MSP Security Training For Clients
MSP Lesson: The Vital Importance of Security Awareness Training for Clients
Do you know that most data breaches and cyber-attacks succeed because of human error or lack of attention?
Verizon and IBM both report that some 30% of email recipients actually open phishing messages. Meanwhile, Forrester’s 2016 data security report found that a full 41% of data breaches that year were from internal incidents, making them the largest source of successful attacks.
Most internal incidents are unintentional. Some 65% of attacks come from users giving up their credentials, or blindly installing malware. Simply put, these end users do not know any better. That is because they have not been taught.
These nefarious approaches work. “As many as 81% of hacking-related breaches over the last year leveraged stolen or weak passwords, according to Verizon’s 2017 Data Breach Investigations Report, and 1 in 14 users admitted being tricked into following a link or opening an attachment they shouldn’t have,” wrote Michelle Drolet, founder of data services provider Towerwall, in a CSOonline blog.
As an MSP, you are asked to protect computers, and clean up when something goes amiss. An RMM makes remediation possible and installs patches and updates to protect from attacks. Despite these efforts, users still open malicious messages, click on dangerous links, and are tricked into disclosing logons and passwords.
The answer? Security Awareness Training, which you can offer as a separate service or roll into a security service, making that service infinitely more robust and letting you ask a premium for it.
Chances are the employees that drive your MSP are well versed in security. If your clients gain the same acumen, countless breaches and attacks can be thwarted.
While you may have a deep security bench, your tech pros are not teachers. Instead of crafting your own security awareness training service, think about working with a third party, whether a software vendor or consultancy.
Webroot, for instance, has a Security Awareness Training offering that MSPs can implement. “With ongoing, relevant, engaging cybersecurity awareness training – such as phishing simulations, courses on IT and security best practices, and data protection and compliance training where relevant – businesses can significantly reduce the risks they face due to user error. Webroot Security Awareness Training ensures that people, processes, and technology are all harnessed effectively together to stop cyber criminals,” the company explains on its web site. “To maintain success and grow profits, today’s MSPs need automation and simple, low-maintenance management.” “Whether you need to run a compliance program, phishing simulations, or continuous user education to reduce infection rates, our integrated training makes running a fully accountable and continuous security awareness program simple and straightforward.”
Research Shows Value
Forrester analyzed the value of security awareness through an in-depth interview of a KnowBe4 customer. The payback was impressive. “The interviewed customer experienced three-year, risk-adjusted benefits of $413,634 versus costs of $182,125, resulting in a net present value (NPV) of $231,509,” the report found. “Reduction in breach remediation costs ($102,778). This benefit centers on the reduction of breach events stemming from phishing attacks on users.”
However, shops do not pay for training for economic payback – they do it to stop breaches. “The reduction of breaches proportionally reduces the time and effort related to remediation tasks such as workstation reimaging and server recovery. The customer highlighted that these events reduced from double digits each month prior to adopting KnowBe4 to low double digits, single digits, and finally to zero within one year of deploying KnowBe4,” the researchers concluded.
One MSP, AGJ Systems & Networks, is making training headway, according to an interview with TechTarget. "Training your people is one of the very first lines of defense," said Ryan Giles, CEO of AGJ.
AGJ rolled training into its MSP security service, and goes on-site to train. It also sends out an email with training tips every two weeks.
Another third party, Security Mentor, offers security awareness training which it is looking to sell through MSPs, said Marie White, CEO and president. “We are exploring relationships with multiple MSPs who are looking at including our training as part of their core offering,” White told TechTarget.
Experts suggest that you use several approaches to deliver training. On-site is ideal, but online works as well, as do email lists and pointing clients to websites with crucial resources.
Track and test your training. Here you want to make sure that clients actually completed the work, and then test the effectiveness by tracking breaches, attacks, incursions and incidents. You can also send out quizzes to students to measure what they have learned and what you have left to teach.
Here are some topics to cover:
- social engineering
- resisting malware
- password practices
- use of portable devices
- physical access issues such as care of key cards
- the use of encryption
- how to avoid and recover from a data breach