Evolving threats highlight the continued importance of security awareness training.

3 Min Read
Security awareness training
Getty Images

When it comes to cybersecurity threats, most organizations’ biggest weakness is employees who may inadvertently fall victim to phishing or malware attacks. Why? Usually it’s because they lack information—and security awareness training.

Remember the saying, “You don’t know what you don’t know?” Although it sounds like one of Yogi Berra’s malapropisms, the phrase appears to have originated with former Secretary of Defense Donald Rumsfeld. The concept is related to the Dunning-Kruger effect, a form of cognitive bias that causes people to overestimate their knowledge or abilities.

And when it comes to cybersecurity, what most of your clients’ employees don’t know could fill a book–a book that gets re-written every few weeks. That’s why security awareness training is so critical in combating these increasingly complex attacks.

Cybercriminals continuously improve their attacks to ensure higher levels of success. Phishing has evolved into spear phishing and other variations, with attacks leveraging trusted credentials and human psychology to steal information. Gateway-based security solutions are now more of an inconvenience to attackers rather than a true obstacle.

More advanced attacks that involve business email compromise (BEC) and other types of credential theft are difficult for these systems to recognize. Security awareness training combined with advanced security solutions that leverage artificial intelligence (AI) can be much more effective.

Security Awareness Training Fills the Security Gap

Employees have been conditioned to watch for obvious phishing scams like emails from Nigerian royalty or inquiries from obviously fake accounts. BEC attacks are much more difficult for them to spot because they look like a legitimate message from a familiar account. And while these attacks make up just 7% of all spear-phishing, they are incredibly costly. FBI estimates put the damage at roughly $26 billion over four years.

By providing employees with more guidance on recognizing these attacks, and then backing up that training with AI-based solutions that can spot fraudulent emails, MSPs can help reduce the likelihood of a successful attack.

A recent Barracuda report on spear phishing outlines how to spot attacks, as well as security tools and approaches that enable MSPs to protect client networks better. Those tips include:

Educate employees about detecting advanced BEC and spear-phishing attacks. Help those employees learn some of the tell-tale signs of an advanced BEC attack. While the accounts used in these attacks are familiar and legitimate email accounts, the requests being made by attackers are often unusual: requests for money or file transfers that are outside of the ordinary course of operations. Employees should learn to evaluate and question any request that seems out of the ordinary, or that involves the transfer of sensitive data or cash.

Reinforce training with firm policies. There should be processes and protocols in place that put additional operational safeguards around these data and money transfers. Where possible, email requests should be prohibited for purchasing and financial transactions. There should be multiple levels of approval, preferably with in-person or phone-based interactions.

Implement AI and machine learning technologies. Using AI-based security solutions, even highly advanced attacks can be thwarted. Solutions like Barracuda Sentinel leverage AI to learn typical communication patterns based on each user and then evaluate emails to check for anomalies that a human might miss. This helps further detect and prevent attacks.

Prepare to respond quickly to attacks. Once employees are trained to spot attacks, they should also be educated on reporting them, so that the cybersecurity team can promptly mitigate and respond to potential damage. Regular security awareness training helps update employees about the types of threats they may encounter and ensures that they are equipped to report them accurately. Automated incident reporting solutions can also help streamline this process and remove malicious messages before anyone else can open them.

Employees may be the weakest link in the security infrastructure. Still, they can also be an essential asset in spotting and stopping cyberattacks—provided they are given adequate security awareness training and the right tools.

Brian Babineau is Senior Vice President and General Manager for Barracuda MSP. In this role, he is responsible for the company’s managed services business, a dedicated team focused on enabling partners to easily deliver affordable IT solutions to customers.

This guest blog is part of a Channel Futures sponsorship.

Read more about:

MSPs
Free Newsletters for the Channel
Register for Your Free Newsletter Now

You May Also Like