SolarWinds MSP recently released the results of its survey into the cybersecurity preparedness and experiences of 400 SMBs and enterprises across the U.S. and the U.K.—you can read the blog post here for the full story.
In this series of posts we will be unpacking the most significant findings from the report. And to help companies, managed service providers (MSPs), and other IT professionals get a handle on growing security threats, we’ve highlighted seven areas from our survey where businesses need to improve to help boost their chances of not getting breached. Over the next few weeks we’ll publish a look at each of these areas in detail.
Last week we looked at how companies are applying security policies “Inconsistently” across the board, and this week focuses on “Negligence.”
Despite all the commentary around the importance of security, our survey found that only 16% of the 400 companies that responded considered user security awareness training a priority.
Instead, it found that a large majority (71%) were just paying lip service to the concept—either including security awareness as a one-off event as part of their employee on-boarding process or just reinforcing it once a year. The remaining 13% admitted that they do nothing.
The stats suggest that companies are being blasé and almost reckless with their security. By not having an awareness training program, they are failing in this key area. And this is undermining their ability to effectively protect their assets because cybersecurity protection begins with people who are working with the data.
While this shows complacency on the part of companies, it also represents a huge area of opportunity for managed service providers—and could well be the clarion call they need to start pushing security services to their customers.
A look at the changing regulatory landscape shows that more needs to be done here. Increasingly, security awareness training is becoming part of the regulatory requirements of different sectors. For example, on March 1, 2017, the New York Department of Financial Services’ (DFS) Cybersecurity Regulations came into effect, requiring covered entities to implement a comprehensive written information security program, of which user awareness training is a key component. There is also a regulatory requirement for user security awareness training within HIPAA.
Elsewhere in the world, security awareness training will be a crucial part of the requirements of the European Union’s GDPR. On top of this, PCI DSS compliance requires that organizations must train their employees on data-handling best practices.
This is clearly a huge opportunity for MSPs since they are well positioned to offer enhanced security options to their customers. This capability can not only help their customers meet potential regulatory compliance requirements, but also help increase security and prevent a breach from occurring.
Offering security awareness training as a loss-leader is an excellent way to help MSPs open the door to new customers and help them to grow their business.
Next week’s blog post will look at how companies’ “Short-sightedness” is affecting the security landscape.