October is Cybersecurity Awareness Month, and it’s a good reminder that we all play a role in keeping the digital space safer. All month long, Sherweb is sharing practical ways to reduce risk, from recognizing threats to building better everyday habits.  

You’ve been there: you roll out a security awareness training program for a client, check all the compliance boxes, and a month later, an employee clicks on a phishing link anyway. It’s a frustrating cycle for MSPs who know that even the best technical defenses can be undone by a single moment of human error. 

The truth is, security awareness training is critical, but it isn’t a “one-and-done” solution. With human error being a factor in 74% of all data breaches, according to Verizon’s 2024 Data Breach Investigations Report, a simple annual video just won’t cut it. While employees are often the weakest link in the security chain, they also have the potential to be the strongest defense when properly equipped. 

As an MSP, you’re in a unique position to help clients build a genuine culture of security that moves beyond simply checking a box for compliance. Here are five proven ways to make security training stick and actually reduce risk. 

  1. Make it relevant and role-specific

One-size-fits-all training rarely works because it doesn’t connect with an employee’s daily tasks. When content feels generic, employees tune out and the lessons don’t stick. To make training effective, the content must be tailored to the specific threats employees are most likely to encounter in their roles. 

For example: 

  • The finance department needs to be prepared for sophisticated invoice fraud and wire transfer scams. 
  • The HR team is a primary target for social engineering attacks aimed at accessing sensitive employee data. 
  • IT staff should focus on recognizing credential harvesting attempts and protecting administrative access. 

As their MSP, you can add significant value by helping clients segment their training programs by department or job function. This doesn’t have to be a manual process. Modern platforms that deliver security awareness training for MSPs are designed for this kind of customization. Solutions like Hacware allow you to assign specific training modules based on an employee’s role, ensuring the content is always pertinent to the risks they face.  

  2. Use real-world scenarios and simulations

People learn best by doing. Abstract lessons about security threats are quickly forgotten, but the experience of identifying and flagging a simulated phishing email creates a lasting impression. Regular phishing simulations are one of the most effective ways to build “muscle memory” against real-world attacks. 

These exercises create a “safe to fail” environment where employees can make a mistake, learn from it instantly and be better prepared for the real thing, all without any actual risk to the business. To be effective, simulations should be run regularly, not just during an employee’s onboarding. 

Solutions like Proofpoint offer automated phishing simulations with real-time feedback, so employees know immediately when they’ve clicked on a suspicious link or entered credentials on a fake site. Over time, this kind of practice builds instinct and helps employees spot threats before they become breaches.

  3. Keep it short, ongoing and bite-sized

A single, hour-long training session once a year is a recipe for failure. The “forgetting curve” is steep, and most of that information will be lost within weeks. A much better approach is to deliver learning in small, digestible pieces over time. This method, often called micro-learning, respects employees’ time and helps reinforce security concepts through spaced repetition. 

Think about incorporating: 

  • Short, 5-minute videos 
  • Quick monthly quizzes or security tips 
  • Brief, interactive modules 
  • Timely reminders sent via email or Microsoft Teams 

As an MSP, you can help clients establish a consistent schedule and automate these touchpoints so that learning happens continuously in the background. The result? Better retention, less fatigue and a stronger security culture over time.

  4. Go beyond phishing to manage total human risk

Phishing is a massive threat, but it’s just one piece of the human risk puzzle. Employees introduce risk in other ways, too, such as using weak or reused passwords, storing sensitive data in unsecured locations or failing to follow security policies. A training program that only focuses on email leaves a client exposed in these other areas. 

This is where the real opportunity lies. Effective security awareness training for MSPs involves shifting the conversation from a simple training deliverable to managing a client’s total ‘human risk.’ A human risk management (HRM) platform like usecure consolidates these different areas into a single view. This approach allows you to: 

  • Run dark web monitoring (uBreach) to see if employee credentials have been compromised in third-party breaches 
  • Manage and track security policy acknowledgments (uPolicy) to ensure protocols are understood and followed 
  • Combine training, phishing simulations and policy management in one place to get a complete picture of user risk 

Instead of managing multiple tools, you get a single platform that helps you identify compromised credentials, track policy compliance and deliver targeted training. It’s a more complete way to reduce human risk and show clients ongoing value.

  5. Measure, report and iterate

What gets measured gets managed. To know if your training is working, you need to track key metrics over time. This data is also a powerful tool for showing clients the return on their investment and demonstrating the value you provide. 

Important metrics to track include: 

  • Phishing simulation click rates 
  • Training course completion rates 
  • Quiz scores and knowledge improvements 
  • Policy compliance and adherence to security protocols 

Use this data to identify trends and problem areas. Maybe one department consistently clicks on phishing emails, or a certain type of attack is tripping people up. That’s valuable information you can use to tailor future training and close gaps before they turn into incidents. 

Share these reports with clients regularly. It’s a great way to demonstrate value and keep security top of mind at the leadership level. Treat training as a continuous improvement process. What works today might need to evolve as threats change and your clients’ businesses grow.
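As an added illustration of the measurement step (example code written for this article, not Sherweb's or any vendor's reporting tool), the script below computes per-department click and report rates across phishing-simulation campaigns from a constructed result set, and flags departments whose click rate stays above a threshold in every campaign:

```python
"""Per-department phishing-simulation metrics over several campaigns."""
from collections import defaultdict

# Constructed sample data: (campaign, department, user, clicked, reported).
# In practice this would be exported from the simulation platform.
RESULTS = [
    ("2024-07", "finance", "ana", True, False),
    ("2024-07", "finance", "bo", False, True),
    ("2024-07", "hr", "cy", True, False),
    ("2024-07", "hr", "di", False, False),
    ("2024-08", "finance", "ana", True, False),
    ("2024-08", "finance", "bo", False, True),
    ("2024-08", "hr", "cy", False, True),
    ("2024-08", "hr", "di", False, True),
]


def click_rates(results):
    """Return {campaign: {department: (click_rate, report_rate)}}."""
    # counts[campaign][department] = [sent, clicked, reported]
    counts = defaultdict(lambda: defaultdict(lambda: [0, 0, 0]))
    for campaign, dept, _user, clicked, reported in results:
        c = counts[campaign][dept]
        c[0] += 1
        c[1] += int(clicked)
        c[2] += int(reported)
    return {
        camp: {dept: (c[1] / c[0], c[2] / c[0]) for dept, c in depts.items()}
        for camp, depts in counts.items()
    }


def problem_departments(results, threshold=0.25):
    """Departments whose click rate is >= threshold in every campaign they appear in.

    A department that improves between campaigns (e.g. HR above) is not flagged,
    so this isolates persistent problem areas rather than one-off bad months.
    """
    rates = click_rates(results)
    depts = {d for per_campaign in rates.values() for d in per_campaign}
    return sorted(
        d for d in depts
        if all(rates[c][d][0] >= threshold for c in rates if d in rates[c])
    )


if __name__ == "__main__":
    for camp, depts in sorted(click_rates(RESULTS).items()):
        print(camp, {d: f"click {c:.0%} / report {r:.0%}" for d, (c, r) in depts.items()})
    print("persistent problem departments:", problem_departments(RESULTS))
```

Swap the constructed `RESULTS` list for a CSV export from your simulation platform and adjust `threshold` to the client's target click rate.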

Building a human firewall 

Ultimately, effective security awareness training for MSPs is about more than just helping a client satisfy a compliance requirement. It’s about building a human firewall that actively defends the business. By making training relevant, interactive, continuous and measurable, MSPs can turn their clients’ employees from a potential liability into a first-class security asset.

Ready to help your clients build a stronger security culture? 

Explore Sherweb’s security solutions and find the right tools to make training stick. 

Written by The Sherweb Team Collaborators @ Sherweb