MSPs Must Strengthen the Human Element in Cybersecurity

Author: Matt Scully, channel chief, Mailprotector

People remain the biggest threat to businesses’ defenses. Research consistently shows that human error is responsible for 50% to 60% of breaches or other cyberattacks, and most companies identify employees as their most significant risk factor. People are also the most difficult risk to control.

No matter how ingenious the cybercriminal or weak the security solutions, the lack of employee awareness and (in some cases) ineptitude remain a significant concern for many organizations today. No one has the magic bullet to stop people from making poor decisions at the absolute wrong times.

Compounding that problem is the decline of personal responsibility. Many small companies fail to make employees accountable for their poor cybersecurity practices in this era of empowerment. The stories MSPs share in online forums are shocking. From end-users (business owners, in some cases) surfing porn on company laptops to those repeatedly opening what are obviously phishing emails, too few will ever receive a reprimand, and providers are almost always left to clean up the mess.

The shift to remote work exacerbates those issues. Relatively few SMBs have electronic policies in place, adequately monitor their employees’ computer-related activities, or mandate cybersecurity training for all employees. Each of those lapses increases the risk of human error.

Strengthen ‘People Defenses’ for Your Clients

Every MSP understands the vital role employees play in their customers’ cybersecurity efforts. The unknown piece of the equation is how providers can positively influence end-users’ understanding of the risks and help them make smarter decisions, and implement tools that can overcome some, if not all, of their mistakes.

Education is essential. Cybersecurity training for all employees should be standard in today’s environment. Even without the increased risks associated with WFH and hybrid workplaces, every business is a target, and the escalation of phishing attacks continues to raise the threat level.

People need to understand the methods cybercriminals use and how those techniques are evolving to trick unsuspecting individuals into opening infected files or clicking on links to websites laden with malware. Malicious actors depend on end-users not following email security best practices to carry out their attacks.

MSPs must strongly encourage (or, better yet, mandate) their clients to implement end-user training to even the playing field. However, no matter how critical it is to ensure these programs are part of the defensive mix, today’s risk environment demands additional safety precautions.

Layer Protections to Minimize the ‘Human Factor’

There is no possible way to completely block cybercriminals from breaching your clients’ networks. The bigger the target, the harder they will work to get through the defenses, as demonstrated by the recent attack on FireEye. State-sponsored hackers made off with the cybersecurity company’s penetration testing and assessment tools.

Imagine how businesses with less formidable levels of protection would fare against those attackers. While your clients may not be as big of a target as a company that works tirelessly to stop cybercriminals, every business is vulnerable today. Layered defenses will ease some of the pressure.

While nothing you do can guarantee hard-driving hackers will never break through the protections, a comprehensive set of cybersecurity solutions can deter cybercriminals and encourage them to seek out more vulnerable victims. Defensive solutions in that stack may include:

  • End Point/End User Protection
  • Firewall/Unified Threat Management (UTM)
  • Email Filtering
  • Email Archiving
  • Email Encryption
  • Web Filtering
  • Data Encryption
  • Mobile Security

Policies Influence Human Behavior

Most people need, or at least appreciate, workplace rules. Guidelines help set employee expectations and give them a framework within which to operate. Electronics policies provide that direction for workers, eliminating confusion about the acceptable uses of company-supplied technologies. These requirements may cover where, when, and how to utilize their assigned devices, as well as work-related activities using their own PCs, laptops, smartphones, and other equipment.

Each of your clients needs an individualized electronics policy. A well-designed set of guidelines will not only eliminate confusion for end-users but also give MSPs a structure for enforcing the rules. Cybersecurity best practices should be clearly spelled out in these policies.

Clearly defining and monitoring these rules is critical, as is effective enforcement, with substantial penalties for those who fail to comply. MSPs can reduce ‘human error’ by helping their clients construct, adopt, and periodically update electronics policies.

Emphasize the People Element

End-users are the ‘boots on the ground’ MSPs need to prevent successful cyberattacks on their clients’ businesses. The better prepared workers are to identify and take action against phishing and other potential security vulnerabilities, the less time your team will spend remediating data breaches.

When they know more, your managed services team will likely work less. People truly are the key to your success. When you get your clients to invest in the right training and tools to fortify their defensive posture, it reduces stress for everyone while boosting your monthly recurring revenue.

One of the best ways to stop cybercriminals is to focus on the people who make up the first line of defense. Provide easy, yet effective training programs and simple but powerful tools to protect their company data. For example, Mailprotector’s Bracket email encryption requires minimal effort to use, yet the solution ensures messages and attachments are only visible to senders and recipients. So simple that anyone can and will use it.

Enabling people with these types of tools makes work (and life) better for everyone, except cybercriminals.


Author Matt Scully is channel chief at Mailprotector.

1 Comment


    John Klassen:

    Shaming the end users misses the point.

    We want perfect security for our organizations, but our users aren’t perfect. The SANS blog RSA: The Human Element captures the essence of the problem. To paraphrase, humans are a high risk yet cybersecurity is not the average user’s primary job.

    Don’t expect employee training, by itself, to fix this problem. Four percent of users will click on a malicious link in a phishing email, no matter what. No user, not even the cybersecurity experts at MSPs, is perfect at detecting phishing links. Hackers just need one user to click on one bad link to enter the organization and move laterally.

    Fortunately, user productivity must no longer be a cost of security. Now organizations can prioritize protecting users from the bad things that happen when they click links. More than 80% of organizations today rely on web-hosted services for which the browser acts as the endpoint. Simply shifting our focus from detection to prevention through browser isolation will have far-reaching effects.

    MSPs can’t stop users from clicking because users have to click to do their work. But they can stop bad things from happening when users click bad links.
