How this MSP protects client data, profitability with security awareness training
Fewer trends in cybersecurity have impacted organizations more than the addition of IoT devices to the business IT environment. Once neatly defined, today’s security perimeter now expands past the physical office into employees’ personal devices and home networks — and the team at Fluid Networks has taken note.
A managed service provider (MSP) based out of Camarillo, California, Fluid Networks provides a full spectrum of business IT, communications and security solutions. The company has evolved alongside the industry since the early 90s, including keeping pace with the vanishing security perimeter.
“When I first came to Fluid Networks, we followed a per-device pricing model,” said Damian Stalls, vCIO Director. “But about three years ago, we started to notice most clients’ employees used multiple devices — sometimes three or four machines. As an MSP, we needed to cover every device, which meant shifting our business strategy to an all-in-seat pricing model.”
Fluid Networks needed to protect their clients’ data, regardless of what devices accessed the network from where. That also meant they needed to prepare their clients’ employees for the types of security threats they might face at work — or at home — with security awareness and training from Infosec IQ.
Maximizing uptime with Infosec IQ security awareness and training
“Pricing at Fluid Networks is based off of the individual user,” said Damian. “We don’t care if they’re at home, we don’t care if they’re on vacation and we don’t care if they have six machines in the office. It doesn’t really matter. We’re supporting that employee and our customers appreciate that.”
Following a needs-based approach, Damian and his team established a new pricing model that included the services and products clients needed to protect their systems and data at a flat rate.
“When we started looking for a security awareness training solution, we knew our clients wouldn’t immediately understand the value,” said Damian. “We also knew they would push back if they had to pay extra for it. I advocated for adding training as part of our all-in-seat price because I knew it would benefit us and them at the same time.”
With employees accessing sensitive data at the office, on the road and at home, Damian knew security awareness training would reduce risk for both Fluid Networks and their clients. Less incidents and downtime meant the Fluid Networks team spent less time servicing each account, while also limiting productivity losses onsite. This was especially important with their new all-in-seat pricing model.
“Cleaning up a malware infection can take hours and multiple personnel, said Damian. “Since adding Infosec IQ into our service offering, we’ve had fewer infected machines, which helps protect our margins.”
Damian personally manages the security awareness and training programs for Fluid Networks’ clients. “Every two weeks, we send out about 2 minutes of training to our clients. As long as they don’t fail a phishing simulation, I don’t ask them to take quizzes — just to spend a few minutes a month completing the training. If they do fail a phishing simulation, we layer on a little more training, followed by a short quiz to make sure they understand what we are trying to teach them.”
If a client elects to opt out of the training and later experiences a preventable incident like a ransomware infection, emergency service fees apply. This strategy helps Damian and his team assign clear value to the training program and keep their margins — and their clients’ data — secure.
“Our clients appreciate the fact that as their IT partner, we take an interest in their productivity and want to keep them as protected as possible,” said Damian. “And they also appreciate we’ve built an entire training program for their employees without raising their prices.”
Leveraging data to optimize results and drive behavior change
Damian sends monthly reports to each client outlining which employees completed training, individual phishing rates and overall organizational performance. He also makes recommendations for future training based on learner behavior summarized in each report. “If one employee gets phished multiple times, I’ll make recommendations on who managers should talk to or what we may need to do to get the employee to change their behavior,” Damian said.
If needed, Damian will work through managers at a client’s location to drive the results he wants to see, sometimes even sitting in on meetings to reinforce training and what employees should be looking out for. Damian also sends a newsletter in advance of each training to prepare learners for what’s coming next.
“We send newsletters the week before the training is released that tells learners what’s coming up, reinforces their previous training and reminds them what they need to be looking out for in terms of security.”
Next, Damian plans to add social proof to those same newsletters to engage more employees in the training. “We plan to share each organization’s overall training score in their newsletter,” said Damian. “If a particular organization is struggling to complete training or identify phishing emails, we hope this transparency will rally employees around completing the training and improving their team’s score.”
Why Infosec IQ?
While security awareness and training is a newer initiative at Fluid Networks, it’s not something Damian and his team take lightly.
“Before we signed with Infosec, I spent about eight months evaluating 20 different platforms,” said Damian. “Each vendor had different advantages, but we selected Infosec IQ because of the overall feature set and how it’s continually enhanced.”
This diligence and dedication to providing clients with an effective solution is already paying off. “We’ve been able to identify our clients’ most vulnerable employees — those who were getting phished the most often,” said Damian. “And we’ve seen those same users get smarter and stop falling for phishing simulations.”