MSPs have never deployed more security technology than they have today.
Yet breaches keep starting the same way. A convincing email. A rushed click. An MFA prompt approved at the wrong moment.
The problem is not missing tools. It is that attackers have shifted their focus to the one layer technology cannot fully control: people.
This webinar explores why human risk is becoming the defining security challenge for MSPs heading into 2026, and how providers who treat it as a managed service, not a training checkbox, will be the ones that win.
Key takeaways for MSPs
- Attackers are scaling social engineering with AI and global reach, even when your client base is local.
- Traditional controls are necessary, but they hit a hard limit once a user lets an attacker in.
- Checkbox training creates completion, not behavior change.
- Human Risk Management works when it is continuous, measured, and owned as a service.
- Selling outcomes makes MSPs harder to replace than selling tools.
The 2026 threat shift MSPs cannot ignore
Colin started with an uncomfortable truth: “local” is no longer a security concept.
Remote access, cloud identity, SaaS sprawl, contractors, and work-from-anywhere patterns mean a small business in one town is exposed like a global company. The attacker does not need proximity. They need a path. That path is increasingly human, because human access is portable.
Then AI arrives and removes the last safety net many teams relied on.
There was a time when phishing had a smell. Broken grammar. Weird formatting. A tone that felt off. That smell is fading. AI can write cleanly in English, French, Spanish, and whatever your client’s workforce uses day to day. It can mirror a company’s internal voice. It can pull details from LinkedIn and public sources, then stitch them into emails that feel “personal” without being truly targeted.
That changes the economics of the attack.
The attacker does not need to choose between quality and scale. They can have both. They can run a “good enough” spearphish across a huge population, then let probability do the work.
Colin described this as a volume game, and it is hard to argue with the math. A low conversion rate stops looking low when you can run the play against millions.
The part MSPs feel most is timing.
When the world experiences a major outage, a vendor incident, or a breaking IT story, attackers get a gift: context. In the webinar, the “Microsoft outage” example landed because everyone has lived it. When teams are stressed, distracted, and racing to keep operations moving, they want quick resolution. That is exactly when a clean “support” email can pass as helpful rather than hostile.
This is not about users being careless. It is about users being human.
Why classic controls hit a ceiling
No serious MSP should interpret this webinar as “tools do not matter.” They do. They reduce blast radius. They catch lateral movement. They help you recover. They keep the obvious stuff out.
The point was sharper: tools cannot protect your client from a user who authorizes the wrong action.
A good stack can block known-bad links. It can flag suspicious logins. It can enforce MFA.
It cannot stop:
- the user approving a push when they are busy
- the user typing credentials into a replica page
- the user trusting a voice call that sounds like “the vendor”
- the user sharing access in the name of speed
Colin framed it simply: you can have every control in place, then it still fails if someone lets them in the front door.
That is why the conversation around human risk has moved from “nice add-on” to “core layer.” It is the missing layer in too many managed security services.
The compliance trap: why “training” fails in the real world
The webinar’s most useful insight was not a new tactic. It was a diagnosis.
Security awareness training became a checkbox because compliance rewarded checkboxes. Vendors sold completion. MSPs sold completion. Clients bought completion because auditors asked for evidence of completion.
It worked commercially. It did not work behaviorally.
Colin’s explanation was blunt: if people do training to check a box, they will not care about it. They will click through videos, pass a lightweight quiz, and forget what they saw by next week.
He used a fitness analogy because it maps cleanly to how humans learn:
You do not get strong by watching exercise videos.
You get strong by doing the reps, regularly, until it becomes muscle memory.
That is what most “annual training” never creates: muscle memory.
It creates a temporary awareness spike. Then the world moves on. The attacker does not.
Human Risk Management is closer to coaching than content
One of the best moments in the session came from Colin’s parenting example.
You cannot protect your kids by following them everywhere telling them what to do. You teach them to notice. You teach them to assess. You reinforce it with situations. You build judgment through repetition.
That is exactly what mature human risk programs try to do inside organizations.
Not “watch this video.”
Instead:
- build awareness of what threats look like in real life
- create repeated practice in safe simulations
- measure what is happening, not what was assigned
- intervene with the right follow-up for the right people
- keep it going long enough for habits to form
Mathias added the operational reality MSPs care about: this requires monitoring and measurement, not because metrics are trendy, but because behavior change is invisible unless you track it.
If you only measure completion, you end up “compliant” and still exposed.
If you measure behavior, you can answer questions clients care about:
- Are we improving?
- Where are we still at risk?
- Which teams need extra support?
- Are the riskiest actions decreasing month over month?
That is the shift from training as content to training as a discipline.
The MSP business case: outcomes beat tools
The thought leadership value here is not “phishing is bad.” MSPs already know that.
The value is the commercial reframing.
Colin said it clearly: when you sell a product or tool, you commoditize yourself. Your client can buy that same tool elsewhere. Your renewal becomes a pricing conversation. Your competitor can undercut you with “the same stack.”
When you deliver an outcome, you become harder to replace.
Outcome delivery means the client experiences you as:
- the partner who reduces risk
- the advisor who helps their organization function safely
- the team that makes security feel like progress, not friction
It also changes what the client expects from you.
A “tool MSP” is expected to install, configure, and react.
A “risk MSP” is expected to manage, report, and improve.
That difference matters because it moves you into a category clients protect during budget pressure. When a client is forced to cut spend, they do not cut what they believe prevents catastrophe. They cut what feels optional.
Human risk management, done properly, sits in the “prevents catastrophe” category.
Where MSPs get it wrong: selling HRM, then not running it
Colin’s most practical warning was about follow-through.
Many MSPs can sell human risk.
Many MSPs can deploy a platform.
The failure is what happens next.
Human risk becomes a real service only when it has an operational cadence:
- activity runs consistently
- results are reviewed
- high-risk users are addressed
- progress is shared with the client
- the program evolves with new threats
If you treat HRM like a one-time project, clients experience it like software they never asked for. Adoption drops. Engagement drops. The client stops caring. You stop talking about it. The door stays open.
If you treat HRM like patching, backups, or endpoint protection, meaning ongoing and owned, clients experience it as part of how they stay safe. That is the difference between “we bought training” and “we are reducing risk.”
The mindset MSPs should take into 2026
Colin gave a simple starting point: give human risk real attention.
Not as a side conversation at renewal time. Not as a compliance upsell. Not as a “we also have training.”
As a core part of your security narrative.
He made a point that matters for differentiation: most MSPs still are not having this conversation in a credible way. They pitch tools. They list features. They talk about email security and backups and endpoint protection because that is familiar.
Human risk is familiar to every business owner, just not in security language.
Every owner already worries about employees as both the biggest opportunity and the biggest risk. They worry about mistakes, disengagement, turnover, and poor judgment under pressure. Human risk management meets them inside a fear they already have, then gives them a structured way to reduce it.
Colin also shared a sales truth that is worth keeping: buyers make decisions for three reasons.
- Make more money.
- Lower costs.
- Reduce risk.
Human risk sits cleanly in the third. It sells best when you connect it to what the client loses during an incident: downtime, lost revenue, lost trust, lost sleep.
When you lead with that, the conversation stops being “do we need this tool?” and becomes “how do we lower the chance of disaster?”
Next steps: how to turn the webinar into action
If you want to build human risk into your 2026 security offer, the next move is not a new pitch deck.
It is a service design decision.
Decide what you will own:
- the ongoing program
- the reporting rhythm
- the interventions for at-risk users
- the narrative you will use with clients: risk reduction, not compliance
From there, the two most direct CTAs from usecure’s side are built for MSP adoption:
1) Get the NFR license
Use it to run the program internally, then use real screens and real results when you show clients what “managed human risk” looks like.
2) Use the Demo Hub for on-demand demos
Show the workflow, not the promise. Clients trust what they can see.