Just about everybody agrees end-user training is the best defense against spear phishing and other types of cybersecurity attacks that rely on social engineering. The trouble is finding someone to provide that training at a time when cybersecurity professionals are chronically in short supply.
A new survey of 634 cybersecurity professionals conducted by Barracuda Networks finds 90 percent said end-user training was critically or very important and 77 percent said their organization engages in training end users to recognized phishing and spear phishing attacks. Only 44 percent of those organizations that provide this training rely on a third party to provide it.
Reliance on third-party providers is relatively low for a number of reasons. The survey is weighted to organizations that have internal cybersecurity staff. There may also be no funding available to provide that training, or the organization is simply unaware alternative approaches exist. The survey results make it clear the smaller the company, the less likely it is they’re going to have the expertise and resources available to train end users.
Growing security needs
The quality of that training is also going to vary widely. Few organizations have invested in phishing simulation software that provides a mechanism to consistently train end users to identify the latest social engineering techniques being employed by cyber criminals. The survey notes that phishing simulation (63 percent) followed by social engineering detection (62 percent), email encryption (60 percent), and data loss prevention (59 percent) top the list of capabilities desired most by the cybersecurity professionals surveyed.
84% of #cybersecurity pros said their source of concern is employee behavior @SmarterMSP
In fact, the survey notes that overall both the cost and severity of email-based cybersecurity attacks has risen sharply over the past 12 months. A full 87 percent of IT security professionals surveyed said their company faced an attempted email-based attack in the past year, and 81 percent said the frequency of such attacks has increased in the past year. A total of 81 percent said the overall cost of an email security breach is increasing, and the biggest source of concern for cybersecurity professionals is employee behavior (84 percent).
It’s also worth noting the survey finds social engineering attacks are becoming more targeted as cyber criminals begin to zone in on finance departments. Nearly a quarter (24 percent) identified the finance department as being the most vulnerable to these types of attacks.
Cybersecurity training opportunities
End-user cybersecurity training represents a major opportunity for managed service providers on multiple levels. Besides the revenue generated by delivering the training, it puts MSPs in a position to become a trusted cybersecurity advisor capable of delivering a variety of cybersecurity services.
Most organizations today have a firewall in place along with anti-virus software deployed on endpoints. But beyond those fundamental cybersecurity technologies, usage of other cybersecurity technologies drops off sharply largely due to a lack of resources and expertise. MSPs that investment in, for example, being able to implement data loss prevention technologies or integrate data protection services in a way that combats ransomware are going to be sought after.
The challenge, of course, is acquiring that expertise in the first place. But unlike many other technologies, the return on investment associated with gaining that expertise grows exponentially over time. Arguably, the best way to advertise that expertise once it’s gained is to provide cybersecurity training services to end users at a time when the need for that training has never been more acute.
Photo: KC Jan/Shutterstock.com