10 Steps to Implementing Security Awareness Trainings as an MSP

Zach DeMeyer
January 25, 2024

As cyber threats continue to increase in both severity and volume, fostering a culture of security awareness is crucial. Employees are the first line of defense against most security risks such as phishing attacks, malware, social engineering, and more.  

  • The average cost of a security breach is $4.35 million dollars1
  • 83% of organizations have had more than one breach1
  • Business Email Compromise attacks cost US victims more than $2.7 billion in 20222
  • 85% of data breaches were due to the "human element"3
  • 59% of employees are not fully confident they could identify a social engineering attack4  
  • 3.4 billion phishing emails are sent out daily5

Implementing effective security awareness training is essential for MSPs to safeguard their clients' sensitive data and mitigate cyber threats. These trainings raise awareness about multiple security risks and educate employees on security best practices for maintaining strong passwords, identifying suspicious emails, and practicing safe online behavior.  

By educating employees and fostering a security-conscious culture, MSPs will:  

  • Strengthen their clients' cybersecurity posture
  • Reduce the likelihood of successful cyberattacks
  • Safeguard sensitive information
  • Mitigate potential financial and reputational damages

Here are ten steps to help MSPs successfully implement security awareness trainings:

Step 1: Assess client requirements

  • Understand clients' cybersecurity needs and compliance obligations.
  • Identify specific training topics and focus areas based on their industry and risk profile.

Step 2: Develop a training strategy

  • Outline a comprehensive training plan that aligns with clients' goals and objectives.
  • Define the scope, delivery methods, and target audience for each training module.

Step 3: Customize training content

  • Tailor training materials to address clients' unique risks and organizational policies.
  • Incorporate industry-specific examples and real-world scenarios to enhance relevance.

Step 4: Select engaging training methods

  • Utilize interactive and immersive training approaches such as simulations, quizzes, and gamification.
  • Leverage multimedia resources like videos, infographics, and case studies to enhance learning.

Step 5: Implement phishing simulations

  • Conduct simulated phishing campaigns to test and improve employees' ability to identify phishing attempts.
  • Provide immediate feedback and training for individuals who fall victim to simulated phishing attacks.

Step 6: Promote continuous learning

  • Encourage employees to pursue ongoing education and certifications in cybersecurity.
  • Foster a learning culture by providing access to relevant resources, webinars, and industry events.

Step 7: Establish metrics and assessment criteria

  • Define measurable metrics to track the effectiveness of security awareness trainings.
  • Conduct regular assessments and surveys to gauge knowledge retention and behavioral changes.

Step 8: Foster a security-conscious culture

  • Lead by example and ensure that management actively promotes and participates in trainings.
  • Encourage open communication channels for reporting potential security incidents and concerns.

Step 9: Regularly update training materials

  • Stay up to date with the latest cyber threats and trends to keep training content relevant.
  • Revise and enhance materials periodically to address emerging risks and new attack vectors.

Step 10: Provide ongoing support and reinforcement

  • Offer continuous support to clients through follow-up sessions, workshops, and Q&A sessions.
  • Provide resources such as security checklists, best practice guides, and incident response templates.

Implementing security awareness trainings as an MSP is a crucial step in strengthening clients' cybersecurity defenses. With these ten steps, MSPs will help their clients develop a security-conscious culture, reduce human error, and strengthen overall resilience against cyber threats. By investing in security awareness, MSPs can position themselves as trusted partners in protecting client data and fostering long-term relationships.  


  1. https://www.ibm.com/downloads/cas/3R8N1DZJ  
  2. https://www.csoonline.com/article/3700312/5-key-steps-to-push-back-against-business-email-compromise.html#:~:text=In%20its%202022%20Internet%20Crime,BEC%20attacks%20are%20more%20subtle.  
  3. https://www.verizon.com/business/en-sg/resources/reports/dbir/
  4. https://www.techtarget.com/searchsecurity/infographic/7-security-awareness-statistics-to-keep-you-up-at-night
Stay up to date

Subscribe to receive the latest insights, news, and updates from Todyl.

Additional reading

Threat breakdown: Remote access and credential dumping
5 key elements of effective MDR providers: Beyond just detection and response
Streamlining zero trust security with JumpCloud and Todyl

Todyl updates

Sign-up to get the latest from Todyl sent straight to your inbox.