Webroot: Security Awareness Training Is The Key To Resilience
‘Small and medium businesses are in front of threats day in and day out. The Trojan horse is the employee inside that business that just doesn’t know what’s going on,’ says Webroot’s Braden Sawyer.
Security awareness training is the most worthwhile investment MSPs can make to strengthen their clients’ defenses against ransomware and other cyber threats, according to Webroot.
Businesses can save money and mitigate risk by having their employees go through a small amount of security awareness training, which can dramatically reduce the likelihood of workers clicking on phishing emails, according to Braden Sawyer, senior channel manager at Webroot, an OpenText company. The training also facilitates more strategic conversations between MSPs and their customers, Sawyer said.
“Small and medium businesses are in front of threats day in and day out,” Sawyer said Tuesday during XChange+ 2021, hosted by CRN parent The Channel Company. “The Trojan horse is the employee inside that business that just doesn’t know what’s going on … The most important layer of cyber resiliency in my mind is security awareness training.”
Paying upfront for security awareness training will save businesses money in the long run by reducing the likelihood of compromise and associated costs such as MSP overtime and the acquisition of a forensics tool, Sawyer said. By evading a cyberattack, clients will also avoid the costs associated with litigation initiated by irritated customers or investors, Sawyer said.
Sawyer said MSPs can get results from as little as 45 minutes of security awareness training each year, which is broken into three-to-four-minute video segments users are instructed to watch each month. The videos include a little bit of gamification to boost employee engagement and participation while still keeping things fun, according to Sawyer.
A mere 45 minutes of security awareness training each year reduces the likelihood of employees clicking on phishing links from 40 percent to just 10 percent, according to Sawyer. In fact, Sawyer said a few companies Webroot has worked with have gotten their malicious click rate down to just 3 or 4 percent.
At a 10-person company, Sawyer said the training could translate into three or four fewer clicks on malicious emails over the course of a year, which could in turn save the business $30,000 to $40,000. In addition, Sawyer said cyber insurance vendors have started offering lower premiums to policyholders who require all their users to complete security awareness training exercises.
“You’re talking to a business owner about return on investment,” Sawyer said. “You’re talking to a business owner about saving money and the mitigation of risk, not to mention the money that they might be able to save on cyber insurance.”
Security awareness training is often a compliance requirement in regulatory frameworks such as NIST (National Institute of Standards and Technology) and what’s laid out by the Texas Department of Information Resources (DIR), according to Sawyer. And even if customers initially sign up for security awareness training to check a box, Sawyer said MSPs can turn it into something more.
“If we do get closer to them, if we do have those leading conversations about their money, what we understand is that they’re going to go deeper with you, with the MSP,” Sawyer said. “They’re going to get more products. I believe that this is a real threat, and they have a get handle on it.”
Interested MSPs can reach out to Webroot for a demo of its security awareness training platform, and Sawyer said the company is even willing to deliver the training on behalf of very small MSPs that lack the personnel to do it on their own. MSPs that put in the work and talk with their customers about security awareness training will become stickier and earn that trusted advisor status, Sawyer said.
“It [security awareness training] leads to a reduction of breaches and infections and maximizes that ROI,” Sawyer said. “Organizations that back up their data, that train their people, that protect the network, protect their end users, and have the ability to restore, they’re not going to be down and they’re not going to be mad at you.”
SingleSource IT includes security awareness training as a standard part of its managed services bundle, according to Michael Hart, solution architect at the Louisville-based solution provider. Users who’ve completed the security awareness training have gotten better at catching phishing emails, Hart said, and robust C-suite support from customers has driven high levels of employee participation in the training.
“End user training is definitely a necessity,” Hart said.