Training Every Employee

As an MSP, one of your many jobs is to keep your clients' networks safe and secure.

Easier said than done, right?

In reality, the job is more about putting the right technical tools, training and processes in place, such that your clients are as safe as you can control. There is always plenty left to human error - from tinkering with firewall settings to clicking on phishing emails to falling for social engineering scams.

The Training Challenge

We're a security awareness training company, and we're going to stay in our lane on this one.

So what happens when a compromise occurs? Post-breach, your client usually looks to their cybersecurity insurance policy to cover the costs of the incident. Insurers are now quick to look at third party providers to see if there were any gaps in service versus contractual obligations.

Security awareness training is all too often one of those gaps.

It’s not because your MSP doesn’t have a training vendor. It’s that it can take a lot of work to make sure it’s in place for every user at every client. And let's be honest, things sometimes slip through the cracks.

Here’s a scenario:

You’ve got 25 clients, including a local paper company called Dunder Mifflin. Naturally, they’re an awesome client, and we love them!

Six months ago Dunder Mifflin added 8 new employees to handle their growth.

But yesterday, one of those eight employees (we’ll call him Ryan) clicked on a phishing email and downloaded ransomware.

Bad news!

You engage your incident response plan and get to work remediating their environment. This isn't your team’s first rodeo, so they do a stellar job, getting the Dunder team back in action within 48 hours.

Unfortunately, there were a lot of costs associated with that remediation, including disclosure of the breach to all clients and government authorities.

The regional manager (let’s call him Michael) contacts his cyber insurance carrier with the damages claim. The insurance company requests a bunch of information, and Michael diligently delivers.

Then there’s a problem.

From Dunder Mifflin’s security awareness training reports, the insurance company notices that the last 8 employee hires were never enrolled in training. It was Ryan, one of those new hires, who caused the breach.

The insurance company now turns its eyes on the MSP, subrogating the claim.

What is Subrogation?

Subrogation is the process in which an insurance company seeks to recover the costs of a claim from a third party who is deemed to be responsible for the loss.

In this case, if the insurance company can prove that the MSP failed to properly train ALL of the client's employees on security best practices, they may seek to recover the costs of the claim from the MSP.

This is brutal.

All the other employees were actively enrolled in training. It was just these 8 users who were somehow missed.

This can be a serious risk for managed services providers, as the potential costs of a subrogation claim are significant. Not only will the MSP be responsible for reimbursing the insurance company for the costs of the claim, but they may also be responsible for covering the costs of any legal fees incurred during the subrogation process.

How do we avoid this?

Automation.

Your best bet is automation throughout the lifecycle:

  • Syncing active users
  • Sending training courses to every user
  • Tracking and re-sending training to users who don’t finish
  • Phishing every employee regularly
  • Tracking and re-targeting risky employees
  • Reporting on every step of the process

If done manually, that's a lot of work. And if it goes wrong, that's a lot of risk.

Fortunately, automation is exactly what INFIMA does.

And the best part - we make it easy with our fully automated Security Awareness Training platform, built for the MSP community.

If you're an MSP and want to learn more, go check out how we work with Partners here. If you like what you see, book a time to chat!

Photo by Husna Miskandar on Unsplash

Disclaimer: our attorneys make sure we remind you that none of the above is legal advice, and all services are governed by our Terms of Service and End User License Agreement. Also, we love you!