By R. Greg Manson, Logically
You’ve done all you can to provide the most advanced technology to deter cybercriminals from impacting your clients’ organizations, so you should feel confident in your efforts, right? Well, unfortunately, despite technologies that impede malware and viruses, you may be wrong.
Most organizations do not realize that one of their biggest liabilities is their staff. According to a recent CNBC article, the problem is so massive that there are about 166 million phishing attacks per day, and approximately 43 percent of all threats, including ransomware, are the result of a client’s staff being taken advantage of by malicious hackers.
If not properly alerted to the dangers of their role in thwarting cybercrime, users may be inadvertently putting an organization at great risk. That is why it is critically important to provide security training to clients early and often.
In this article, we will review the foundations of optimal security training to help organizations achieve success in the war against cyberattacks.
The Human Component
Most small to midsized businesses worry about cybercrimes and strive to take steps to mitigate the risks to their organizations. They work with MSPs and invest in security technologies that they think have adequately protected their organizations. While technology does provide a strong layer of protection, it does not protect against employee actions, which are largely unintentional but can add a great deal of risk to a business.
Security awareness training should, therefore, be a crucial part of your security framework, and should be implemented as part of an MSP’s bundled services. In addition, cybersecurity training needs to be centralized, streamlined, and implemented across client sites. Moreover, small to midsize organizations are often the soft targets that bad actors seek, and with the average cost of a breach estimated at $3.62 million according to a 2019 Data Breach Report, this specialized training should be well-received.
Virtually every business has compliance requirements, but what happens when users let that data go out the door? Training empowers users – especially when they know and take seriously that security depends on them. If a business doesn’t have knowledgeable users who understand how cybercrimes can negatively impact their business as well as their customers’ businesses, then the security tools they have don’t do much good. So, security awareness training is extremely important – and with this specialized training, the full capabilities of a security product can be maximized.
MSPs need to create an environment for clients that provides a proactive and not a reactive workforce. There are many issues associated with reactive security.
Clients need not only an environment and culture for security but also an incident response plan that provides a cohesive approach to dealing with cyberattacks. As we are now seeing with the COVID-19 crisis, there has been an uptick in breaches, and as previously mentioned, many of these attacks are aimed at more vulnerable soft targets like small to midsize businesses. Having an incident response plan in place in addition to formal security training is crucial. The plan helps businesses react, reducing reputational damage and the loss of IP, data, and money. However, having a cybersecurity policy is not enough; MSPs need to offer security awareness training that educates, supports, and empowers users.
MSPs should consider the four basic parts of security awareness training:
- Review of current threats – including how to spot phishing emails, etc.
- Review of policy and procedures – so everyone knows how to respond to specific security breaches
- Password best practices and policies – Passwords are your client’s first line of defense. Use strong, complex, and lengthy passwords and never share them. Use multi-factor authentication (MFA) if possible and provide users with tips such as not using their local high school as an authentication clue, since many people put their high school names on Facebook. Ask your employees to visit the website https://haveibeenpwned.com/ to see if they have already had their password breached, and to adjust accordingly.
- Community Involvement – When a client’s staff is fully engaged in preventing cyberattacks, cybersecurity incidents are easier to deal with and less frequent. In addition, it’s important to walk staff through the four ways to spot a phishing email:
  - Recognizing a bad domain and/or sender email address
  - Understanding the dangers of a “catchy” subject line
  - Being wary of a call to action such as a “click here” link
  - Not clicking on a “big red button”
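The password item above points users at haveibeenpwned.com. The same check can be automated for a client’s password policy without ever sending the password itself: the Pwned Passwords range API accepts only the first five hex characters of the password’s SHA-1 hash and returns every matching hash suffix with its breach count. The code below is an added example, not from the article or from Logically; the endpoint URL is the real one, but the range body used here is a constructed offline stand-in for the live response, and the live fetcher is shown only for reference.

```python
import hashlib
from typing import Callable, Dict

# Real Have I Been Pwned "Pwned Passwords" range endpoint (k-anonymity model):
# only the 5-character SHA-1 prefix leaves the machine, never the password.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}, skipping malformed lines."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password appears in known breaches (0 = not found).

    fetch_range(prefix) must return the text body served at PWNED_RANGE_URL + prefix.
    """
    digest = sha1_hex_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Live fetcher for real use (needs network); the demo below does not call it."""
    from urllib.request import urlopen
    with urlopen(PWNED_RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed offline stand-in for the API body: the real SHA-1 suffix of "password"
# with a made-up count, one constructed filler suffix, and one malformed line.
_KNOWN_BAD = "password"
_SAMPLE_BODY = "\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:3",          # constructed filler entry
    f"{sha1_hex_upper(_KNOWN_BAD)[5:]}:9545824",      # real suffix, constructed count
    "not a valid line",                               # malformed, must be ignored
])


def fetch_range_offline(prefix: str) -> str:
    return _SAMPLE_BODY  # ignores the prefix; a real client must send it


if __name__ == "__main__":
    for pw in (_KNOWN_BAD, "c0rrect-h0rse-battery-staple-7"):
        n = pwned_count(pw, fetch_range_offline)
        print(f"{pw!r}: {'seen %d times, reject' % n if n else 'not found'}")
```

Plugging `fetch_range_live` in place of `fetch_range_offline` turns this into a working policy check at password-change time, and rejecting any password with a non-zero count is the usual rule.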
And, of course, MSPs need to educate users not to use personal file sharing applications in addition to making sure that everything is encrypted. Clients should also be reminded to shred everything, notify management of any suspicious activity, and always back up all their files.
Making security awareness training a staple for MSPs and small to midsized businesses will make client organizations less susceptible to the onslaught of social engineering attacks like phishing and malware while helping your clients achieve greater effectiveness against unrelenting cybercrimes.
About The Author
R. Greg Manson is Vice President of Audit, Security and Compliance at Logically.