In the past year, global ransomware debilitated entire sectors of some countries’ economies. Equifax was breached, exposing more than 140 million records. Yahoo owned up to losing control of 3 million users’ data. So, it’s no surprise that the cost of cybercrime has steadily risen each year for the past two years, to an average cost of $11.7 million per business.
According to the research firm Gartner, untrained users click 90 percent of links within emails from addresses outside the enterprise, resulting in 10,000 malware infections. By their calculations, the infections led to an overall productivity loss of 15,000 hours per year, which, at a cost of 15,000 times $85 (average wage), equals $1,275,000 in losses. Verizon's annual Data Breach Investigations Report backs up Gartner's findings, pinning 90 percent of successful network breaches on users taking the bait in phishing attacks.
But cybercrime and its associated costs can be reduced when end users are trained to be their employers’ first line of defense. Security awareness training results in reduced risk, businesses that are better protected against breaches, and more profitable MSPs.
Beyond the fast facts cited above, here are some tips for selling security awareness training as an add-on service to clients, helping you expand your business and widen margins.
1. Sell Outcomes, Not Products
Though cybersecurity is a hot issue in business today, many small- and medium-sized organizations don’t invest in security until it’s too late. What’s more, they tend to focus on security technologies and underestimate the power of the “human firewall.” Most security breaches are the result of human error, and security awareness training can be the single most impactful practice for decreasing this risk. MSPs selling the reduced-infection outcome should start with security awareness training as the best defense against threats.
2. Be the Key to Compliance
In many sectors, security awareness training isn’t just smart business. It’s required by law. Financial services, healthcare, energy, and others require end user education on at least an annual basis. Depending on the industry, organizations face stiff fines for neglecting compliance training. Plus, with the General Data Protection Regulation (GDPR) coming into effect this week, security awareness training will be necessary for compliance for all companies holding data in the European Union. For these prospects, security awareness training may be an imperative, not an option.
3. Prove the Need with Phishing Simulations
Phishing attacks are the number one cause of data breaches worldwide, and 1.4 million new phishing sites appear each month. This stat becomes even more alarming when you consider how large a percentage of employees fail their company’s first phishing simulation. In fact, failure rates are typically around 18 percent, but this number can be significantly reduced through training. When you offer free phishing simulations, the value of security awareness training becomes abundantly clear to prospects, at practically no cost to you.
4. Know the Business Model
Many MSPs offer security awareness training as an add-on paid service, since the proven value of security awareness as an additional layer of defense against breaches is so high. Others are including end user education as a standard component of their bundled security offerings, alongside endpoint security and patching services. With this pricing model, MSPs calculate that the savings from dealing with fewer incidents and service calls after customers have begun leveraging training courses and phishing simulations can actually improve the profitability of their offerings. In either model, both MSPs and their customers win.
5. Nurture Customers and Prospects
For prospects and customers who haven’t adopted security awareness training, place them into lead-nurture programs that provide steady alerts on the latest threats, and reinforce the value of training to combat them. Email drip campaigns and newsletters are ideal materials that keep your business top-of-mind for when prospects are ready to commit to an overarching cybersecurity strategy.