In the modern digital landscape, human error is behind a large share of cybersecurity incidents. Channel pros who offer security services have an opportunity to upsell clients on cybersecurity training, a crucial step for improving security posture rather than settling for "check-the-box" compliance.
Training is also critical for obtaining good cyber insurance coverage, according to Ann Westerheim, founder and president of Westford, MA-based Ekaru LLC, a cybersecurity, data protection, and IT services firm.
After a cyber incident, insurance companies often ask for evidence of cybersecurity training. Regular training provides the documentation insurance providers require while helping clients strengthen their defenses.
To help clients develop a robust cybersecurity posture, and to satisfy insurers' requirements, managed service providers (MSPs) need a structured, effective training program. But where do you start, and how do you ensure that training resonates with employees at every level? Here are some tips from Westerheim and other channel experts.
Teach the Basics
Ekaru starts by keeping things simple, Westerheim said. The firm’s cybersecurity training program covers things like:
- Inventory and secure all assets.
- Implement multifactor authentication (MFA).
- Stay current with security patching.
- Use and maintain strong passwords.
The main message is that every employee plays a role in cybersecurity, Westerheim explained. "This is protecting our company, this is protecting me, it's protecting our clients, it's protecting our co-workers," she said. "That's when the training really has an impact."
In addition, Ekaru delivers its training in short bursts rather than long lectures, Westerheim added. The firm also runs simulated phishing tests so employees see firsthand how a convincing email can lead to a ransomware infection or a scam.
Make It Personal
To make an impact, it's important to offer training that resonates with each employee, said Travis "JT" Dill, vice president and co-founder of Sykesville, MD-based Cybervets.org.
Dill’s nonprofit provides training to transitioning active-duty service members and veterans, with the goal of transforming them into cybersecurity professionals. Early in the program, students must assess the state of their own security hygiene, he noted.
Students are asked how they defend their own home network, including their Wi-Fi, laptops, phones, and other devices. Then they must think through what would happen if their smartphone were stolen and which of the apps on it, considered one by one, put them at risk.
“We make it very personal for them first, and then get them into [practicing] good habits,” Dill said.
Talk About It Often
It’s important to ensure that the topic of cybersecurity stays top of mind for employees as well as clients.
Ekaru includes cybersecurity topics in its customer communications, posts related snippets on its social media channels, and leads lunch-and-learns as well as community discussions on the subject. "It's around developing a culture of security, where it becomes a normal part of conversation," Westerheim said.
Take, for example, the company's weekly newsletter. Ekaru recently featured a piece telling clients they need to reboot after a security patch is installed, since many patches are not fully applied until the system restarts. Alongside it, the firm shared a statistic from its remote monitoring and management (RMM) system: 21% of the machines in the Ekaru community were still waiting on a reboot. The piece both informs and carries a clear call to action.
Group Training Drives Better Results
Cybervets.org President and Founder Shane Gallagher argued that when people learn together, they're more likely to retain what's presented. So the nonprofit's program is built on a cohort model.
“You don’t train in a vacuum by yourself. You need to solve problems together,” Gallagher said. “Learning is social; you can achieve and understand more if you’re with each other, [rather than] doing it individually.”
Make It Worth Your While
Tools allow some cybersecurity training to be automated, such as simulated phishing tests. But it's important to supplement these automated exercises with actual teaching and discussion, Westerheim underscored.
MSPs must calculate the cost of the tools they’re using, as well as the labor needed to educate customers about cybersecurity. “Really understand what your true cost is to do it and figure out how to have a healthy margin around that,” Westerheim advised.
Ultimately, the ROI of offering cybersecurity training is that it solidifies an MSP's relationship with its customers. "If one of our clients has a cyber incident, we're the ones that they were counting on to help protect them, whether they've adopted everything we've said or not," Westerheim concluded. "It's this whole notion of shared responsibility."
Checklist for Building a Cybersecurity Training Program
1. Define Training Goals
- Identify key skills and behaviors employees need to improve.
- Align training objectives with compliance and insurance requirements.
2. Start with the Basics
- Cover essential topics like:
  - Asset inventory and management
  - MFA
  - Regular security patching
  - Strong password practices
3. Make It Engaging
- Deliver training in short, focused sessions.
- Use tools like simulated phishing tests to make it interactive.
4. Tailor Training to Employees
- Customize content to resonate with employees’ roles and responsibilities.
- Highlight personal relevance to boost engagement.
5. Promote a Security Culture
- Integrate cybersecurity discussions into regular meetings and communications.
- Share practical tips and reminders in newsletters and social media.
6. Utilize Group Learning
- Use team-based training sessions to encourage collaboration and retention.
7. Evaluate and Improve
- Monitor progress through metrics like phishing test results and employee feedback.
- Update training content regularly to address emerging threats.
8. Calculate ROI and Costs
- Assess the costs of tools and labor to ensure profitability.
- Set pricing with a healthy margin to sustain your program.
Featured image: DALL-E