The IT security threat landscape moves at a supersonic speed as cybercriminals and security vendors volley back and forth trying to get the upper hand. Behind the scenes, however, another threat lurks within your customers’ businesses, a problem that has been around for as long as computers and the Internet and is still overlooked: your customers’ employees. A study released last year by CompTIA, based on input from more than 700 executives and business professionals, found that human error accounted for 52 percent of security breaches. According to the same study, only 54 percent of those surveyed said their company offers some form of cybersecurity training.
In a world where everything is changing, user behavior can be surprisingly obstinate. For managed services providers (MSPs) selling fixed-fee services, their profit margins depend on users’ behavior as much as their security technology. Simply put, if MSPs want to build a thriving business, they must minimize downtime caused by customer errors. Part of this goal requires MSPs to take an active role in filling a security education gap that exists in so many companies today. Here are three tips from our recent e-book, “The MSP’s Complete Guide to Cyber Security,” that can help ensure that your training program hits the mark.
1. Focus on the Biggest Security Culprits and Threats
Despite the fact that there are hundreds of thousands of malware threats and infected websites employees could fall prey to, focusing on the basic principles of security will be most effective and will lend itself to a better user experience. Here are two common types of errors you should teach customers’ employees to avoid:
- Post-It Notes. Look around a client’s office, and you are likely to find at least a few desks with sticky notes full of passwords in plain view. This practice provides easy access to sensitive information to people who should not have it, such as disgruntled employees or thieves.
- Email — Links and Attachments. Cybercrime has evolved since the days of the mysterious dethroned prince looking for help moving bundles of cash into a secure offshore bank account. Today’s phishing attacks mimic known banks and shipping companies and have higher success rates in getting unsuspecting users to take the bait. Make sure your training instills healthy skepticism about opening attachments or clicking on links from any entity the user did not request information from. Another good rule to keep in mind here is that if you’re not sure the email is real or fake, visit the company’s website and log in there rather than clicking the link in the email.
2. Provide Examples and Visuals
Rather than just talking about malware and other cyber threats, show your audience examples of suspicious emails and websites. Here is a website that illustrates adware examples along with other potentially unwanted applications (PUAs). Additionally, you can use this phishing quiz from Consumer Reports, which includes examples of infected and legitimate emails and websites and explains how to tell the difference.
Once ransomware has infected a computer, a message is displayed on the screen letting the user know their machine has been compromised. Examples of these messages can be found here. It’s helpful to share this type of information with your customers as well so that, even if it’s too late, they’ll know to alert you and ask for help.
3. Hold Customers Accountable
Some of your customers may not be open to a 30-minute in-person training session to review security best practices. That’s okay; there are a number of online, self-directed programs available that employees can use to get up to speed on this important topic, including the “Internet Safety for Enterprise & Organizations Toolkit,” available free from Microsoft. However, if you plan to use the self-directed training approach, be sure to build in accountability. One way you might consider doing this is by meeting with your customer and discussing adding the training requirement into your managed services agreement. For example, the part of your SLA that discusses a flat monthly rate and unlimited support could be updated to include the caveat, “If an IT problem is determined to be caused by human error and the culprit has not completed the internet security IQ quiz, the customer will be billed at the hourly break-fix rate.”
While some MSPs may worry that this could create a contentious relationship with the customer, it does not have to be that way, especially if your customer understands the importance of protecting its data and intellectual property and that technology alone cannot accomplish this. Their employees play a key role in keeping their business secure. You’re not asking them to be perfect, just responsible.