Hot Tips and Trends in Security Training for 2019
According to a recent Channel Futures IT Security Trends Survey, training end-users to spot phishing is highly successful in thwarting some attacks.
End-user training and education are responsible for a marked decrease in exposure, said 30 percent of IT practitioners and 43 percent of channel pros in that survey. But there’s still more work to be done to throttle new and increasingly sophisticated phishing and social engineering attacks. Here are hot tips and trends MSSPs should focus on or add to their training curricula for 2019 to improve both their clients’ outcomes and their own bottom lines.
Specialized training courses on mobile phishing. Mobile phishing is on the rise, chiefly because it is unexpected and therefore more successful, on average. If you want a good update on the latest tactics in combatting and stopping mobile phishing, check out this Channel Partners webinar on demand – “Mobile Phishing Attacks: Spot, Block & Control” – with David Richardson of Lookout.
Because mobile phishing is relatively new, most organizations have not yet educated their employees to increase awareness, let alone train them to spot such attacks. Consider giving specialized courses on the topic or adding an educational track to your existing phishing training curriculum to quickly build your client’s defenses.
“As far as new training, I am encouraging companies to focus on some of the unique issues that come up with mobile-device users,” said Mark McCreary, chief privacy officer and partner at the law firm Fox Rothschild LLP.
“For example, if an employee receives an email in the office, it is easy to see that a sender is actually ‘Mark McCreary (firstname.lastname@example.org).’ However, that can be far more difficult to detect on an iPhone or Android device because only ‘Mark McCreary’ is displayed as the sender. Employees need to understand this and get in the habit of checking email addresses on mobile devices if any request seems unusual or out of character.”
Mobile phishing attacks are diverse, so user training should be both comprehensive and regularly updated.
“Users should also be aware that phishing attacks are moving beyond email, and into voice and text communications, so further education is needed in this area as well,” said Chris Crellin, senior director of product management, Barracuda MSP.
Cross-training in behavioral analytics and phishing for insider threats. “The recent election-targeted attacks show that attackers are building and using databases of social information and intelligence, and using sophisticated phishing tactics not only to dupe users into clicking on malicious links, but to affect behavior and reinforce belief systems without the user realizing what is happening,” said Stephen Cox, VP and chief security architect at SecureAuth, a provider of Identity Security Automation.
While the targeted behavior change in the election year attacks was to affect voting, social strife and perhaps even violence, phishers can change their tactics to affect how employees behave too. Think of this as a potential new level in insider threats wherein the user becomes a willing participant in the attack rather than an unwitting victim.
This is an opportunity to provide more sophisticated training: in the use of behavioral analytics to detect shifts in user behavior, and in preventing these attacks from succeeding by training users to spot them and understand their purpose.
Upgrading user training updates and refreshers. Companies tend to focus on short-term productivity, which makes it difficult to justify pausing work long enough to train employees adequately in security measures. But that nearsightedness can be very costly.
“If a company is providing training once every three years, they are not going to prevent many of the phishing attempts on their company,” said McCreary. “Also, if a company is not including data security training as part of new-hire orientation, they are likely bringing on an employee that has never been taught best practices for internet and email usage.”
2019 is the year MSSPs should offer more customization in security training programs to facilitate more effective training for the scenarios McCreary mentioned, and to fill similar training gaps discovered by the MSSP.
“My team also receives requests to provide customized training around the latest industry standard practices in our field,” said George Chatterton, instructor-led training manager at Optiv, a $2 billion security solutions integrator and MSSP.
“For some clients, this means creating security training programs for their employees internationally – aligning learning to specific employees, gaining their buy-in, explaining what’s in it for them – and working with them on security best practices,” Chatterton added.
Improving both the effectiveness of the training and the time the training takes will deliver positive outcomes for client and MSSP alike.
Consider using videos, interactive visualizations, quizzes and gamification to upgrade training and refresher programs as well as to improve information retention.
“General security awareness, targeted security awareness and executive security awareness are increasingly popular training topics — from e-learning to instructor-led training. Within those broad categories, we’re frequently seeing deep dives on topics such as social media, social engineering, phishing, user-created vulnerabilities, identity theft and IoT,” said Chatterton.