How MSSPs Can Use Security Awareness Training to Develop Savvier Clients (and More Revenue)
MSSPs know that the protection provided by even their most powerful and comprehensive security solutions can be quickly undermined by careless or negligent behavior on the part of their clients. User education has always been a core component of an effective security strategy, and with today’s sophisticated cyberattacks, the need for more threat-savvy end users has only grown.
According to Ashley Schwartau of The Security Awareness Company, “Most data breaches that we hear about occur due to the bad guys being able to take advantage of employees who don’t know policy, aren’t security aware enough to think ‘oh this is a moment when I should be following policy,’ aren’t clued in enough to report suspicious activity, or don’t understand why they should care about their company’s security well-being.”
Fortunately, MSSPs can take advantage of an unlikely ally in their efforts to expand Security Awareness Training (SAT) throughout their client base. As regulatory requirements relating to data security become increasingly rigorous and complex, MSSPs have a golden opportunity to apply their expertise and guidance by developing an SAT practice that helps ensure their clients’ compliance—and simultaneously creates another stream of revenue.
While organizations may resent the bureaucratic red tape and time-consuming tasks that are often needed to satisfy governmental and industry regulations, MSSPs who offer SAT can allay that resentment by showing their clients how conforming to security-related regulatory requirements can actually result in significantly improved protection for their organizations.
What’s more, MSSPs with SAT services can help their clients understand and navigate the regulatory requirements that affect their specific business. As can be seen below, the list can be daunting. In this abbreviated version of a guide assembled by Bitsight Technologies, consider the U.S. cybersecurity regulations for seven different industry sectors:
1. Financial: The financial sector has a number of cybersecurity requirements set by federal and state regulators. The most common set of requirements is found in the Federal Financial Institution Examination Council handbook, or FFIEC-IT. That handbook comprises a number of booklets that contain resources and requirements financial institutions are expected to adhere to. There are also a number of different guidance documents that financial regulatory bodies put out.
2. Retail: The retail sector isn’t federally regulated, but it does follow regulations from the Payment Card Industry Security Council’s Data Security Standard (PCI DSS). This group issues security standards that any organization that processes payment cards or holds payment card data is required to follow.
3. Healthcare: The best-known standard for cybersecurity compliance in healthcare is the Health Insurance Portability and Accountability Act. HIPAA establishes cybersecurity standards for healthcare organizations, insurers, and the third-party service providers that medical organizations do business with.
4. Defense: As a condition of providing a service to the U.S. Department of Defense (DOD), businesses must meet cyber requirements set up in the Defense Federal Acquisition Regulation Supplement (DFARS) and Procedures, Guidance, and Information (PGI).
5. Consumer Data: Currently, 47 out of 50 states (and the District of Columbia) have enacted cybersecurity compliance requirements for organizations to notify states about security breaches that compromise customer data. The Federal Trade Commission (FTC) can also penalize organizations for failing to adequately protect consumer data.
6. Insurance: While regulations for insurance departments and companies vary state by state, many have issued requirements to protect consumer information.
7. Energy: The Federal Energy Regulatory Commission (FERC) has the authority to establish cybersecurity regulations over a number of electric utility companies and operators.
In Europe, the upcoming May 2018 implementation of the EU’s General Data Protection Regulation (GDPR) will bring a modernized process (the first in almost two decades) for protecting customer data—and GDPR will impose a significant penalty equaling four percent of an organization’s global revenue if it doesn’t comply with the GDPR’s rules and regulations.
With so many regulatory requirements to contend with, it’s no surprise that demand for SAT services is rapidly growing. According to a 2017 article in CSO, Andrew Walls, research vice president for security, risk and privacy at analyst firm Gartner, estimated the security awareness training market at more than $1 billion in late 2014. That article also cites a report from Cybersecurity Ventures which states that training employees on how to recognize and defend against cyberattacks is “the most underspent sector of the cybersecurity industry—a sector that can be worth $10 billion by 2027.”
MSSPs who have balked at offering user education on security best practices should reconsider the benefits—both to their clients and to their own bottom line—that a formal SAT practice can bring.