Managed services providers (MSPs) are a skeptical bunch. Because vendors and channel experts abound, many MSPs and IT service providers tend to tune out content from vendors. If you’re going to try and sell MSPs on an idea, it better be value-driven. And you need to get to the point—fast.
If someone came to your business and said, “I can help reduce your customer support calls, improve your customer relationships, make your customers more secure, and help them get closer to GDPR-readiness, for little money,” most MSPs I know would respond politely with, “I’ve got a meeting right now.” (And they might not even be that polite.)
But for your customers, such a solution does exist—it’s employee security awareness training. While certainly not a silver bullet, it is a low-cost way for your customers to improve their security. It may even be a crucial part of protecting your clients’ businesses from fines when the General Data Protection Regulation (GDPR) comes into effect in 2018. If your MSP does not offer your customers an employee security training program, you’re missing a big opportunity.
Why is employee security training so important? Quite simply, it helps prevent cybersecurity incidents that could be caused by user error. It’s an essential service to provide for clients that already pay you for security services.
If your customer falls victim to a high-tech or low-tech cyberattack, they could either lack the funds to pay you or dispute or question your competency. Regardless of the incident’s cause, some blame may fall on your MSP services. However, if you’ve delivered a security training program, this can help mitigate the perception that the problem rests solely on your shoulders. And of course, if employees practice good security, the likelihood of a successful cybersecurity incident is reduced.
With GDPR set to come into full effect on May 25, 2018, the security training you provide could help your customers prevent attacks aimed at stealing Personally Identifiable Information (PII), and it could help them avoid situations where cybercriminals attempt to trick employees into fraudulently transferring money. Unauthorised disclosure of PII under GDPR may carry severe penalties and hurt the reputation of the business. In short, a data-breached customer is bad for business.
Four out of the five top cybercriminal losses in the United States were accomplished without rising to the level of a “sophisticated” cybercriminal attack. For example, business email compromise, fraud and romance scams, nonpayment and nondelivery scams, and investment scams accounted for over $840 million in losses for people over 40 years old [1].
What’s sad about these statistics is that, in many cases, there isn’t an easy technical solution—user security awareness training could sometimes be the only option. This is also true for the infamous tech support scams, where someone fraudulently claims to be from a technical support company. IC3 reports, “IC3 has received thousands of tech-support-related fraud complaints. Victims have lost millions of dollars to the perpetrators. In 2016, the IC3 received 10,850 tech support fraud complaints with losses in excess of $7.8 million.” [2]
When an MSP delivers employee security training for their customers, it helps reinforce basic, smart cybersecurity decision making. When properly executed, this training improves employees’ security on both home and work IT environments, which provides value to your customers’ employees as well as to the business.
And finally, it’s often required by law. Virtually all compliance regimes include a requirement for a security training and awareness program [3]. This includes the GDPR, which calls for a wide range of measures to reduce the risk of a PII data breach, and requires that the data protection officer “monitor compliance…including the assignment of responsibilities, awareness raising, and training of staff involved in processing operations.” [4]
Ultimately, providing user security awareness training provides immense value to your customers without overburdening your staff. You’ll reduce the risk of a data breach while also helping in your customers’ efforts toward achieving GDPR-readiness.
Please note that this content represents an opinion and that nothing contained in this content constitutes legal advice in any way. We recommend that you speak with legal experts on the matter to help ensure you are GDPR-ready and help protect your business from any potential fines.
[1] “2016 Internet Crime Report,” Federal Bureau of Investigation. https://www.fbi.gov/news/stories/ic3-releases-2016-internet-crime-report (accessed October 2017).
[2] “2016 Internet Crime Report,” Federal Bureau of Investigation Internet Crime Complaint Center (IC3). https://pdf.ic3.gov/2016_IC3Report.pdf (accessed October 2017).
[3] “Security Awareness Compliance Requirements,” SANS. https://securingthehuman.sans.org/media/resources/business-justification/sans-compliance-requirements.pdf (accessed October 2017).
[4] “Art. 39 GDPR,” General Data Protection Regulation (GDPR). https://www.privacy-regulation.eu/en/39.htm (accessed October 2017).
© 2017 SolarWinds MSP UK Ltd. All Rights Reserved.