One of your customers’ employees logs into their computer. They get an email from someone claiming to be their IT service provider, saying they must reset their password immediately (even though there wasn’t any warning beforehand). They click a link without checking the destination URL, go to a phishing site, and enter the credentials for their email. The criminal now has access to their email credentials and starts a spear-phishing campaign.
This scenario could have been avoided with a little caution. Solid security awareness training should have helped this employee think twice. Unfortunately, many businesses see training as a box they have to check for compliance. Employees often walk away and forget the training.
As a managed services provider (MSP), you can’t afford to be like most businesses. You must make these trainings as memorable as possible so employees remember what they have been taught. Beyond the security benefit, strong training helps reinforce your MSP brand and demonstrate the value you bring to the table.
Today, I’ll talk about what to include in security training. Just as important, I’ll talk about how to cover these topics.
Before I get into the “how,” let’s talk about the “what.”
First, decide the level of training you must give to your clients, and tailor your presentations appropriately. In some cases, you’ll focus on compliance issues like HIPAA, PCI DSS, SOX, or GDPR. In other cases, you simply need to teach users good security policies.
Regardless, most trainings should include at least the following:
There are certainly more areas to cover. However, these should get you started.
Training employees is one thing; helping them retain information is another. You’re aiming not just for knowledge here—you want behavioral change.
First, consider going on site to offer the training rather than doing it online. For starters, it’s a great opportunity for you to reinforce your brand and the value you provide to customers. But more importantly, you get to engage the audience in person, make sure people pay attention, and help reinforce the concepts. If people don’t seem to truly understand the content, you can adapt your explanation on the spot.
Second, don’t lecture—involve the group. This can reinforce learning. Ask questions about the training, and consider offering rewards for participation (like a branded giveaway).
One interesting tip—ask the group to explain what you’ve taught in their own words. This can reinforce retention, and it also gives you real-time feedback on your audience’s understanding. You can correct misunderstandings, help your audience learn more efficiently, and also get tips on how to improve.
Additionally, try to use real-life examples to reinforce concepts. The language that you use really makes a difference. A 20-year-old may be more concerned with their social media account being hacked than with their retirement account.
Finally, have handouts and leave-behinds ready to go. Posters and reminder cards may be old school, but they really do work to create a culture of security. This can also be a great branding opportunity for your MSP.
Many companies hold trainings only to protect them from liability or to meet a compliance goal, but service providers need to go beyond this. People are often the weak link. Employees make mistakes that expose organizations. As a service provider, you must do your best to not only offer security trainings but make them engaging so your customers’ employees retain the information and, hopefully, think twice before putting the company at risk.
Tim Brown is VP of Security for SolarWinds MSP. He has over 20 years of experience developing and implementing security technology, including identity and access management, vulnerability assessment, security compliance, threat research, vulnerability management, encryption, managed security services, and cloud security. Tim’s experience has made him an in-demand expert on cybersecurity, and has taken him from meeting with members of Congress and the Senate to the Situation Room in the White House. Additionally, Tim has been central in driving advancements in identity frameworks, has worked with the US government on security initiatives, and holds 18 patents on security-related topics.