Complacency is a formidable enemy. You have a robust patching regimen, an educational component to your MSP offerings, pen testing, and you segment data so that an attack on your client’s system can be contained and quarantined. It’s easy to think you’re doing all you can.
MSP security, however, is much more complicated than it used to be back when there were a couple of attack surfaces to secure, and that was it. Today, an MSP must be part cyber-warrior, part therapist, and part teacher to fend off all the various threats. Even the best of the best can still get burned.
With IoT, smartphones, social engineering, and sometimes just plain human laziness, an MSP is often more at the mercy of humanity than technology. Still, if security is an odds game, there are some steps you can take to tilt the odds in your clients’ favor. One of those steps is being aware; not just of the obvious cyber threats, but of the not-so-obvious ones also.
Malware is ever evolving, and there are ways systems can be infected that you could be excused for not putting on your MSP radar. Here are five threats you shouldn’t dismiss:
Videos
Videos are not traditionally seen as a threat, but malware can lurk in videos of cute puppies. Worse, you may be duped into watching a malware-laced video that everyone is sharing. Security Intelligence recently outlined the danger that video malware is posing:
Because of the irresistible appeal of videos, threat actors have been using the promise of video for many years. One common way to trick people into clicking on a malicious link is to ask, “Are you in this video?” The idea that an embarrassing video of yourself is publicly circulating can compel otherwise educated and rational people to open a video or click on a link, just to be sure. This tactic is common on major messaging platforms, where attackers can make it seem like a friend or colleague sent the video or link.
Once the video is clicked, all sorts of nasty payloads can be delivered.
Solution: Warn your clients about these social engineering techniques. The more socially engineered a plea-to-click seems, the more likely it’s a bad apple.
Smartphones
Phones can often seem impervious to malware, but it is this very casual attitude that can sow the seeds of trouble. People view their phones as practically an appendage, not a cyberthreat. However, there are plenty of programs that can install malware on a phone that stays dormant, until someone decides to use their laptop to charge their phone. Then, the malware is automatically activated and can potentially breach your client’s network.
Solution: Implement a ‘no connecting personal to work devices’ policy. This doesn’t mean employees can’t BYOD, but the two networks should never connect. There’s too much risk.
Browser extensions
Extensions are something that have been flying under the radar, but people use them in Chrome to enhance various online experiences. Many of the extensions are perfectly harmless, but others may well be logging keystrokes, stealing passwords, and harvesting information from enterprise employees.
All of this can be used for nefarious purposes if it falls into the wrong hands. Since extensions are browser-based, malware delivered via an extension won’t cause your files to be exposed. The damage is usually limited, but it’s the long game that security experts watch.
Solution: Make sure clients know the risks extensions pose and encourage people to be selective.
“Sneaky” services
There are many legitimate reasons to search for background information about a person. Insurance companies, trusts, credit scoring agencies, and human resource managers are all entities that may need to conduct background checks.
However, many services promise access to databases after you first install particular files or video players to view the records. Once these “viewer files” are installed, it could be open season on your client’s system. These files can sometimes be trojans or other malware that can be unleashed.
Streaming services are less an issue in the workplace than at home, but if there are employees trying to download movies on work computers, your client may have bigger problems to deal with than security.
Solution: Make sure your client has a streamlined procedure for background checks and research.
Surveys
Many surveys are what they say they are: ways to learn more about the user and to legitimately gather data. These are often harmless technically, and that is what makes them so irresistible. Others are more nefarious. In some cases, they can be used to harvest information that then is weaponized.
A common way to weaponize a survey is for hackers to create one from a company that is a known quantity. Once the survey-taker starts clicking links and divulging personal details, then a potential cyber catastrophe could be unleashed. SaskTel recently issued a warning about a fake survey that was using their logo and targeting their customers. This is a pretty typical form that survey malware takes.
Solution: Make sure employees are aware of the underlying motives and potential weaponization of survey information. Encourage clients to take surveys only from known entities.
Cyber security is constantly changing. While these five things should be watched now, there could be five completely different threats that emerge next year.
Photo: Art tools design / Shutterstock