The Importance of Automation for Security Awareness
How many hours of your technicians' time are wasted on manual tasks? What are they doing over and over again that can be automated? Today I want to share with you how you can improve as an MSP by training your technicians on automation and at what point it’s best to start automating tasks.
Watch the full episode below or listen on Apple/Spotify Podcasts. (links to Apple and Spotify on the Gone Phishing page!)
Full Episode 010 Transcript:
00:00:00:12 - 00:00:29:16
Connor Swalm
Welcome to Gone Phishing, a show diving into the cybersecurity threats that surround our highly connected lives. Every human is different. Every person has unique vulnerabilities that expose them to potentially successful social engineering. On this show, we'll discuss human vulnerability and how it relates to unique individuals. I'm Connor Swalm, CEO of Phin Security, and welcome to Gone Phishing, everyone.
00:00:30:09 - 00:00:53:00
Connor Swalm
Welcome back. I'm Connor, CEO at Phin, and welcome to Gone Phishing, the podcast where we talk about everything phishing (that's phishing with a "ph," for you actual anglers out there), and we're going to talk today about how important automation is in your security awareness program. So a couple of things I'd like to chat about before we dive into some of the talking points.
00:00:53:00 - 00:01:23:05
Connor Swalm
One, Phin is my company. We work exclusively for MSPs, and an MSP is a managed service provider, if you're unaware, that serves hundreds, if not thousands, of small to medium to enterprise-sized customers. Think about bringing IT and security expertise to the 99-point-whatever percent, 97-point-whatever percent, of employees that don't work at a Fortune 500 company, specifically here in the US where we're based.
00:01:23:15 - 00:01:49:17
Connor Swalm
And so automation, for anyone that's an MSP, automation is an incredibly powerful tool that, if not leveraged correctly, could result in incredible costs to your company for providing services that could be automated in some way, shape or form. So automation in general for MSPs is like one of the critical things that they worry about on a continuous basis.
00:01:49:17 - 00:02:23:10
Connor Swalm
And any amount of automation that they can create is automation that they would like to create. That's how important it is. So given that, how important is automation in awareness training? So I will address some of these points that I'll go over with actual real-world conversations I've had with technicians and MSPs that have told me how they build certain programs, the way that they do that, and how much time, effort, energy, and what their experience is in building programs.
00:02:23:10 - 00:02:44:06
Connor Swalm
And essentially, you know, long story short, all of those conversations I had, I built into a use case that then me and our wonderful employees here have been built into a platform to soar. So that is how important it was for the MSPs, is that automation did not exist, that they wanted to take advantage of, and we end up saving MSPs tons of time.
00:02:44:11 - 00:03:06:00
Connor Swalm
That's why it's here. So that's how important it is. So how about that program's been managed in the past. What is I'm going to I'm going to say, what is our run of the mill awareness training program look like? And I know that it's not run of the mill, but it's what is the average program where there's I guess Littleton I want to mention or that what do technicians typically have to do to get a program up and running?
00:03:06:08 - 00:03:36:07
Connor Swalm
So it's this: you can upload the employees of a company to a platform or to some other kind of mechanism. You can do that through CSV that you import on a consistent basis or through a connection to Exchange, Azure AD, Google Workspace, whatever you're using as your employee database. So you get employees into your platform. And then the second thing that you do is you build a training program.
00:03:37:08 - 00:04:12:18
Connor Swalm
The training program will typically be mostly set in stone by maybe compliance requirements that you have to abide by, maybe by your cyber insurance policy telling you to, you know, educate on different topics. Or if you're really savvy, maybe you're looking at, you know, CIS Controls and you look at CIS Control 14 and you go through all of Implementation Group 1 and then you go through the last point, 14.9, on Implementation Group 2, where you are actually creating role-specific training for groups of individuals.
00:04:13:15 - 00:04:35:11
Connor Swalm
There's some topics in there that they'll trust. So what it's typically taken for an awareness training program to get up and running is the uploading of those users by hand. Then you have to continuously make sure that those users stay up to date, that there's no removed users that need to be removed, there's no added users that need to be added, no updated users.
00:04:35:11 - 00:04:59:05
Connor Swalm
Sometimes you get to my hand, which is painful. The second thing for these training contents, if you're not watching them all at once, a lot of times you will have to build this program. You have to select, let's say it's one video a month, 12 videos. It's just really simple for math. Six right now. You'll have to schedule those out and you'll have to deliver them for all of the employees in that company.
00:05:00:01 - 00:05:16:17
Connor Swalm
If you're an MSP, you'll have to go to your second company. You'll have to rebuild that program. Maybe you'll have to adjust it in a few ways, and then you'll have to watch it there. What I'm getting at is you have to repeat everything over and over and over again for a lot, a lot of MSPs. This is what they told me.
00:05:16:17 - 00:05:35:10
Connor Swalm
Their experience was over the last few years. And then you're not done yet. You got to do the same thing with phishing. So you got to select unique phishing assessments. You got to deliver them to users or schedule them out to be delivered. And then you have to go to your second, third, fourth and fifth client. Have to rebuild that all from scratch.
00:05:35:10 - 00:05:56:18
Connor Swalm
Again, that is the average experience that has been described to me by the technicians that I've talked to. So what that requires is a lot of time. It requires an incredible amount of time. And a lot of that time is spent doing work over and over and over and over again. It's the worst kind of work to ever do.
00:05:56:18 - 00:06:20:03
Connor Swalm
And most of the technicians I talk to, they can't wait to pawn that work off to somebody else. And that is selecting the phishes, the trainings and actually uploading the users, most of the technicians I talked to. And so at some level what I've told to some technicians when I was actually doing the selling for Phin was we're here to give you your time back.
00:06:21:01 - 00:06:36:13
Connor Swalm
How cool would it be or how much better would your life get if you didn't have to spend the first 2 hours of your day going into a subset of your clients and reselecting phish? So you don't have to be an expert at selecting which phishes go out. You don't have to be an expert at selecting which content is to get put in front of which users.
00:06:36:18 - 00:07:19:03
Connor Swalm
You don't need to do anything. We'll do that for you. That was the value add that really resonated with them. And so that is very important for MSPs. So most partners that we work with deploy, let's say, north of 20 clients; that is when repetitive, consistent building of programs with phishing and training gets onerous. At about 20 partners, that starts to be enough of a workload on a consistent basis: making sure everything is running, making sure reporting is configured correctly, making sure no programs have lapsed, making sure your allowlisting is still working and Microsoft isn't screwing it.
00:07:19:03 - 00:07:53:16
Connor Swalm
Things typically at about 20 clients is when it starts to become the major role of somebody. Somebody is full time jobs at about 70 clients. It is somebody's full-time job in a lot of cases. So that's the scale of the problem. When there is no automation, this not only saves technicians time, but, you know, an important point I bring up is what are the activities that actually generate that your client actually wants you to work on for them?
00:07:53:16 - 00:08:20:19
Connor Swalm
And a lot of it has to go back to you. The client doesn't necessarily care if you're an expert in selecting the simulation emails and the training content, doing all this thing. What they do care about is that you are a resource of expertise and professionalism, specifically in IT infrastructure and cybersecurity, and you're not going to communicate that to them by rebuilding phishing and training campaigns over and over and over again every year.
00:08:20:19 - 00:08:58:21
Connor Swalm
And every client or however often you decide to do it. What would help communicate to your client that you are that resource is meeting with them on a more consistent basis or being able to spend more face time with them and actually show them, demonstrate to them that you are that partnership for them. And so when we take that time away, when automation takes that time away from technicians and gives it back to them, that's when you can start to get into the much more impactful behaviors and things that you would like your employees at your MSP to do.
00:08:59:23 - 00:09:18:07
Connor Swalm
That's what we advocate for. So literally we have I talk with partners all the time and we have a partner council that I meet with and it's: How can we make your job easier? What would you wish that you had the time to do that you're ignoring because of X, Y and Z issues? So automation is kind of like the light at the end of the tunnel.
00:09:18:07 - 00:09:49:18
Connor Swalm
It's that all it needs to be leveraged very, very effectively in order to create give you the time back. And kind of like a second point that I mention here is I can't tell you how many MSP folk have come up to me, how many security practitioner cybersecurity folk in general. And one thing that gives them heartburn is they feel like they need to be an expert in every single area of IT
00:09:49:18 - 00:10:11:20
Connor Swalm
infrastructure and security, that that's what their client is depending upon them for. And if you are building everything on your own by hand over and over again, you absolutely need to be an expert. If you're leveraging relationships and partnerships and tools and platforms that are able to do that for you in some kind of automated fashion, because that's what they've dedicated their lives to.
00:10:12:12 - 00:10:46:15
Connor Swalm
That just gives you an incredible amount of scalability and removes some of that heartburn. So you need to be really careful about the partnerships you create, but when done correctly, you can leverage them super effectively. That's what I've seen in the last point that I'll make here is at the end of the day, the outcome we want to create together is to reduce the risk that social engineering becomes turns into the theft of information, access or money in a client, in a person.
00:10:46:15 - 00:11:16:12
Connor Swalm
And so what the heck does any of this automation have to do with keeping, with helping, with keeping an end user secure and with actually accomplishing that goal? And I will posit this, that I've heard from more than a few partners, more than a few MSPs in the industry, is there were several instances where programs lapsed, training did not occur, phishing assessments did not go out.
00:11:17:01 - 00:11:55:01
Connor Swalm
Reporting stopped in portions of their client base, and they didn't recognize it because there was no alert, there was no automation that kept things running. And essentially the company, the clients were paying for something they weren't receiving, which on its own is an issue. But secondarily, I've run into several companies where they may or may not qualify for cyber insurance coverage because when they hand that cyber insurance questionnaire to their security partner or to their internal team, and they say, Do you do A, B and C?
00:11:55:01 - 00:12:35:14
Connor Swalm
And then you go and check that. And that's not happening, that becomes a problem. And that's when things get a little trickier. So it could come down to automation, might be one of the reasons why you're able to scale your security services specifically. If a security service you offer is not scalable, it will not be profitable in a lot of ways or as profitable as it could be to deliver. And we, you know, I don't like to say I'm an expert, but I've been around the block a little bit on this very small segment of security, which is human vulnerability management.
00:12:36:05 - 00:12:59:02
Connor Swalm
But I can see how a lot of the principles would apply to every other area, and so do many MSPs. So I hope that I was able to communicate today the importance of automation. There are a lot of really neat tools that are coming out for you all as MSPs and you all as security practitioners to help automate a lot of this.
00:12:59:11 - 00:13:19:15
Connor Swalm
Again, the biggest peace of mind that I've seen, the biggest positive benefit I've seen for partners and for cybersecurity practitioners is reducing that load, that mental load of needing to be the expert in every area. Automation can help with a lot of that. If you do it with the right partner, that's the biggest benefit. And so what I would encourage you to do is take stock.
00:13:20:10 - 00:13:39:20
Connor Swalm
What are you spending time doing? What are you repeating over and over again that you could potentially, you know, automate a bit or potentially lean on your partner or lean on the vendor you're working with? If you're an internal IT team or if you're an MSP, that's what I would recommend you do. As always, you can reach us through our website, find me on LinkedIn, find the company on LinkedIn.
00:13:39:20 - 00:14:02:18
Connor Swalm
That's page by and see. See that I website. I am Connor Swalm, the CEO at Phin, and thank you for phishing with me today. Thanks so much for tuning in to Gone Phishing. If you want to find out more about high-quality security awareness training campaigns, how to launch them in ways that actually engage employees to change their habits.
00:14:03:00 - 00:14:17:20
Connor Swalm
Then check us out. Phin Security at phinsec.io that's in a that IO or like all of the wonderful things in our show notes. Thanks for phishing with me today and we'll see you next time.