MSP Training: How often and what kind?

According to Barracuda Network’s Evolving Landscape of the MSP 2024 report, 38% of managed service providers (MSPs) offer security awareness training (SAT). However, experts say that the percentage should be much higher because of the high return on investment (ROI), and SAT is also a good draw for new customers. The same report showed that 24% of MSPs reported that SAT was one of the time draws for new clients.

According to Keepnet Labs, cyber security awareness training led to a 70% reduction in security-related risks in 2023. According to CyberPllot, this training can result in an average savings of $149 annually per employee. Most experts SmarterMSP.com has spoken to say that cybersecurity training, done regularly, is the single most cost-effective way to prevent breaches. Most experts agree that the training should be engaging and fun and make the workers partners and stakeholders in the company’s cybersecurity.

Cybersecurity training as a critical line of defense

Anthony Haggarty, security engineer for an MSP, emphasizes the crucial role of security training. “Cyber attacks are rising, and the cost to businesses is escalating. Unfortunately, many of those attacks are successful thanks to a major source of risk for every business – its employees,” Haggarty says, noting that employees are a major driver of risk for businesses, from opening an email to clicking on an attachment to transferring funds. “But it’s a risk that can be mitigated effectively and affordably with a security education training and awareness plan.”

Haggarty points out that it is difficult to assign a dollar amount to the ROI of employee cybersecurity training when you’re measuring the effects of something that didn’t happen. Therefore, an MSP and its customers have to view cybersecurity training as a type of insurance policy that limits future damage. “With today’s threat landscape, a cyberattack is practically a given, so employee cybersecurity training is an insurance policy that isn’t optional.” He recommends MSPs conduct security training quarterly at a minimum.

Approaches to training

Jonathan Hansen, CEO of Washington State-based MSP, also emphasizes the importance of training.“We’ve seen firsthand how gamification and structured standards turn employees into a company’s first line of defense, reducing risk and strengthening its overall security posture. We’ve also seen the unfortunate consequences of businesses neglecting cybersecurity training.”

Paige Hanson, an IT expert, agrees that the best training is continual. “Cybersecurity training can’t be a one-and-done exercise. It needs to be ongoing, adaptive, and engaging.” He goes on to add that the best approach is to mix up the training methods throughout the year and use different methods to engage employees. Some of Hanson’s suggestions and thoughts about them.

• Lunch and learns: These are great because they spark discussions.
  Role-specific training: These programs make it relevant to that department and group instead of generic training, which may not be relevant to the people attending.
•  External speakers: A compelling speaker can bring in fresh insights
• Tabletop exercises: Prepare teams for incidents.

Hanson also says that MSPs can leverage the industry awareness days.“These are a great opportunity to engage!” Among them are:

• National Consumer Protection Week (March 2-8)
• World Backup Day (Mar 31)
• Identity Management Day (April 8)
• World Password Day (May 1)
• Cybersecurity Awareness Month (October)
• International Fraud Awareness Week (Nov 16-22)

Ongoing, engaging cybersecurity training for MSPs

Meanwhile, Mike Estep, VP of Communities at Denver-based MSP, Blackpoint Cyber, thinks cybersecurity training should be required for all employees. “Update time depends on the type of training, so for compliance frameworks, it should be annual unless a framework changes requiring any additional steps,” he states.

For product-specific training like Microsoft 365, Estep says Blackpoint gamified it and offered classes that were routinely updated every 90 days. When it comes to business skills training, Blackpoint tries to offer updates every four to six months—not really new versions, but updates. “For clients, we provide application training as part of our services. We believe that if our clients could use a product better, then they would consider efficiency help as a reason we were the best MSP,” he explains. Estep adds that compliance frameworks always had to go through other vendors for the reporting related to audits. “It’s the same for things like Security Awareness Training. The training is important, but your ability to survive an audit is why we like companies specializing in SAT compliance reporting.”

As the landscape of cyberattacks continues to evolve, ongoing, engaging, and personalized training is no longer optional but essential. Whether it’s quarterly sessions or gamified learning, regular updates and adaptive training methods can empower employees to become the first line of defense. Ultimately, MSPs prioritizing cybersecurity education will strengthen their security posture and build long-term success for themselves and their clients.

Note: The article originally appeared on SmarterMSP.com.