How MSPs Can Address Security’s Human Factor
Eighty-one percent of MSPs deliver some level of security to clients, according to CompTIA. But how good are MSPs at addressing the human factor?
IBM estimates human error contributes to at least 95 percent of security incidents, while Verizon has concluded mistakes by internal staff, especially administrators, were “prime actors” in more than 60 percent of incidents. While most of those insider threats result from negligence rather than malice, the outcome is the same – a vulnerable IT environment.
Technology alone cannot solve this problem because no amount of software or hardware can stop humans from making mistakes. In its 2015 Data Breach Investigations Report, Verizon found 23 percent of recipients open phishing messages and 11 percent go a step further by clicking attachments.
Fixing the users
Stopping these behaviors requires good training. And that’s something MSPs can help clients deliver to their users.
Typically, MSPs provide security as an embedded function in their RMM platform, such as patch management and endpoint security. In some cases they may deliver higher-level services such as identity and password management. These are all essential security functions to have, but do not adequately address the human factor. It takes only one user to click a phishing email to unleash an infection that brings a company’s network to its knees.
How to address the threat
Security remains one of the biggest obstacles to adoption of cloud and managed services. Ironically, cloud and managed services can strengthen a company’s posture by centralizing and standardizing security practices and controls.
And that’s the first point MSPs need to make to customers: Unified security management is a good thing.
Secondly, MSPs can play a key role in helping SMB clients identify threats. Although breaches at well-known brands such as Sony, Target and Staples tend to grab all the headlines, cybercriminals also attack smaller, lesser-known companies. Every business has valuable data that cybercriminals covet – something that SMB decision-makers don’t always grasp.
Understanding the threat is the first step toward effective protection. The second is to evaluate which data requires which level of protection, which users need access to the most sensitive data, and how to manage that access.
Then comes the matter of educating users. Incredible as it may seem, security training often gets short shrift, even after the Sony and Target breaches exposed millions of users’ private data. “Only 54 percent of companies offer some form of cybersecurity training, with the format mostly being new employee orientation or some kind of annual refresher course,” CompTIA said in its 2015 “Trends in IT Security” report.
With help from MSPs, businesses can and should do better. Users need training on how to avoid common threats such as phishing and risky behaviors such as sharing passwords and leaving computers unattended.
When users fall prey to cyber schemes, it’s often out of curiosity or a reflex, so they need to be told about the consequences of such unthinking behavior. They need to learn how to spot threats and follow proper security practices, such as alerting IT about a possible phishing email. And when they complete their training, they should be required to sign a document stating that they understand their employer’s security policies and the consequences of violating them.
Building Trust through Security
By helping clients address security’s human factor, MSPs can start to dismantle one of the main obstacles keeping businesses away from the cloud and managed services. Security concerns will always exist, but if you show clients you have a handle on the problem, you will gain their trust and business.
Pedro Pereira is a Massachusetts-based freelance writer with two decades of experience covering and analyzing the IT channel and technology. He can be reached at firstname.lastname@example.org.