No matter how hard you try, there’s no way to guarantee that your clients’ data will be 100% protected. Wherever and whenever people get involved in the creation, storage or retrieval process, there will be some level of risk.
In fact, despite all the front-page news on data breaches and compromised personal information, and a continuous stream of education to eradicate a host of bad practices, humans remain the weakest link in the IT security chain. From ignoring company passwords and web policies to connecting unapproved devices to corporate networks, employees can extremely creative at overcoming security protocols.
Some enjoy the thrill of beating the system. You know the type: people rebelling against authority by ignoring the rules and dancing to their own tune. They don’t care, so MSPs are often forced to address the issues and vulnerabilities they create.
IT professionals must take a firmer stance with all their clients’ employees ‒ both good and bad ‒ when it comes to data protection and compliance. End-user training should be a “day one” requirement. Think of it as an opportunity (if not duty) to help your clients proactively address issues that leave them vulnerable to cybercriminals ‒ as well as the huge potential fines and financial damages that can result from their negligence.
With the steady growth of industry regulations and compliance rules, training support is more valuable than ever. Solution providers are in the best position to help the SMB ‒ as solo practitioners or in collaboration with third-party training partners ‒ based on familiarity and comfort.
Simplify the Delivery Process
Cybersecurity training is where MSPs can leverage their “trusted advisor” status to the greatest effect. Trust is key to getting your clients to implement the educational programs, exercises, and tests that raise employee awareness and help break bad email and online protection habits.
Coaching and educating end users on the risks associated with their bad behaviors requires finesses and structure. Some employees never think work policies apply to them and ignore any professional advice. Success requires a “carrot and stick” approach, and many providers (and their SMB clients) don’t have the resources or skills to manage effectively.
In other words, end-user cybersecurity training isn’t easy. If you can hire the right professionals and implement effective programs, it can be a lucrative business practice for MSPs. On the flip side, there are numerous partnering options available to those who prefer to provide oversight instead of owning the training process.
Make it Stick
The hard part comes after selling your clients on end-user programs. You must then build a consensus around the company’s acceptable risk level and develop appropriate policies for each specific business. The final step is never-ending ‒ pushing the message to employees while strengthening the training curriculum and supporting technologies.
Enforcement and compliance can also be difficult. Without the support of management, MSPs may have a tough time keeping their clients’ employees on task. That top-down commitment is essential to the success of these programs.
Fortunately, cybersecurity training experts have been sharing best practices over the past few years, including tips providers can use to gain buy-in from the most resistant end users, such as:
1. Setting the stage: ensure your clients understand the risks associated with bad online habits. Hold a “kickoff” meeting to review the issues and the reasons their employer is implementing cybersecurity training and encourage everyone to contribute to the discussion. Stress the risks to the SMB and explain their role in preventing costly and potentially fatal attacks on their business.
2. Strengthening good behavior: if you want your clients to follow good cybersecurity practices, show them the way in a positive manner. Repetition is crucial. Successful trainers frequently reconfigure and enhance the curriculum and highlight the correct actions taken in various scenarios.
3. Assessing: what does training success look like? Periodic testing helps you and your clients understand which employees understand the risks and vulnerabilities, as well as the best practices for prevention ‒ and highlights those who don’t comprehend those concerns. Training professionals can measure a program’s success based on trends in end-user scores, and then suggest corrective exercises and continued education for those falling below the established standard.
4. Rewarding results: the carrot is as important, if not more crucial, than the punishment delivered to non-compliers. MSPs should rank and encourage their clients to incentivize those who perform well on tests and in security audits. Some companies post the results in common work areas or create contests with prizes for the top achievers. Security training can be a daunting task for employees, but there’s nothing wrong with making it a fun and rewarding competition.
The bottom line of any program is ensuring your clients have the resources and ability to protect their data and the privacy of their employees and their customers. Cybersecurity training is a long-term commitment. These programs take time away from what some business owners may consider to be “more productive” activities.
The ultimate responsibility for training falls on your clients, who must ensure their employees remain committed to the schedule and adopt learned best practices into their normal work activities. As an MSP, you can build effective and easy-to-follow programs and educate users on all the requirements, but end-users still have to accept and step up to the challenge.