The most significant risks to your SMB customers don’t always come from threats with catchy names like WannaCry. Instead, the biggest threats can come from sources with names that are often more mundane, like “Paula in Accounting” or “Dave in Purchasing.” That’s because the most acute cybersecurity risk in any organization comes from within. Yes, Russian hackers can do their thing and need to be monitored, but Paula in Accounting can be even more menacing.
Paula and Dave don’t need to be nefarious actors. Chances are they’re just opening that video of cute puppies riding a unicycle that a friend sent them, or carelessly setting their password to ‘12345.’
In a study released in 2017 by Keeper Security and the Ponemon Institute, which surveyed 1,000 IT professionals, 54 percent said careless employees were the root cause of cybersecurity incidents. A study conducted by the London consultancy Willis Towers Watson put the number higher, finding that 90 percent of all cybersecurity incidents stemmed from some type of human error.
Anthony Dagostino, the head of global cyber risk at Willis Towers Watson, shares, “the simple truth is that a data compromise is more likely to come from an employee leaving a laptop on the train than from a malicious criminal hack.”
Mike Davis, the chief information security officer of Alliantgroup, a national tax consulting firm, concurs with the number put out by Willis Towers Watson.
“The human element of cyber risk is the major cause of 90 to 95 percent of security incidents,” Davis shares.
How to mitigate internal risk
So, what can an MSP do to mitigate this internal risk within their customers’ businesses?
“They need to tune their MDR (managed detection and response) capabilities to the frequency and attributes of accidental data spillage as a dedicated use case,” Davis says. Target that threat vector with a correlation engine and data logs that focus on the most likely “poor user.”
“Once the poor user has been identified, then the key is to try to preempt poor practices that can be stopped, yet not inhibit business productivity,” Davis says, including education and warnings on key risky behaviors.
“The key to the above points is to mimic the usual typical threat space with poor user characteristics. Then instead of reducing the alert overload, they provide an enhanced monitoring lens for poor user behavior,” Davis shares.
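A minimal version of the correlation logic Davis describes, as an added example that is not code from the article, from Alliantgroup or from any MDR vendor: risky-event types, their weights, the trailing window and the sample log lines are all constructed here to show how a rule can surface the likely “poor user” from accidental-spillage indicators rather than from alert volume.

```python
"""
Added example: rank users by accidental data-spillage indicators over a trailing
window. Event names, weights and log lines are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed weights: how strongly each event type hints at accidental spillage.
RISK_WEIGHTS = {
    "dlp_block": 3,              # DLP stopped a sensitive file leaving
    "external_attachment": 2,    # attachment mailed to a non-company domain
    "removable_media_write": 2,  # file copied to USB
    "phish_click": 3,            # clicked a (simulated or real) phishing link
    "weak_password": 1,          # password failed the policy check
    "login": 0,                  # normal activity, carries no risk weight
}

# Constructed sample log lines: "<ISO timestamp> <user> <event>"
SAMPLE_LOG = """\
2024-03-04T08:01:00 paula dlp_block
2024-03-04T08:05:00 paula external_attachment
2024-03-04T09:20:00 dave login
2024-03-04T10:42:00 paula phish_click
2024-03-04T11:00:00 dave removable_media_write
2024-03-05T08:30:00 paula external_attachment
2024-03-05T13:15:00 dave login
2024-03-20T09:00:00 dave weak_password
""".splitlines()


def parse_line(line):
    """Split one constructed log line into (timestamp, user, event)."""
    ts, user, event = line.split()
    return datetime.fromisoformat(ts), user, event


def score_users(lines, window_days=7, now=None):
    """Sum risk weights per user over a trailing window.

    Returns {user: (score, [weighted events seen])}. `now` may be an ISO string
    or a datetime; it defaults to the newest event in the log.
    """
    events = [parse_line(l) for l in lines if l.strip()]
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    if now is None:
        now = max(ts for ts, _, _ in events)
    cutoff = now - timedelta(days=window_days)

    scores = defaultdict(lambda: [0, []])
    for ts, user, event in events:
        if ts < cutoff or ts > now:
            continue                      # outside the window, ignore
        weight = RISK_WEIGHTS.get(event, 1)  # unknown event types get a small default weight
        scores[user][0] += weight
        if weight:
            scores[user][1].append(event)
    return {u: (s, evs) for u, (s, evs) in scores.items()}


def flag_poor_users(lines, threshold=5, **kw):
    """Users whose score meets the threshold, highest score first."""
    ranked = sorted(score_users(lines, **kw).items(), key=lambda kv: -kv[1][0])
    return [(u, s) for u, (s, _) in ranked if s >= threshold]


if __name__ == "__main__":
    for user, (score, evs) in score_users(SAMPLE_LOG, now="2024-03-06T00:00:00").items():
        print(f"{user}: score={score} events={evs}")
    print("flagged:", flag_poor_users(SAMPLE_LOG, now="2024-03-06T00:00:00"))
```

The weights and threshold are the tuning knobs Davis refers to: raising the weight of the events that actually precede spillage in a customer’s history, and lowering the rest, narrows the lens to the behavior that matters instead of adding to the alert pile.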
Mark Heckman, professor of practice at the University of San Diego’s Center for Cybersecurity Engineering and Technology, points out that the non-nefarious employee actions don’t have to be rooted in carelessness. Some fall prey to very slick scams.
“Phishing emails can be quite sophisticated. They can fool even trained and experienced people,” Heckman tells SmarterMSP. Heckman shared a few recommendations for MSPs looking to head off employee blundering:
COMPARTMENTALIZE: Isolate the information and the user system so that it is more difficult for an attacker to pivot from the hacked system and leverage their success to obtain more access. A managed service provider has to build strong walls between its customers, and also between its own internal systems and the systems it manages.
ACTIVE INTRUSION MONITORING: Sufficient resources should be allocated to systems that work. Despite all of the money spent on, for example, user training, the systems that we work on are fundamentally unsecured. We can’t prevent all intrusions, so we have to work hard to detect them after (or, preferably, as) they happen. The bad guys quickly adapt, so it becomes a game of defense.
BE CONSISTENT WITH SECURITY: Demand that anyone who has access to your network, even third-party vendors, implement at least the same level of security that you have. Alternatively, if they fail to do that, at least compartmentalize their access. The temptation to skimp on these steps is great because they do take resources and planning, and that could impact productivity. It is difficult to measure the money saved from all of the attacks that didn’t happen, which is why these strategies are usually only partially carried out, if at all, due to an inability to correctly estimate the risk.
Where MSPs need to shift their focus
Dr. Steven Furnell agrees that heaping blame on “misfits” and “malcontents” for security breaches in the office isn’t necessarily where an MSP should be focusing.
“The core issue is very often people who make mistakes, get tricked, or don’t know any better,” says Steven Furnell, the associate dean for International and Postgraduate Faculty of Science and Engineering at Plymouth University in England. Furnell tells SmarterMSP that the sorts of things that come into play here include people choosing guessable (or crackable) passwords, failing to apply updates, clicking their way into trouble on the web, and getting duped by phishing scams. These, in turn, provide the opportunity for attackers and malware to gain a foothold.
An MSP clearly has the potential to cover some aspects — such as enforcing good password practices, maintaining appropriate update and patch statuses, and preventing access to blacklisted sites and domains. Indeed, taking care of some of these baseline technical aspects can provide a safety net against many employee errors.
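One of the baseline controls named above, enforcing good password practices, written as an added example that is not from the article or from any MSP tooling: a policy check that rejects the guessable passwords Furnell describes. The blocklist entries, the minimum length and the rule names are constructed for illustration.

```python
"""
Added example: a baseline password-policy check an MSP could enforce at account
creation or reset. Blocklist and thresholds are constructed, not a vendor policy.
"""
import re

# Constructed: a handful of entries of the kind found in leaked-password lists.
BLOCKLIST = {"12345", "123456", "password", "qwerty", "letmein", "welcome1"}


def has_sequential_run(pw, length=4):
    """True if pw contains `length` consecutive characters stepping by +1 or -1
    (e.g. '1234', 'dcba'), case-insensitively."""
    s = pw.lower()
    for i in range(len(s) - length + 1):
        chunk = s[i:i + length]
        diffs = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def has_repeated_run(pw, length=4):
    """True if the same character repeats `length` or more times in a row."""
    return re.search(r"(.)\1{%d,}" % (length - 1), pw) is not None


def check_password(pw, username="", min_length=12):
    """Return the list of rule names the password fails; an empty list means it passes."""
    failures = []
    if len(pw) < min_length:
        failures.append("too_short")
    if pw.lower() in BLOCKLIST:
        failures.append("blocklisted")
    if username and username.lower() in pw.lower():
        failures.append("contains_username")
    if has_sequential_run(pw):
        failures.append("sequential_run")
    if has_repeated_run(pw):
        failures.append("repeated_run")
    return failures


if __name__ == "__main__":
    for candidate, user in [("12345", "paula"), ("paula2024!!", "paula"),
                            ("correct horse battery staple", "dave")]:
        print(repr(candidate), "->", check_password(candidate, user) or "ok")
```

Returning the failed rule names rather than a bare yes/no lets the user-facing message explain why a password was rejected, which is the awareness piece the next paragraph argues the technical control needs.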
Having said this, it will be even more effective if accompanied by a credible level of employee awareness and training, to ensure that customers appreciate the reason for some of the user-facing security controls and understand how to use them.
Photo: wk1003mike / Shutterstock.