Seán Morris, Chief Technology Officer at TitanHQ, discusses the importance of security awareness training for MSPs, and which key features to look out for.
Seán Morris is the CTO and CISO at TitanHQ, a leading provider of cybersecurity solutions for businesses and MSPs. Morris runs all aspects of TitanHQ’s technology and product stack, as well as being responsible for running TitanHQ’s own security strategy. In his own words he “lives, breathes, eats and sleeps security”, delivering it for TitanHQ’s customers and for their own internal processes.
TitanHQ was founded in 1999 and currently secures over 8,500 businesses and over 2,500 MSPs across 150 countries. Its customers range from global players such as Datto, Pepsi, and Virgin Media to small businesses and MSPs. TitanHQ offers a range of security solutions for these customers: email security (SpamTitan & SpamTitan+), email archiving (ArcTitan), web content filtering (WebTitan), and email encryption (EncryptTitan).
In February 2022, TitanHQ acquired Cyber Risk Aware, a cybersecurity awareness training provider that has since been rebranded as SafeTitan and offers cybersecurity training content, quizzes, and phishing simulations. While the security awareness training space is an increasingly crowded market, SafeTitan is differentiating itself with a core focus on MSPs, a community for which security awareness training has unique importance.
In this interview for Expert Insights, Morris covers why security awareness training is so important for MSPs, what features an awareness training solution should include, and his advice for MSPs when considering awareness training options. This interview has been edited for clarity and length.
As a CISO yourself, broadly speaking why would you say security awareness training is so important for organizations? What threats can these campaigns help to prevent?
Think back over the last five or ten years. The stakes have just gone up so fast, so quickly in the cybersecurity space. Everybody uses email – it’s just a given, right? It’s part of everybody’s attack surface, there’s no getting away from it. There’s no substitute for email, no matter what anyone says. And every email account is ultimately at risk from a phishing attack. Cybercriminals don’t particularly care if you’re a big business or a small business anymore.
I think it’s common knowledge that phishing is the number one attack vector because it’s so easy. It’s easy to phish. With the other attack vectors, zero-day for example, you need to be extremely technically competent. Obviously, there is plenty of opportunity for that, and we’re very aware of those threats, but phishing is the easiest, entry-level way to do it.
Attacks and defenses are always evolving. We’re evolving what we offer in terms of defense, cybercriminals are evolving the sophistication of their phishing attacks and their social engineering, and more recently they’re figuring out how to circumvent MFA, which is a very worrying development and a very sophisticated attack mechanism.
All this means is that the final line of defense comes back to the individual, every single time. You can put everything in place, and it can be very effective. But it only takes one email to get through to one person who is not aware of the threat and is not on the top of their game that day. That’s a really serious situation for that business.
Ultimately, security awareness training is important because when that happens, you need to make certain that person makes the right call. That they don’t click the link, and they don’t share credentials. That they ask questions, get someone else to look at it, and do whatever they need to do to protect their business. Security awareness training is so important because it encourages people to be curious about what they see in front of them, to ask the right questions, and not just blindly and instinctively click, but do the right thing.
Why is it important for MSPs in particular to be offering security awareness training as part of their security stack for clients? What benefits do MSPs see when offering a security awareness training platform?
Ultimately MSPs are responsible for the tech stack of their customers. And if you’re responsible for the tech stack, you’re implicitly – or explicitly depending on how you want to look at it as an MSP – responsible for security as well.
It’s a well-recognized fact that security awareness training is a key ingredient of a well-prepared, well-implemented security strategy. So, in terms of benefits for MSPs, what we hear from them is that there are tangible results from security awareness training. When you run a phishing-simulation campaign for your customer, the results are tangible: you can see who clicked the simulated phishing emails, and how many people were taken in.
It gives you a real sense of how strong or weak the last line of defense is in the organization. Any CISO that looks at that data for their company, any CEO, will want to look at that data to see if they are in a good place, or whether, if it were a real phishing campaign, they would be in a very bad place. That’s a powerful incentive for an MSP. Not just for running one campaign, but to see the trends. Are you moving in the right direction? Are we creating awareness?
I also think there’s an opportunity for MSPs to move into this space just by virtue of their very deep expertise in technology and security in general. To be able to provide training in implementation to their customers and provide additional best practices and insights as to how to take that data and make it real, and impactful for the business to strengthen that last line of defense.
How can MSPs make sure that when organizations implement security awareness training, users are actually engaging with the content and security behaviors are improving?
Creating a feedback loop for the customer and for the end users is really important and gamification is also important. Giving the end user a chance to get feedback on how they’re doing, through quizzes or giving them recognition when they report simulated emails. That’s really important as well. When it comes down to it for me, for the MSPs to influence this space they need to outline the best practices for the customer and help them get value from the technical implementation. That’s a really key thing.
The simple one that’s true for so many things, not just in this space but generally, is making the data visible and highlighting trends. Is the organization getting better? Are departments within the organization getting better? Why did more people click email lures this month vs last month, and what does that tell you about what your organization thinks about certain things? It’s great to try out different types of campaign and assess which types of threat represent a bigger concern to the organization.
The other thing that is really important is leadership within organizations and giving real airtime to cybersecurity and its importance to the business. The risk that we see with cybersecurity training, and I think everyone, in reality, has experienced this, is that people will do the training, but will they engage with it properly? Will they actively consider it?
Recent stories in the media are also a great way to bring this topic to the forefront of everyone’s mind. There’s no shortage of material for company leaders to bring to the table and help everyone to understand this isn’t some abstract risk. It’s the difference between us continuing to trade as a business, or as an organization to continue doing what we’re doing.
All organizations owe it to themselves to create the space in their agenda and in their communication with their staff to put this front and center. I personally do this all the time on my team and our tabletop exercises are driven by what is going on in the world today and asking if we are ready for it.
MSPs, who have got a broader vista and visibility than any one business, can add a ton of additional value to their customers here. Tracking the progress is great, sharing it across your organization is powerful, but articulating the power of better cybersecurity to your business, all of your employees, and all of your customers as an MSP is the most important thing.
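The answer above calls for making campaign data visible and tracking trends per department. The following is an added example, not code from the original interview or from SafeTitan, showing how an MSP might turn raw phishing-simulation results into exactly those figures: per-campaign, per-department click and report rates, repeat clickers, and departments whose click rate rose between the two most recent campaigns. The campaign names, user names and departments in `SAMPLE` are constructed for illustration.

```python
"""Phishing-simulation campaign metrics (added example; constructed data)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Result:
    campaign: str      # campaign identifier, here "YYYY-MM" (constructed)
    user: str
    department: str
    clicked: bool      # user clicked the simulated lure
    reported: bool     # user reported the simulated email


# Constructed results for two monthly campaigns across two departments.
SAMPLE = [
    Result("2023-04", "alice", "finance", True, False),
    Result("2023-04", "bob", "finance", False, True),
    Result("2023-04", "carol", "finance", False, False),
    Result("2023-04", "dave", "engineering", False, True),
    Result("2023-04", "erin", "engineering", False, True),
    Result("2023-05", "alice", "finance", True, False),
    Result("2023-05", "bob", "finance", True, False),
    Result("2023-05", "carol", "finance", False, True),
    Result("2023-05", "dave", "engineering", False, True),
    Result("2023-05", "erin", "engineering", False, True),
]


def rates(results):
    """Return {campaign: {department: (click_rate, report_rate)}}.

    Rates are fractions of emails sent to that department in that campaign.
    """
    sent = defaultdict(int)
    clicks = defaultdict(int)
    reports = defaultdict(int)
    for r in results:
        key = (r.campaign, r.department)
        sent[key] += 1
        clicks[key] += int(r.clicked)
        reports[key] += int(r.reported)
    out = defaultdict(dict)
    for (campaign, dept), n in sent.items():
        out[campaign][dept] = (clicks[(campaign, dept)] / n,
                               reports[(campaign, dept)] / n)
    return dict(out)


def repeat_clickers(results, min_clicks=2):
    """Users who clicked in at least `min_clicks` campaigns (targeted training)."""
    counts = defaultdict(int)
    for r in results:
        if r.clicked:
            counts[r.user] += 1
    return sorted(user for user, n in counts.items() if n >= min_clicks)


def worsening_departments(results):
    """Departments whose click rate rose between the two most recent campaigns.

    Campaign identifiers sort chronologically because of the YYYY-MM format.
    """
    by_campaign = rates(results)
    campaigns = sorted(by_campaign)
    if len(campaigns) < 2:
        return []
    prev, last = by_campaign[campaigns[-2]], by_campaign[campaigns[-1]]
    return sorted(d for d in last if d in prev and last[d][0] > prev[d][0])


if __name__ == "__main__":
    for campaign, depts in sorted(rates(SAMPLE).items()):
        for dept, (click, report) in sorted(depts.items()):
            print(f"{campaign} {dept:12s} click={click:.0%} report={report:.0%}")
    print("repeat clickers:", repeat_clickers(SAMPLE))
    print("worsening:", worsening_departments(SAMPLE))
```

Report rate is tracked alongside click rate because the behaviour the interview wants to encourage is reporting, not merely not clicking; a department with a falling click rate but a flat report rate has learned to ignore lures, not to escalate them.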
With that in mind, what are the most important features that MSPs should be looking for in a security awareness training solution?
There are some table stakes items here. The training content, quizzes, phishing simulation lures, and the richness of the content is fundamental. We have certainly put a ton of emphasis on the product in that regard. We have an in-house dedicated instructional design team because we think it's worth investing in ourselves to make certain that training is on-target, constantly up to date, and tied to the world we're in, not what the world was two years ago. That’s the key pillar.
From the point of view of specifics for MSPs, it comes down to the stuff we have focused on in our recent releases. MSPs are a very time-crunched bunch of people that run businesses and serve an enormous number of customers who have many, many end users. They want to get the most impact and the most improvements to security for customers, but at the same time, the more work is involved, the poorer the outcome will be.
So, we have heavily emphasized [the features] in the SafeTitan product that MSPs need to actually be really efficient. For example, if we directly inject the email into the inbox, you don't have to worry about whitelisting or building tons of complex rules to make certain that the phishing simulation emails will get to the end user. We just go straight in, past all of that, so it is super easy to set up. In fact, you have to set it up as part of its onboarding; it's two clicks, and you're done.
We’re able to segment your customers into groups. If you want all your customers in one big group, no problem. Obviously MSPs come in all shapes and sizes, and we've taken that into account as well. But the ability to actually run those campaigns for one or more groups of customers, at whatever frequency you want, whether it's training or phishing, is a really powerful tool for the MSP to consider.
And I think the other thing we're doing in general across our products is a major investment in the user experience, driven by our MSP-first strategy. Ease of administration really is the number one priority for MSPs. We allow an MSP to do their most important tasks quickly without having to trawl through myriad dropdowns, because they need to be able to get these tasks done with just a few clicks, then move on to the next thing. That’s the design philosophy that underpins SafeTitan and all of our products. It’s a key thing from the MSP perspective.
Another feature of SafeTitan, that I think is important to call out, is that we deliver training at the point in time that the person clicks the phishing lure. So, if you are unfortunate enough for whatever reason to engage with a phishing simulation that we send out, we don’t wait for a point in the future to train you on something you’ve forgotten about. We actually send you the training now. And there’s a very good reason for that: when you click a phishing link, you’re going to feel unhappy you’ve been tricked. And that’s the psychological window to give someone a very short and very targeted piece of training, where we can educate people and impact behavior.
What final advice would you give to MSPs who are considering a security awareness training solution, what’s the best place to start when considering the options on the market?
There are several criteria for MSPs to consider, and there are a few that really stand out in my mind when starting the journey to select an awareness training solution. As I mentioned, MSPs are busy, they’re time-crunched. So, you want something that’s easy to administer, quick to demonstrate value, and drives outcomes for your customers without much overhead.
And you shouldn’t have to feel guilty about that; it shouldn’t be a tradeoff. It should be all the benefits without additional work to achieve them. Those, I would certainly say, are the key criteria for MSPs to consider.
It’s also key to select a solution that recognizes MSPs are dealing with multiple customers and they may have different needs, you may even have different segments with differences in how you deal with them from a commercial perspective. Making it easy to manage that environment is also really important. And of course, ease of setup, so taking on new business is easy, and avoiding having to deal with whitelisting and rules is critical.
But as I mentioned earlier, there’s also a big opportunity for MSPs to contribute as knowledge leaders in this space. I know from talking to hundreds of MSPs at this stage that there really is value to the partnership they create with their customers. It’s not just the base provision of a service, it’s about building trust and becoming long-term partners in the business’s success by providing great technical support and guidance.
I think this is a great example of where an MSP can have a huge impact in how they guide their customers in the journey of security in general, and specifically in how they can use security awareness training to really enhance the overall security posture. I think that’s the biggest takeaway: it’s a really big opportunity for MSPs.