MSP Community Talks Security Awareness Training, Key Tools

Published: 2024-03-26

In this special edition of Commercial Integrator’s “The Service Desk” column, our editors ask six leading members of The ASCII Group to share their insights on security awareness training. The ASCII Group is, of course, the oldest and largest independent IT community in the world, boasting 1,300-plus MSP members from across North America. Our panelists are Felicia King, vCISO and security architect, Quality Plus Consulting (QPC); Zina L. Hassel, CEO, ZLH Enterprises; Carl de Prado, CEO and founder, A2Z Business IT; Mike Bloomfield, president geek, Tekie Geek; Joshua Liberman, president and founder, Net Sciences, Inc.; and Ron Cotsopoulos, operations manager, Kobus Technologies.

Together, they touch on a range of topics, including how they offer security awareness training, which tools they recommend and whether some clients still prioritize convenience over security. We hope you enjoy the conversation.

Commercial Integrator: Is security awareness training part of what you typically offer — or offer on request — to your clients?

Felicia King: QPC always recommends cybersecurity awareness training with phishing testing/training, dark web monitoring and training, and a company policy distribution and attestation system.

Every single organization’s cyber insurance policy requires security awareness training. It is not legally defensible for an organization to have no cyber awareness system in place, nor is it legally defensible for an organization to have a system that is functioning only in a theatrical way. This means that the system must be good, and all staff must be required — at the HR management level — to have ongoing, weekly participation that is meaningful.

Zina L. Hassel: Although we do not perform this service, we do regularly inform clients and prospects of the absolute importance of cyber security training. I make that distinction because there is also the physical security aspect, which does have an overlap but is oftentimes quite different. The awareness training is also something that many insurance companies are currently requiring.

Carl de Prado: Security awareness training is an integral part of our services. For small businesses, their employees are critical in protecting the company and their clients’ data and livelihood. We are so passionate about it that we offer it by default. Over the last three years, I have trained and educated more than 2,000 professionals on how to prevent costly cyberattacks in their businesses. It keeps in line with our company’s focus on our clients being able to sleep at night, knowing their business environments are protected.

Mike Bloomfield: Yes, security awareness training is a core part of what we offer to our clients. We believe that empowering employees with knowledge and awareness about cybersecurity threats is as crucial as implementing robust technical defenses is. We offer this training both as a standard part of our service package and on request, tailoring the program to suit the specific needs and risks faced by each client. Employees are the weakest link of any security program, so doing everything we can to train them goes a long way.

Joshua Liberman: User training is in our security plan, and that is included on every plan. However, even though it is available to all, at no additional charge, without the commitment of clients’ leadership, it does not gain traction. At best, we see 20% adoption of any training offering.

Ron Cotsopoulos: I feel that this is so necessary to businesses that I offer it in my base package. The first place a breach happens is with the people behind the screen.

Commercial Integrator: What tools or resources do you recommend — or utilize yourself — for security awareness training? Why are those particular tools worth recommending?

King: I am the vCISO of QPC Security, and I am also the incident commander. That means I lead security-breach investigations and response for QPC and clients.

The only thing that meaningfully alters staff behavior at clients is when there is a client company policy advocated and enforced by personnel managers.

The only effective security awareness training platform is one that has [methods to ensure] weekly participation. Phishing testing should be weekly, and training must be weekly. It could be only five minutes a week, but weekly is critical.

I have tested a lot of platforms, but the only one I am satisfied with is Breach Secure Now.

Hassel: We work with several third-party companies — as we don’t provide the service directly. The match of providers to our clients is on a case-by-case basis.

de Prado: We strongly suggest using a mix of interactive e-learning platforms, simulated phishing drills, tabletop exercises and regular updates on new threats as part of your security awareness training. These tools are handy because they have exciting content, realistic models of real-life situations, and the ability to track and measure progress. This makes them suitable for improving people’s knowledge and actions regarding cybersecurity.

Bloomfield: We utilize a number of platforms to provide robust training offerings to our clients. Currently, we are providing phishing simulation training and security awareness training from both ID Agent (Bullphish) and CyberGuard.

Liberman: We have tried six of them now, with uSecure [being] our current player. None has quite the right balance of engaging trainings, useful test phishing, reporting and ease of use [for the MSP], but we keep looking. I also do quarterly trainings for the few sites that allow it in person.

Cotsopoulos: My company has been using Cyberhoot for the past three years. We have instituted it for our own company. The ease of use for both us and our clients is amazing. It is intuitive and easy for my helpdesk to set it up and deploy.

Commercial Integrator: Have the ubiquitous stories about cyberthreats, security breaches and malicious hackers meaningfully altered most clients’ behavior? Or, conversely, are people still opting for convenience over security (i.e., using default passwords)?

King: Each time a client has a credential compromise or incident of some type, we perform a root cause analysis investigation.

Frequently, an issue could have been completely avoided by staff [having had proper security awareness training.]

Companies that fail to mandate weekly training for all staff, and [that fail to] hold all staff accountable to effective, provable participation, will have incidents.

Hassel: Unfortunately, many people still seem to be taking the wait-and-see approach. Not terribly thoughtful, but a non-decision or a decision not to pursue is still a decision.

de Prado: About three-and-a-half years ago, we started to run cybersecurity risk assessments for all our clients. This helped most of our clients become more aware of cyber threats because of how common they are and how likely it is they could fall victim to them. This has made them more engaged in their cybersecurity. It wasn’t 100% adoption; there is still a group of people who put ease and short-term costs over security and operational resistance. We have also seen a rise in cyberattacks and awareness in the last few years. So, that attitude is changing. Hopefully, it will get much closer to 100%. I have been called in on many breaches after the fact, [and what I see is] devastating.

For the most part, most breaches are preventable. [But preventing them] does require a change in the organizational culture. Any clients who do work with us must go through a risk assessment. We need to understand our clients’ businesses better than cyber criminals do.

Bloomfield: Regarding the impact of ubiquitous stories about cyber threats and security breaches, it’s a mixed bag. On one hand, heightened media coverage has certainly raised awareness and made some clients more proactive about their cybersecurity posture. They’re more willing to invest in security measures and training than they might have been a few years ago. On the other hand, there’s still a considerable number of individuals and businesses that prioritize convenience over security. Despite the risks, the use of default or weak passwords remains surprisingly common. And resistance to adopting multi-factor authentication — because it’s seen as an inconvenience — is still an issue we encounter. Changing behaviors and attitudes toward cybersecurity is a gradual process. While progress is being made, there’s still a long way to go.

Liberman: Users are generally more aware and “perform” better, but that is mostly due to them integrating a degree of critical reasoning into their daily actions. Endless stories of cyber doom create “security fatigue,” which works against us as IT security advocates in the long run.

Cotsopoulos: No matter the threats, people will always choose convenience and pricing over security. They generally, as a rule, don’t want to be bothered during their busy day to take five minutes to learn good security/safety hygiene.

Editor’s Note: Check our website archives for prior coverage of security awareness training and The ASCII Group.
