THREE MINUTES a week, plus 45 minutes at the start of every year.
That’s all the time Onetech360 asks its clients to commit to cybersecurity awareness training. Even though that’s a fraction of the time employees, and even the boss, are likely to spend on YouTube or Instagram during a workday, many don’t understand the importance. That’s why Onetech360 works to make security awareness training part of the culture for all our clients.
Our professional services clients, which today are primarily law and accounting firms with 25-75 seats, are in industries that have continual learning requirements or testing for recertifications to make sure their skill sets are up to date and that they’re following the newest laws. Cybersecurity awareness training should fall into a business’s continual learning requirements as well—no matter what industry they’re in.
We know that even with our robust security stack, humans are the weakest link. For smaller businesses in particular, if an employee clicks on a bad website or a bad link, the results can be devastating. As an MSP, it’s our job to not only convey the critical nature of ongoing training, but to build it into our service offering.
When I launched Apontech in 2017 after years of working as the service desk manager for an MSP, and then as director of IT for a real estate firm, I decided to purchase top-tier RMM and PSA tools so we wouldn’t outgrow them. I took the same approach with our security stack. Today, Onetech360 (our rebranded name after merging with another MSP) keeps the security stack modular because we’re always on the hunt for security products that will keep us apace with or ahead of attackers. My partner, Whawenst Duvet, and I want the ability to switch in new solutions easily and transparently, so we don’t disrupt clients. We will not take on clients that are not willing to use the entire cybersecurity stack. We want to redefine managed services!
Vetting Security Vendors
- Price. It needs to fit our modular pricing model, so we can swap it into our stack with minimal effect on our bottom line while increasing value to the client.
- Centralized management. We need one portal to log in to that shows the entire state of all client networks. Product integration into our toolset allows that single pane of glass.
- Effectiveness. We often find that some products start off with a lot of noise, then slowly taper off as system maturity takes place. If a product falls too silent, we poke and tweak in the background to confirm that it is still doing its job effectively.
- Vendor relationship. Are they making a sales call, or are they trying to get to know me and our company? I want to be on a first-name basis so that they fully understand and participate in our culture.
Onetech360 chose PII Protect from Breach Secure Now as our security awareness training platform, which includes templates for computer use policies that you can customize in the training portal. When a user starts a session, if a computer use policy has been updated, they must view and acknowledge it. This is something cyber insurance providers are starting to require. PII Protect also includes phishing simulations, dark web scans, and risk assessments.
Getting buy-in from the users requires a top-down approach from the business owner, who needs to understand that we are not just trying to sell another service. Rather, we have conversations about why he or she needs to be the “chief” of cybersecurity and play an active role in pushing training compliance to all levels of the organization.
Once we set up the training program, we have each user take a 15-minute assessment to evaluate how much they know about good security practices. Then the ongoing training consists of an annual 45-minute class, plus the weekly micro training. These may include phishing emails. If the user clicks on a link, they’ll receive feedback on why it was suspicious, detailing some of the telltale signs.
Our technicians monitor the training portal every week. They’ll do a “soft” reach out via email to those individuals who received low scores, requesting that they take some additional training and including the appropriate links where they can find it.
Once you get the employees past the hurdle of having to learn something new, building the time into their day, or being afraid of getting a question wrong on a test, they begin to understand it and adopt best practices. We know we’ve reached the tipping point when they start forwarding us emails with a message of “This looks like spam” or “This looks like social engineering.” We know they “get it” when they use the correct terms. It’s a beautiful thing!
And I can sleep a little better at night.