scenario. The user wins by becoming more aware and more secure. The company wins because its risks are measurably reduced and its compliance record stays in good standing. And the MSP wins by minimizing its remediation time and costs, providing relevant security service value to clients, and expanding its portfolio of revenue opportunities.
[1] Webroot Inc. “Hook, Line, and Sinker: Why Phishing Attacks Work.” (September 2019)
[2] Verizon. “2019 Data Breach Investigations Report.” (May 2019)
[3] Webroot Inc. “2019 Webroot Threat Report.” (February 2019)