to help their clients with their cybersecurity strategies and solutions. It's more important than ever to be aware of and stay on top of the latest threats, to best advise and protect clients as well as your own business.
“Approximately 97% of employees across multiple industries cannot recognize a sophisticated phishing email.”
PHISHING AT A GLANCE
passwords can open the door to cyberattacks. An identity and access management (IAM) tool can combine single sign-on (SSO), multifactor authentication (MFA), and password management into one integrated solution. Another option is passwordless authentication, which removes the risks that come with passwords themselves. It verifies a user's identity with biometrics, such as fingerprints, or with one-time passwords (OTPs): codes delivered by email, SMS, or an authenticator app that the user must enter to sign in. One caveat worth giving clients: a code sent by email or SMS, or generated by an authenticator app, can still be captured by a phishing page that relays it to the real site within the code's validity window, so OTPs raise the bar but are not phishing-resistant. Methods that bind the credential to the site's origin, such as FIDO2/WebAuthn passkeys, are.

Finally, an organization is only as strong as its people. Security awareness training is no longer a "nice-to-have"; it is a necessity, and one that MSPs can offer as a service. By increasing security awareness, an organization can reduce its chance of having a cybersecurity incident by up to 70%. Security awareness training should be offered when onboarding employees. After that, simulated phishing campaigns should be carried out monthly, since research shows that trained employees start losing what they learned 4–6 months after each session.

Changing Mindsets Is Part Of The Strategy

It's hard to argue against cybersecurity training, given the threat landscape, but it can be burdensome. For this reason, many organizations and their employees do not prioritize it, or skip it altogether. The opportunity for MSPs to offer the training is ripe, with the easy sell that a cyberattack can result in lost revenue, reputational damage, compromised data, operational disruption, and even lawsuits.

To engage employees in company training so they don't see it as a chore, it needs to be simple. Training should be delivered in easy-to-digest formats, such as short videos. The ideal length is 15–30 minutes, to maximize retention of what was learned. When it comes to compliance topics, there may be a lot of ground to cover. Rather than making sessions longer, break them up into two or more segments.
Whatever the subject matter, training should always focus on one main idea and provide sample scenarios in which participants are asked questions to test their knowledge of best practices.

Another thing to keep in mind is that there are many types of cybersecurity training, each targeting a different aspect of security. Topics such as clean desk policy, strong password practices, and how to avoid phishing scams fall under training for protecting credentials, while data privacy training covers privacy risks and secure connections. Other useful topics range from physical security to threats such as ransomware, account takeover, and business email compromise. With many employees still in remote or hybrid work arrangements, mobile security training is equally critical: it teaches them how to secure their mobile devices and covers Wi-Fi security, device management, and backups for mobile.

Phishing is not going anywhere, and attacks are only getting more sophisticated. There is tremendous opportunity for MSPs
• 1 in 3 employees are likely to click the links in phishing emails.
• 1 in 8 employees are likely to share information requested in a phishing email.
• 60% of employees opened emails they weren't fully confident were safe.
• 45% click emails they consider to be suspicious "just in case it's important."
• 45% of employees never report suspicious messages to IT for review.
• 41% of employees failed to notice a phishing message because they were tired.
• 47% of workers cited distraction as the main factor in their failure to spot phishing attempts.
Manoj Srivastava is the general manager of security for Kaseya's ID Agent and Graphus companies. He co-founded Graphus and was its CEO before it was acquired by Kaseya. Learn more about how to prevent phishing attacks by visiting Graphus.ai or IDAgent.com.
MSPSuccessMagazine.com/cyber2022