The Human Factor in MSP Security: Why Education Beats Blame Every Time
You know what’s funny about cybersecurity? We spend millions on fancy firewalls and cutting-edge detection systems, but the biggest vulnerability in most organizations isn’t some sophisticated zero-day exploit. It’s someone moving between meetings, scanning their inbox at speed, clicking a link they would normally question because they are trying to get a quarterly report finished before the deadline.
usecure recently had the chance to sit down with Dan Gardner, Head of Infrastructure and Security at Bondgate IT, an MSP in north-east England. What he shared about the human element of cybersecurity really got me thinking about how we’re approaching this whole thing wrong.
Moving Beyond the Blame Game
Dan’s been in the trenches for 18 months with usecure’s security awareness platform, and he’s seen firsthand how the conversation around human risk is shifting. “There’s a lot of stigma with human risk,” he explains. “There’s also a lot of misunderstanding from our clients about what human risk actually is.”
Here’s the thing that really struck me – we’ve been treating security awareness training like some kind of corporate punishment. You clicked the wrong link? Here’s your shame-filled training module. You fell for that phishing email? Time for another lecture about how you’re putting the company at risk.
But Dan’s approach is different. “The human risk element has developed from just looking at an individual and ultimately trying to find out their faults and punishing them for it. That’s not the etiquette we want to push towards our clients.”
It’s refreshing, honestly. Instead of pointing fingers when someone makes a mistake, what if we actually helped them understand why security matters? Not just for the company, but for them personally too.
This shift in perspective is crucial because fear-based training often backfires spectacularly. When employees are terrified of making mistakes, they tend to hide them rather than report them. That means a clicked link or an entered password goes unreported, the incident is detected later rather than sooner, and the organisation loses the chance to contain it while it is still small. Dan’s team has found that when they remove the shame element, people become more willing to admit when something doesn’t look right or when they’ve accidentally clicked on something suspicious.
The psychological impact of this approach cannot be overstated. Traditional security training often leaves employees feeling like they’re walking through a minefield, afraid that any wrong step will result in corporate disaster and personal humiliation. This creates a culture of anxiety rather than awareness. When people are anxious, they make more mistakes, not fewer. They rush through security protocols, skip verification steps, and avoid asking questions that might reveal their uncertainty.
Security That Actually Makes Sense
One thing that caught my attention was how Dan talks about the crossover between personal and business security. “There’s elements that we can help them with in their personal lives,” he says. “Educating them about better password hygiene, ensuring those passwords aren’t being reused over and over, educating them on how to handle credit card information.”
This is brilliant because it makes security relevant to people’s everyday lives. When you show someone how to protect their own bank account, suddenly they understand why protecting company data matters too. It’s not some abstract corporate policy anymore – it’s practical knowledge they can use.
Think about it: if your employees are using “password123” for their personal Netflix account, what do you think they’re doing with their work credentials?
The Waterfall Effect of Security Culture
Dan mentioned something that really resonated with me about how security awareness needs to flow through an organisation. “It’s that waterfall effect ultimately. You start at the top and try and build your way back down.”
But here’s where it gets tricky. The folks at the top often don’t have the same technical knowledge as the IT team, and the receptionist doesn’t know as much as either group. Yet everyone – and I mean everyone – is responsible for the security of that business.
“A lot of people understand that the executive team needs to be secure because they’ve got the keys to the kingdom,” Dan explains. “But they think, ‘What does my job role have to do with security? I don’t necessarily need that because all I do is answer emails.'”
That’s the disconnect right there. People don’t realise that answering emails is a security function, because email is the channel through which phishing links, malicious attachments and social engineering requests arrive, and the person reading the inbox is the control that decides whether they succeed.
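To make concrete what “answering emails” involves as a security function, here is an added example (not code from the article, usecure or Bondgate IT) in Python that checks a message for three of the indicators a phishing-aware reader looks for: a sender domain that imitates the company’s own, a Reply-To that points somewhere else, and urgency language in the subject or body. The trusted-domain list and both sample messages are constructed for this example.

```python
"""Surface common phishing indicators from an email's headers and body.

Added example; not code from the article, usecure or Bondgate IT.
The trusted-domain list and both sample messages are constructed for
illustration only.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the domains the organisation actually sends mail from (constructed).
TRUSTED_DOMAINS = {"bondgate-example.co.uk"}

# Digits commonly used to imitate letters in lookalike domains.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})

# Pressure wording of the "finish it before the deadline" kind the article describes.
URGENCY = re.compile(r"\b(urgent|urgently|immediately|asap|deadline|right now)\b", re.I)

# Constructed sample: the display name claims to be the CEO, the sending domain
# swaps an "l" for a "1", and replies are redirected to a third domain.
SAMPLE_EMAIL = """\
From: "Jane Smith (CEO)" <jane.smith@bondgate-examp1e.co.uk>
Reply-To: finance-desk@relay-example.net
To: reception@bondgate-example.co.uk
Subject: Urgent: quarterly report before 5pm

Can you send me the latest report now? I'm between meetings.
"""

# Constructed sample of an ordinary internal message.
BENIGN_EMAIL = """\
From: "Jane Smith" <jane.smith@bondgate-example.co.uk>
To: reception@bondgate-example.co.uk
Subject: Lunch on Thursday

Shall we book the usual place?
"""


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if it has none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain_status(domain: str, trusted=frozenset(TRUSTED_DOMAINS)) -> str:
    """Classify a sending domain as 'trusted', 'lookalike' or 'external'."""
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return "trusted"  # exact match or a genuine subdomain
    for t in trusted:
        normalised = domain.translate(HOMOGLYPHS).replace("rn", "m")
        if normalised == t or _edit_distance(domain, t) == 1:
            return "lookalike"
    return "external"


def analyse(raw: str, trusted=frozenset(TRUSTED_DOMAINS)) -> list[str]:
    """Return a sorted list of indicator names found in the raw message."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    indicators = []

    if sender_domain_status(_domain(from_addr), trusted) == "lookalike":
        indicators.append("lookalike-sender-domain")

    # A Reply-To on a different domain from the sender means the attacker
    # wants the conversation, not just the click.
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        indicators.append("reply-to-mismatch")

    text = msg.get("Subject", "") + "\n" + msg.get_payload()
    if URGENCY.search(text):
        indicators.append("urgency-language")

    return sorted(indicators)


if __name__ == "__main__":
    for name, mail in (("sample", SAMPLE_EMAIL), ("benign", BENIGN_EMAIL)):
        print(name, analyse(mail) or "no indicators")
```

None of these checks is proof of phishing on its own; the point is that the constructed sample trips all three, while the benign internal note trips none, which is exactly the judgement a trained reader makes in a few seconds before replying.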
Compliance is Getting Real for Small Business
Here’s something that’s been keeping a lot of MSPs busy lately: compliance frameworks that used to apply only to big corporations are now filtering down to small businesses. Dan’s seeing this firsthand: “We’re seeing a lot of increase in compliance challenges because the frameworks are now filtering down to small business, and not all of those small businesses are aware necessarily.”
Remember when GDPR hit? Dan certainly does. “GDPR was a huge shift and no one quite understood what the framework was because ultimately the framework wasn’t definitive enough. It was left very open.”
From an MSP perspective, this created a perfect storm. Clients were asking, “What should we be doing? How should we be doing this?” And there wasn’t one clear answer. Every business needed a tailored approach, which made things incredibly difficult.
But here’s where having the right security awareness platform makes all the difference. Instead of businesses trying to become compliance experts overnight, tools like usecure can help educate executive teams about the different compliance requirements and help them ask the right questions.
The Mindset Shift is Real
What gives me hope is that Dan’s seeing real change in how people approach security. “We’re seeing a really big shift in mindset now. Security is becoming more of a higher priority.”
People are starting to adopt new security standards, policies, and procedures as part of their daily routine. It’s not just something the IT department worries about anymore – it’s becoming part of how everyone works.
This shift is partly driven by necessity. Cyber threats aren’t getting any less sophisticated, and the cost of a breach keeps going up. But it’s also because we’re finally getting better at explaining why security matters in terms people can actually relate to.
Building Trust Through Education
What I love about Dan’s approach is how it builds trust instead of fear. When employees feel like they can ask questions without getting in trouble, when they’re not afraid to admit they don’t understand something, that’s when real learning happens.
“If you’ve got that culture of building people’s esteem so they’re not afraid to ask questions or make mistakes and then learn from them,” that’s when you start to see real improvement in security posture.
The best security awareness program is the one where people actually want to participate. When employees see security training as something that helps them rather than something that’s done to them, everything changes.
Looking Forward
As we head into a new financial year, it’s worth thinking about how human risk management fits into your IT roadmap. The technology is important, sure, but the human element might be even more critical.
Our customers’ experience with human risk management shows that when you get the human factor right, when you focus on education over punishment, when you make security relevant to people’s daily lives, when you build trust instead of fear, everything else becomes easier.
The question isn’t whether your employees will make mistakes. They will. The question is whether you’re building a culture where they can learn from those mistakes and become part of the solution rather than just another vulnerability to manage.
Because at the end of the day, your strongest firewall isn’t made of code – it’s made of people who understand why security matters and know what to do about it.