For businesses and the MSPs that serve them, achieving effective IT security requires a strategy with several layers of defense. To thwart potential breaches, most organizations understand that – at a minimum – endpoint access should be tightly controlled, data should be protected by encryption, and smart security policies should be enacted and enforced.
However strong those security solutions are, employee training should be the cornerstone of any security strategy. After all, employee behavior continues to show that it has the power to make or break most of your other security measures. Employees who follow best practices and are well-versed in recognizing security risks can greatly increase the success of a multi-layer security plan. On the other hand, if an employee fails to safeguard their passwords, leaves credentialed sessions unattended, or falls for email scams, then no security technique can fully protect a business from harm.
Employee training is becoming even more critical in the wake of increasingly sophisticated and convincing phishing and spear phishing attacks. Criminals are now exploiting detailed personal data — collected from the dark web and social media profiles — to approach a targeted business’s employees with complex social engineering scams.
For example, attackers will impersonate managers and executives within the organization, and send spear phishing emails to employees that appear to be genuine. These emails will include the scammer’s instructions, which may direct the employee to wire company funds to a false account controlled by the scammer, or to send sensitive company data or personal information such as employees’ W-2 forms. Scammers will then leverage any and all sensitive data gained to carry out further fraud.
Going even further, many attackers are increasingly seeking to gain control of company email accounts, either to deliver scam emails to employees through fully genuine channels, or to carry out highly effective attacks on a company’s own users. For instance, these business email compromise attacks can escalate from targeting employees to targeting customers, exploiting email records of past transactions to send a customer a request to “confirm their security credentials.” Doing so, of course, allows the criminals to gain even more confidential data to use for malicious purposes. Needless to say, customers will not be pleased with a business whose compromised account was used to expose their data.
How can MSPs help?
It’s crucial for MSPs to equip their clients with highly capable employee training solutions that prepare employees to recognize and avoid falling prey to the latest, most sophisticated phishing threats. It can’t be assumed that all employees understand good IT security hygiene, and that is where MSPs can play a role. Security-minded MSPs can and should introduce tools that let them manage training regimens and track and certify the progress of individual employees. Employees can be trained to follow best practices for identifying nuanced phishing scams and other deceptive threats, securing passwords and access points, and adhering to the business’s established policies. Employee training tools (built for MSP portfolios) also make it possible to test client employees in live situations after their training, sending them realistic simulated phishing emails to check that their behavior truly supports security.
As the practices of scammers continue to evolve and their attacks become more dangerous, MSPs and the businesses they serve will need to be even more diligent in adapting their solutions and practices to counter whatever comes next. MSPs can also help their clients put more secure policies in place, for example by requiring multiple approvals in order to wire funds or share sensitive information, so that a single employee’s behavior cannot result in a loss for the company. With phishing — and spear phishing — scams on the rise, the human factor is perhaps just as important as any piece of security software. Protecting against it will add a progressively critical layer to an MSP’s security offering.
Photo: wk1003mike / Shutterstock.