As cybercriminals step up their attacks, aided by AI and other technologies, it’s critical for MSPs and their clients to reinforce cybersecurity awareness efforts among their employees.
According to the World Economic Forum, 95% of data breaches can be traced to human error. Security awareness and training can help stop many types of attacks, which rely on social engineering and manipulation as much as technology skills.
With generative AI, criminals can avoid many of the traditional telltale spelling and grammar errors of phishing emails and spoofed websites. AI also helps attackers craft more convincing phishing email language based on data from employee social media feeds, company emails, and other sources.
The emergence of AI-based tools has helped criminals launch more successful attacks. So, both the MSP and their clients must train their employees to spot suspicious emails.
Recognizing Email Threats
If an email arrives asking for sensitive data (passwords, account numbers, etc.), employees should be trained to corroborate the email in person or over the phone with the sender, and to make their IT or internal security teams aware of the potential attack or breach.
Chris Crellin
MSPs and their clients should ensure that employees are aware of the level of this threat. They need to understand that ransomware attacks are increasing, as well as receive regular updates alerting them to current security threats.
CISA’s Best Practices
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) provided additional guidance on best cybersecurity awareness practices as part of its Secure Our World campaign. CISA emphasized four best practices to help staff avoid falling for a phishing attack. Those include:
- Encourage the use of strong passwords and password managers. Most users must juggle dozens of passwords. This is why many people fail to create strong passwords — they’re hard to recall. Businesses need strong password initiatives to include access to password managers to address user frustration. Strong, unique passwords will help protect accounts from being compromised, while the password manager platform will eliminate the frustration associated with forgetting those passwords.
- Enable multifactor authentication (MFA). Strong passwords aren’t infallible, so MFA plays a key role in securing network and application access. A secondary method of confirming a user’s identity can protect accounts even if a password has been compromised. For businesses, MFA should be part of the default approach to account configuration.
- Train employees to recognize and report phishing attacks. Scam emails are the primary way cybercriminals trick workers into revealing sensitive account information and data. Provide employees with training on common signs of a phishing attack. Include clear guidance on reporting attacks to the IT security team and management, as well as what to do with the email (delete, quarantine, etc.).
- Enforce software updates and patching procedures. Software updates help protect your applications from emerging vulnerabilities. Updates and patches can be managed centrally during off-hours to reduce user inconvenience or unwanted downtime. Automatic update settings can streamline this process. For complex IT environments, MSPs can help organize and prioritize these updates based on urgency and scope.
Managing Cybersecurity Efforts
Cybersecurity software and technology can only go so far in protecting networks, data, and applications. For security-centric MSPs, regular client updates and employee training are just as critical for reducing the likelihood of a successful attack and mitigating the damage.
MSPs can also leverage remote monitoring and management platforms, phishing simulation solutions, and other technologies to help streamline these education efforts.
Cybersecurity awareness should always be at the top of mind for both the MSP and their clients, and these efforts should include regular training and updates for all employees.
Chris Crellin is senior director of product management for Barracuda MSP, a provider of security and data protection solutions for MSPs. He is responsible for leading product strategy and management.
Image: iStock
