7 Security Awareness Training Pushbacks MSPs Hear (& How to Respond)

If you work at a managed service provider, you’ve probably had this exchange before.
You recommend cybersecurity awareness training to a client. They nod politely at first, then the objections start rolling in. Maybe they spoke to a couple of their internal “experts” who fixed a printer once in 2007 and accidentally secured the Internal Tech Support role.
“Our business is too small to get attacked.”
“We already meet compliance requirements.”
“Our employees aren’t dumb.”
Most resistance to cybersecurity awareness training isn’t about technology, cost, or some personal vendetta against you. It usually comes down to misunderstandings and misconceptions, and once you know what those misconceptions are, they’re much easier to address.
Below are seven of the most common pushbacks MSPs hear about security awareness training, and how to respond to them.
7 Common Pushbacks MSPs Hear About Security Awareness Training (and How to Respond)
1. “Cybersecurity Awareness Training Is Boring and a Waste of Time”
This objection usually comes from people who have sat through bad training before - you know the stuff. A 60-minute compliance video that employees play in the background while answering emails. Or hours in a room being asked whether you should send your bank details to someone claiming to be a Nigerian prince (a quick tip you can have for free: no, don’t do that).
That kind of training is a waste of time, even if it ticks a box. But good security awareness training works differently.
Instead of long, generic courses once a year, modern SAT programs - the decent ones - use short, relevant lessons that employees can complete in a few minutes. The goal is to build habits over time, not overwhelm people with information.
When training is:
- Short
- Engaging
- Related to their job role
- Relevant to current threats
Employees are far more likely to remember it.
And compared to the months spent recovering from a breach, a few minutes a month is a pretty good trade.
2. “We Just Need to Meet Compliance Requirements”
Many organizations approach cybersecurity awareness training as a checkbox. If a compliance framework requires annual training, they schedule one session a year and call it done. The problem is that compliance requirements represent the minimum standard, not an effective security strategy.
Threats evolve constantly with new phishing techniques, social engineering tactics, and new attack methods appearing all the time. Training once a year is like studying for a test and forgetting everything the moment summer vacation starts. Frequent, shorter training sessions are far more effective because they reinforce good habits and keep employees aware of current threats.
Compliance might require training once a year, but actual security requires a better approach. Many cyber insurance providers now expect ongoing security awareness training, not just a once-a-year checkbox exercise, which makes a compliance-only approach even harder to justify.
3. “Our Business Is Too Small to Get Attacked”
This is one of the most common (and most facepalm-inducingly wrong) cybersecurity myths.
Attackers aren’t always looking for the biggest companies. They’re looking for the easiest targets.
In fact, 46% of cyber breaches impact businesses with fewer than 1,000 employees, according to SecureWorld data.
So small and medium businesses are clearly attractive targets. Why?
Because smaller organizations often have:
- Fewer security resources
- Less mature processes
- Employees who receive less training
Those pesky attackers know this. They also know that breaching one small company is often easier than breaching a large enterprise. Just like convenience stores and gas stations get robbed more often than banks, which get robbed more often than Fort Knox. The rewards might not be as high, but the likelihood of success is far greater.
In truth, no business is too small to be targeted. Some are just too small to make the news.
4. “It’s Too Expensive”
At first glance, security awareness training can look like just another cost. Another line item. Another subscription. Another thing eating into budget. But this is one of those situations where the cheaper option ends up being far more expensive.

A breach doesn’t just cost money. It costs:
- Downtime
- Lost productivity
- Legal fees
- Reputational damage
- Customer trust
- Potentially fines or compensation
And most importantly, time. (For most businesses, recovery takes over 100 days.)
Even relatively small incidents can take weeks or months to fully recover from. Larger ones can drag on even longer, pulling your team away from the work that actually grows the business.
By comparison, security awareness training is predictable, relatively low-cost, and designed to prevent those situations in the first place.
It’s not an extra expense. It’s an investment to help avoid a much bigger expense - possibly even a business-ending one.
5. “Our Employees Aren’t Dumb”
First off, at least some of them probably are - let’s get that out of the way. But security awareness training isn’t a test or reflection of intelligence. What appears to be common sense or obvious to some simply never crosses the mind of people who haven’t been exposed to that particular knowledge or scenario.
Even smart employees make mistakes when they’re busy, multitasking, or under pressure. That’s exactly the environment attackers rely on. In fact, Proofpoint research showed that 71% of users admitted taking a risky action online in the past year, even though 96% of those knew it wasn’t the safest choice.
So clearly it’s not a knowledge or intelligence problem. It’s a behavior problem.
Security awareness training helps build better habits by:
- Teaching employees how modern attacks actually work
- Reinforcing safe behaviors through repetition
- Making security relevant to their daily work
It’s the same reason we run phishing simulations. Not because employees are unintelligent, but because attackers are constantly improving their tactics, and regular training helps employees stay one step ahead. And some users are bigger targets than others.
New employees are prime targets because onboarding creates the perfect environment for phishing and impersonation. They’re setting up direct deposit, signing documents, and getting acquainted with new systems - a recipe for impersonation to slip through the cracks. Executives are major targets, too, because they have access to sensitive information and decision-making power, and they’re not always as engaged with training as they should be (we see you!). Then there are those who consistently skip training altogether - they're higher risk because, you know, basic logic and the laws of the universe.

6. “We Already Have Security Tools”
Firewalls, endpoint protection, and email filtering are essential parts of a security stack. But attackers know how to work around technical controls. That’s why so many modern attacks focus on people instead of systems.
Examples include:
- Business email compromise
- Fake invoices or payment requests
- Social engineering scams - manipulating a person into handing over money, credentials, or access, rather than exploiting a flaw in software
- MFA fatigue attacks (also called push bombing) - where an attacker who already has a user’s password bombards them with login approval prompts until they accept one just to make it stop.
In these scenarios, the attacker doesn’t need to exploit a software vulnerability. They just need someone to click a link, pay an invoice, or approve a request. In the MFA fatigue case the attacker is already holding the password; the person tapping “Approve” is the last control left. Human error remains one of the biggest causes of breaches, which means technical defenses alone are not enough. Security awareness training fills the gap by helping employees recognize threats before they become incidents.
Deciding you don’t need to train employees because you’ve got technical defenses in place is like taking the steering wheel out of your car because you trust the seatbelts and airbags.
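The MFA fatigue pattern described above can be spotted in identity-provider logs as a burst of push challenges to one account, often several denials, and then an approval. What follows is an added example, not code from the original post or from Phin: a small Python detector that runs over a constructed sample log. The log format, the field names, the five-prompts-in-five-minutes threshold, and the user names are all assumptions for illustration; a real IdP (Okta, Entra ID, Duo) logs push challenges in its own schema, so the parser is the part you would swap out.

```python
"""
Rate-based detector for MFA push bombing ("MFA fatigue").

Added illustration, not Phin's code. The log lines and their format are
constructed for the example; threshold and window values are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from a real identity provider). Assumed format:
# "<ISO timestamp> user=<id> event=<push_sent|push_approved|push_denied> ip=<addr>"
# alice denies two prompts, keeps getting bombarded, then approves one.
# bob gets a normal single prompt-and-approve twice, an hour apart.
SAMPLE_LOG = """\
2024-03-04T08:01:10Z user=alice event=push_sent ip=203.0.113.5
2024-03-04T08:01:12Z user=alice event=push_denied ip=203.0.113.5
2024-03-04T08:01:40Z user=alice event=push_sent ip=203.0.113.5
2024-03-04T08:01:43Z user=alice event=push_denied ip=203.0.113.5
2024-03-04T08:02:05Z user=alice event=push_sent ip=203.0.113.5
2024-03-04T08:02:30Z user=alice event=push_sent ip=203.0.113.5
2024-03-04T08:02:55Z user=alice event=push_sent ip=203.0.113.5
2024-03-04T08:03:20Z user=alice event=push_sent ip=203.0.113.5
2024-03-04T08:03:24Z user=alice event=push_approved ip=203.0.113.5
2024-03-04T08:05:00Z user=bob event=push_sent ip=198.51.100.7
2024-03-04T08:05:04Z user=bob event=push_approved ip=198.51.100.7
2024-03-04T09:15:00Z user=bob event=push_sent ip=198.51.100.7
2024-03-04T09:15:03Z user=bob event=push_approved ip=198.51.100.7
"""


def parse_line(line):
    """Parse one log line into a dict; the timestamp becomes a datetime."""
    ts_str, *fields = line.split()
    rec = {"ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def _expire(q, now, window):
    """Drop timestamps older than the sliding window from the left of a deque."""
    while q and now - q[0] > window:
        q.popleft()


def detect_push_bombing(log_text, threshold=5, window_seconds=300):
    """Return a list of alerts.

    'burst'          - a user received at least `threshold` push challenges
                       within `window_seconds` (raised once per user per burst).
    'burst_approved' - a prompt was approved while such a burst was in
                       progress: the fatigue outcome, and the one to act on.
    Each alert carries how many prompts and denials were seen in the window.
    """
    window = timedelta(seconds=window_seconds)
    sent = defaultdict(deque)    # user -> timestamps of recent push_sent
    denied = defaultdict(deque)  # user -> timestamps of recent push_denied
    flagged = set()              # users already given a 'burst' alert
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        user, event, now = rec["user"], rec["event"], rec["ts"]
        _expire(sent[user], now, window)
        _expire(denied[user], now, window)
        if event == "push_sent":
            sent[user].append(now)
            if len(sent[user]) >= threshold and user not in flagged:
                flagged.add(user)
                alerts.append({"kind": "burst", "user": user, "ts": now,
                               "ip": rec["ip"], "prompts": len(sent[user]),
                               "denials": len(denied[user])})
        elif event == "push_denied":
            denied[user].append(now)
        elif event == "push_approved" and len(sent[user]) >= threshold:
            alerts.append({"kind": "burst_approved", "user": user, "ts": now,
                           "ip": rec["ip"], "prompts": len(sent[user]),
                           "denials": len(denied[user])})
    return alerts


if __name__ == "__main__":
    for alert in detect_push_bombing(SAMPLE_LOG):
        print(alert)
```

On the sample log this raises two alerts, both for alice: a burst at the fifth prompt, and an approval while six prompts sat in the window. Note what the detector can and cannot do: it flags the pattern, but the approval has already happened by the time the second alert fires, which is exactly why the user who knows to deny and report an unexpected prompt matters as much as the control.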
7. “Security Awareness Training Doesn’t Reduce Risk”
There’s a perception in some organizations that security awareness training is just a box-ticking exercise that doesn’t actually move the needle. The data says otherwise. When implemented correctly, security awareness training produces measurable improvements in user behavior.
Organizations commonly see:
- Lower phishing click rates
- Higher phishing reporting rates
- Faster incident detection
- Improved security habits across the organization
At Phin, we’ve seen phishing click rates drop by as much as 70% after consistent training, and sometimes the benefits go even further. For example, one Phin customer completely changed how they collect credit card information from customers after realizing the risks in their previous process. That kind of operational change only happens when employees understand the threats they face and know how to respond to them.
Turning Pushback Into Buy-In
If customers push back on security awareness training, it’s rarely because they don’t care about security. Most of the time, they simply misunderstand what effective training looks like.
The key is helping them understand that:
- Security awareness training does not have to be time-consuming
- Compliance alone is not enough to reduce risk
- Small businesses are common targets
- Smart employees still need good security habits
- Technology alone can’t and won’t stop social engineering attacks
Once customers see SAT as a practical risk-reduction tool rather than a compliance checkbox, the conversation becomes much easier.
And that’s when real change happens.
Download the Infographic: 7 SAT Pushbacks and How to Respond
Want an easier way to handle these conversations with your customers?
We’ve put together a simple, shareable infographic that breaks down the most common security awareness training objections and how to respond to them.
You can use it in sales, follow-up, and general awareness campaigns. Heck, you can print it out and stick it on your window if you like.
Spread the good word of SAT and maybe make that next “We don’t need this…” conversation a little easier for everyone.