Many managed IT providers believe that, no matter how hard you train the end users, they will still click the links, download the malware, provide account information, or simply send corporate money to the malefactors. End-user training is, indeed, not a panacea. However, it aims to decrease the chances of a successful attack or intrusion.
And, believe it or not, it will decrease them. In this end-user training guide, we will look at the areas you can and should train your users in and whether or not you should do it yourself.
Why End-User Training Is Essential
There are two main reasons behind end-user training. On the one hand, there is the obvious need to educate users in order to enhance corporate security. On the other hand, the more your users understand about the IT environment they work with, the less work you have to do daily as an MSP. Don't get us wrong, though; there is no one course that will cover every case. We will discuss possible training courses later in the article.
The security standpoint is somewhat obvious, and yet some MSPs fail to recognize the dangers of having uneducated users. So, here are the statistics:
- According to Verizon, 43% of data breach victims are small businesses. In other words, no client or company is too small for attackers.
- Varonis found that 53% of companies have over 1,000 sensitive files accessible to every employee. On the one hand, that's an issue for companies that fall under some sort of compliance. On the other hand, it is also a huge security hole. Why? Imagine that an employee gets hit by ransomware. What will happen to the sensitive data then? Correct; it will be encrypted, which is, in terms of any compliance, a data breach.
- According to IBM, 24% of data breaches are caused by human error.
Fewer User Requests
Apart from security, there is the other side of end-user training: the educational one. As a managed IT provider, you install and maintain IT solutions aimed at boosting your client's business efficiency. However, while some solutions are destined to stay hidden and be maintained by your tech team, others will be accessed by end users on a daily basis: multi-factor authentication (MFA), email and file-sharing, printers and copiers, to name but a few examples.
If the users are neither trained nor have educational resources, they will bury you in level-1 support requests.
End-User Training Programs
Below, we list the most popular end-user training programs that many MSPs provide. But what should be included in a typical training course?
- A presentation or a video recording, with you, your team member, or a hired professional as a trainer.
- Follow-up materials. These can include written or video guides, articles to read through, infographics, etc.
Remember that a training program is not a "send-it-and-forget-it" type of activity. Check your customer's end users' knowledge and provide additional presentations at least once a quarter to refresh that knowledge. That will show your client that you provide them with a quality, thought-through service, and also reduce the number of security incidents and support requests.
Training Program Examples
So, what kind of MSP training programs are there?
- MSP solutions know-how. We have already mentioned that if you train your users to use your services correctly, you will lower the number of support requests and user-based failures. This end-user training is typically included in the client onboarding process free of charge. In the event that your client needs more training sessions, bill them according to your hourly rate.
- Basic security training. Many end users are not familiar with, or do not care about, basic security considerations. (Things like sharing their passwords or working from open Wi-Fi networks without a VPN are already a joke among the IT crowd, and yet the huge majority of successful data breaches happen as a result of such obvious issues.)
- Anti-phishing training. Verizon has found that 90% of malware comes from phishing emails, which is why it is necessary to provide separate training on anti-phishing practices. Educate your users on types of phishing and the most common hooks used by malefactors. It is also good practice to perform a phishing test scenario from time to time for all your client's users.
- Compliance training. If you are working with companies from the financial or healthcare sectors, your clients fall under strict compliance requirements that govern the way IT security and data flows should be managed in the organization. If a company fails to comply with the legislation, it will be fined. If there is a data breach, there is a good chance that you, as an MSP, and the company will be fined. So, you should both prepare your client's infrastructure for compliance audits and train users to manage sensitive data correctly.
End-User Training Outsourcing
End-user training materials should be thought through and constantly revised, and the training sessions themselves should be repetitive if you want to reach the hearts and minds of your users. That means you need to dedicate time and money to develop them.
If you don't have time, you can spend more money and outsource it. Outsourcing companies typically specialize in security (Breach Secure Now, defendify.io, KnowBe4) or compliance (HIPAA Secure Now, Compliancy Group). These companies will provide you with presentations, videos, posters, and, depending on the package you buy, penetration and phishing simulation testing.
With the constant rise in phishing scams, malware attacks, and the number of different services and solutions that end-users need to work with, it is obvious that end-user training sessions are essential to a modern managed IT provider’s offering. It only remains for you to define whether you will provide the training yourself or outsource it.