These 40-plus figures show where human risk matters most and where MSPs should focus training, detection, and policy controls to reduce breaches.
Phishing is still the leading initial attack vector for data breaches and compromises. A significant share of incidents trace back to phishing or malicious email links, so simulated phishing campaigns should be a routine tool in every MSP toolkit. Combine email filtering, link protection, and user training to reduce click rates. Track click-throughs and remediate repeat clickers with targeted coaching. Report and response workflows must be simple so users report suspected messages rather than ignore them.
A surprisingly high percentage of workers never get formal security awareness training. When staff lack baseline training, common phishing and social-engineering tricks succeed more often. MSPs should inventory client training coverage and prioritize onboarding for untrained groups. Short, practical modules delivered frequently outperform long annual sessions. Use metrics like completion rates and simulation results to measure progress.
Many organizations report that existing training is outdated, especially for new AI-driven phishing and deepfake risks. Training must be updated to cover business email compromise, synthetic voice scams, and targeted social engineering. MSPs should recommend adaptive lessons that reflect current threat trends and real incident examples. Regular refreshers—quarterly or monthly microlearning—help reinforce new attack patterns. Combine training with technical detection and blocking controls for best results.
Yes — a small minority of employees often accounts for a large share of risky clicks and credential exposure. Focusing remediation on high-risk users yields faster risk reduction than blanket approaches. Identify repeat offenders through simulation data and offer personalized coaching and stricter controls where needed. Consider temporary access restrictions or multifactor authentication enforcement for persistent risk profiles. Document improvements to show ROI to clients.
Short, regular training beats a single long session. Many organizations consider one to two hours of total training time a reasonable allotment for recurring awareness, split into micro-lessons. Aim for brief modules (5–15 minutes) that fit into employees’ workflows and reinforce behavior frequently. Measure knowledge retention with quizzes and follow-up simulations. Use analytics to adjust frequency and content based on user performance.
Yes — new employees are often more vulnerable in their first months on the job. Without proper onboarding and phishing simulations, new hires click malicious links at higher rates than experienced staff. Make security onboarding mandatory and include real-world tests during the first 90 days. Pair new hires with mentors who model safe practices and make reporting easy. Early intervention reduces long-term risk exposure.
Many users delete suspicious emails instead of reporting them, which slows detection and response. Encouraging a report-first culture helps SOCs spot targeted campaigns and emerging threats faster. Simplify the reporting process (one-click reporting integrated with mail clients) and acknowledge reporters to reinforce behavior. Analyze reports to spot campaigns and update defenses quickly. Reward or recognize timely reporting to build positive habits.
Insider risk is often fueled by a lack of awareness and weak processes rather than by malicious intent alone. A notable share of security pros cite inadequate training as a primary driver of insider incidents. Strengthen policies around data handling, least-privilege access, and credential hygiene. Combine training with monitoring for anomalous behavior and strong access controls. Regular audits and clear exit procedures reduce accidental exposures.
Yes — password hygiene remains critical, though rotation policies should be balanced with usability. Encourage strong, unique credentials and promote password managers and MFA to reduce reliance on rotation alone. When rotation is needed, automate reminders and simplify the process to avoid risky workarounds. Training should explain why good password practice matters and how to use tools securely. Enforce policies where critical systems are involved.
Use a mix of metrics: simulation click rates, remediation time, completion percentages, and incident counts. Relying on a single metric (like quiz scores) misses behavioral risk shown in real-world tests. Track trends over time to see whether interventions reduce clicks and improve reporting. Segment metrics by role, location, and hire date to target weak areas. Report outcomes to clients to demonstrate the value of awareness programs.
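The segmented metrics above, the repeat-clicker identification described earlier, and the 90-day new-hire window are straightforward to compute from raw simulation results. The following is an added example (not Palisade's code or part of the original article); the roster, campaign events, and the two-campaign repeat-clicker threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed HR roster (assumption): user -> (role, hire_date)
ROSTER = {
    "alice": ("finance", date(2023, 1, 9)),
    "bob": ("finance", date(2024, 5, 20)),
    "carol": ("engineering", date(2022, 3, 1)),
    "dave": ("engineering", date(2024, 6, 3)),
    "erin": ("sales", date(2021, 8, 16)),
}

# Constructed simulation results: (campaign_id, user, send_date, clicked, reported)
EVENTS = [
    ("c1", "alice", date(2024, 6, 10), True, False),
    ("c1", "bob", date(2024, 6, 10), True, False),
    ("c1", "carol", date(2024, 6, 10), False, True),
    ("c1", "dave", date(2024, 6, 10), True, False),
    ("c1", "erin", date(2024, 6, 10), False, False),
    ("c2", "alice", date(2024, 7, 15), True, False),
    ("c2", "bob", date(2024, 7, 15), True, False),
    ("c2", "carol", date(2024, 7, 15), False, True),
    ("c2", "dave", date(2024, 7, 15), False, True),
    ("c2", "erin", date(2024, 7, 15), False, False),
]

NEW_HIRE_DAYS = 90  # the article's "first 90 days" onboarding window

def rate_by_segment(events, key):
    """(click_rate, report_rate) per segment; key maps (user, send_date) -> label."""
    sent, clicked, reported = defaultdict(int), defaultdict(int), defaultdict(int)
    for _, user, sent_on, was_clicked, was_reported in events:
        seg = key(user, sent_on)
        sent[seg] += 1
        clicked[seg] += was_clicked      # bools add as 0/1
        reported[seg] += was_reported
    return {s: (round(clicked[s] / sent[s], 2), round(reported[s] / sent[s], 2)) for s in sent}

def by_role(user, _sent_on):
    return ROSTER[user][0]

def by_tenure(user, sent_on):
    """Was the user still inside the new-hire window when the lure was sent?"""
    return "new_hire" if (sent_on - ROSTER[user][1]).days <= NEW_HIRE_DAYS else "tenured"

def repeat_clickers(events, threshold=2):
    """Users who clicked in at least `threshold` distinct campaigns (coaching queue)."""
    hits = defaultdict(set)
    for campaign, user, _, was_clicked, _ in events:
        if was_clicked:
            hits[user].add(campaign)
    return sorted(u for u, c in hits.items() if len(c) >= threshold)
```

Running it on the constructed data shows finance and the new-hire cohort clicking far above the rest while engineering reports most lures, which is exactly the segmentation that points coaching and technical controls at the right groups.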
Leadership endorsement is essential — employees follow tone from the top. When C-level and managers participate in training and model secure habits, adoption improves across the organization. Encourage leaders to communicate expectations and make time for awareness activities. Include leaders in metrics reviews to ensure accountability. A culture that treats security as a shared responsibility is more resilient.
Focus on high-risk groups and repeat offenders first; targeted programs deliver the fastest return. Use phishing simulation data and role analysis to find the teams that handle the most sensitive data. Apply stronger technical controls where training gaps persist, such as blocking risky file types or enforcing conditional access. Gradually scale broad training once high-risk vectors are mitigated. Track ROI to justify further investment.
Palisade helps MSPs combine ongoing awareness training with detection, reporting workflows, and remediation guidance to reduce human risk. Use the platform to run simulations, collect user performance data, and automate follow-up training. For tools, integrations, and sample playbooks, visit Palisade’s resources: Palisade security awareness tools.
Need more help applying these figures to client programs? Palisade can help MSPs build targeted plans and measure improvements.