6 Best Practices for Your Cybersecurity Awareness Training

Written by phin | Mar 11, 2026 9:43:34 PM

There’s a gaping chasm between having security awareness training (SAT) so you can say you did it and having SAT that actually changes behavior. Your customers want results - fewer clicks and fewer fires to put out. They want to know their people aren’t the weak link that keeps them up at night.

And for MSPs, that means two things. You need a setup that actually works for your clients, and you need a setup that doesn’t drain your time, energy, and will to live every single month. The same setup needs to tick both of those boxes, by the way. Separate setups are just another headache.

Good SAT is a retention tool, a risk reduction tool, and a revenue driver. But only when you manage it with the right structure.

Below are best practices you can use to build scalable, effective training programs across all your clients, without adding extra overhead to your team.

6 Best Practices for Security Awareness Training

1. Training Frequency That Builds Real Retention

Your users are busy. Your customers are busy. Your team is definitely busy. So the best training cadence is predictable, short, and ongoing.

Monthly micro training (5 to 10 minutes)

Short, snack-sized content works. Users complete it, don’t complain about it, and they actually remember it for longer than 30 seconds because it’s not overwhelming. Best of all, it is easy to deploy across dozens of tenants without blowing up your schedule.

Annual hour-long courses overload people and tank retention. A few minutes every month sticks much better and keeps security top of mind year-round.

Annual baseline training

The solid, dependable foundation for your SAT house - because without this you’re building on a swampy quagmire and it could all come crashing down any minute. Baseline training covers company policies, compliance requirements, password hygiene, acceptable use, and all the high-level topics that auditors expect to see. Cyber insurance carriers will expect this. Many compliance standards require it. But you’re better than that, and your clients expect more - this is the bare minimum rather than the gold standard.

New hire training

New employees are statistically the highest risk group in any company. Assigning their training automatically on day one keeps everyone aligned and reduces the chance of a “the new guy just clicked a dodgy link then forwarded a phishing email to the entire finance department” situation.

MSP tip: Standardizing the cadence for every client stops your team from having to reinvent the wheel each time. Automation makes this easy to roll out.

2. Choosing the Right Training Topics

Good training topics are recent, relevant, and tailored. That means no outdated modules from five years ago and no content that looks like it belongs on a VHS - although it would probably give a sweet hit of nostalgia to most people in the corporate world to have a big TV wheeled in on a cart to watch a video.

Your topics should match:

  • The company
  • The department
  • The specific role

Finance should get different examples from sales. Healthcare should not see the same content as a manufacturing plant. And every user should see topics that reflect the current threat landscape. Anything older than two years will probably feel stale and be somewhat irrelevant.

When users see content that relates to them and their world, they take it more seriously and remember it longer.

3. Phishing Simulations That Teach, Not Punish

Phishing simulations are where users learn to spot the real thing. But they only work if the program is thoughtful, fair, and well timed.

Phishing simulation frequency

  • Standard industries: 1 per month
  • Higher risk industries (finance, legal, healthcare): 2 per month

This keeps users alert without overwhelming them.

Phishing simulation strategy

Start with simple emails to build confidence. Increase difficulty based on user skill levels. The goal isn’t to embarrass anyone; it’s to help them improve.

What not to send in phishing simulations

  • No impersonating government or law enforcement
  • No fake raises, bonuses, promotions, or anything that could crush morale
  • No overly aggressive or misleading emotional bait

Remember the goal is education, not emotional carnage - entertaining though the latter may be. When done well, phishing simulations turn employees into a layer of defense, not a liability.

4. What to Measure and Why It Matters

To prove ROI to your customers, you need clear, simple metrics that show the program is working. They help you understand user behavior and provide meaningful updates to clients.

Track these four KPIs:

1. Phishing click rate

Pretty self-explanatory, this one. Are fewer people clicking over time? If so, it’s a good indication of effective training.

2. Phishing report rate

Are more users reporting suspicious messages? An increase here shows the training is working - and users are being more vigilant.

3. Training completion rate

Is everyone participating, or are some users consistently behind? You can gauge general levels of engagement with this metric.

4. Users to watch

Identify those who fail often or skip training. These users need extra attention and likely extra training.

These four indicators give you a complete picture of behavior change - which, as we always say, is what good cybersecurity awareness training is all about!
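As an added example (not code from the Phin post or the Phin platform), the following Python computes the four KPIs above from a small set of constructed phishing-simulation and training records, and also produces the kind of period-over-period percentage change used in the client framing in section 5. The record layouts, the `PHISH_EVENTS` and `TRAINING_EVENTS` names, the user names, and the "users to watch" thresholds (more than one click or more than one skipped module) are all assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample records for one small tenant (not real data). Each
# phishing-simulation record is (month, user, clicked, reported); each
# training record is (month, user, completed). Names are placeholders.
PHISH_EVENTS = [
    ("2026-01", "alice", True, False), ("2026-01", "bob", False, True),
    ("2026-01", "carol", True, False), ("2026-01", "dave", False, False),
    ("2026-02", "alice", True, False), ("2026-02", "bob", False, True),
    ("2026-02", "carol", False, True), ("2026-02", "dave", False, False),
    ("2026-03", "alice", True, False), ("2026-03", "bob", False, True),
    ("2026-03", "carol", False, True), ("2026-03", "dave", False, True),
]
TRAINING_EVENTS = [
    ("2026-01", "alice", False), ("2026-01", "bob", True),
    ("2026-01", "carol", True), ("2026-01", "dave", True),
    ("2026-02", "alice", False), ("2026-02", "bob", True),
    ("2026-02", "carol", True), ("2026-02", "dave", True),
    ("2026-03", "alice", True), ("2026-03", "bob", True),
    ("2026-03", "carol", True), ("2026-03", "dave", False),
]


def monthly_phish_rates(events):
    """KPIs 1 and 2: {month: (click_rate, report_rate)}, as fractions of simulations sent."""
    sent, clicked, reported = defaultdict(int), defaultdict(int), defaultdict(int)
    for month, _user, did_click, did_report in events:
        sent[month] += 1
        clicked[month] += int(did_click)
        reported[month] += int(did_report)
    return {m: (clicked[m] / sent[m], reported[m] / sent[m]) for m in sorted(sent)}


def monthly_completion_rate(training):
    """KPI 3: {month: fraction of assigned modules that were completed}."""
    assigned, done = defaultdict(int), defaultdict(int)
    for month, _user, completed in training:
        assigned[month] += 1
        done[month] += int(completed)
    return {m: done[m] / assigned[m] for m in sorted(assigned)}


def users_to_watch(events, training, max_clicks=1, max_missed=1):
    """KPI 4: users who clicked more than max_clicks simulations or skipped more
    than max_missed modules over the whole period (candidates for remedial training)."""
    clicks, missed = defaultdict(int), defaultdict(int)
    for _month, user, did_click, _reported in events:
        clicks[user] += int(did_click)
    for _month, user, completed in training:
        missed[user] += int(not completed)
    everyone = set(clicks) | set(missed)
    return sorted(u for u in everyone if clicks[u] > max_clicks or missed[u] > max_missed)


def relative_change_pct(first, last):
    """Percent change between two rates; negative means the metric fell."""
    if first == 0:
        # A zero baseline (nobody clicked at all) has no meaningful percent change.
        raise ValueError("no non-zero baseline to compare against")
    return (last - first) / first * 100


def program_summary(events, training):
    """The numbers a one-page monthly executive summary would lead with."""
    rates = monthly_phish_rates(events)
    months = sorted(rates)
    first, last = months[0], months[-1]
    return {
        "period": (first, last),
        "click_rate_change_pct": relative_change_pct(rates[first][0], rates[last][0]),
        "report_rate_change_pct": relative_change_pct(rates[first][1], rates[last][1]),
        "completion_rate": monthly_completion_rate(training)[last],
        "users_to_watch": users_to_watch(events, training),
    }


if __name__ == "__main__":
    summary = program_summary(PHISH_EVENTS, TRAINING_EVENTS)
    print(f"{summary['period'][0]} to {summary['period'][1]}: "
          f"click rate {summary['click_rate_change_pct']:+.0f}%, "
          f"report rate {summary['report_rate_change_pct']:+.0f}%, "
          f"completion {summary['completion_rate']:.0%}, "
          f"users to watch: {', '.join(summary['users_to_watch']) or 'none'}")
```

On the constructed data the click rate falls from 50% to 25% (a 50% relative drop) while the report rate triples, and only one user trips the "users to watch" thresholds. Two points worth carrying into a real report: quote relative change alongside the absolute rates, because "dropped 50 percent" reads very differently for a 4-person tenant than for a 400-person one, and treat a zero baseline month as "no comparison yet" rather than as a trend.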

5. What to Report to Clients

Clients want the truth, but not necessarily the whole truth and nothing but the truth. They want it concise and jargon-free, put into context to provide simple answers to three simple questions:

  • Are we getting better or worse?
  • Are our employees a risk?
  • Will this help with our cyber insurance renewal?

If you can answer those three clearly, you win trust.

Best practice reporting cadence

Monthly executive summary

  • One page
  • Trend lines
  • Plain English takeaways

Quarterly review

  • Deeper dive on progress
  • Clear explanation of risk reduction
  • Recommendations that help the client and help you with upselling

Example MSP framing:

“Your click rate dropped 18 percent in three months, and phishing reports doubled - so your employees are becoming a better defense against cyber attacks rather than an additional risk.”

This type of phrasing helps clients understand the real impact of their investment.

6. What to Automate to Save Time and Reduce Overhead

If your security awareness training platform does not support multi-tenant automation, it will drain your team fast. A well-automated platform lets the work run itself.

Automate these tasks

  • Training campaigns
  • Training reminders
  • Phishing campaigns
  • Remedial training for failures
  • Reporting delivery
  • New user onboarding
  • User offboarding

Automation removes manual labor, reduces inconsistencies between clients, and creates a smooth experience for your team, with less direct involvement needed and fewer non-billable hours.

When everything runs in the background, your engineers stay focused on billable work and strategic projects. You also deliver a more consistent service to customers who co-manage their own users.

TL;DR?

Security awareness training should do more than help your clients tick a compliance box. When it’s structured well, updated often, automated properly, and matched to the needs of each user, it becomes a measurable risk reduction strategy.

Your clients get better outcomes. Your team spends less time chasing. And you can take the acclaim as the trusted partner who helped them get there.

If you want a simple checklist you can share directly with customers who help co-manage their SAT, download our Best Practices Infographic.