A recent investigation, based on a billion email messages per day, discovered two very interesting things: Firstly, cybercriminals are opportunists, targeting any person who might be useful in exploiting an organization. The second, and perhaps most shocking finding, was that in 99% of cyber-attacks, a human being is needed at some point to make the attack successful.
So, how does a business go about managing such an onslaught of cyber-attacks that focus on its most important resource, staff?
A Managed Service Provider (MSP) offers the secret sauce in managing people-focused threats. By offering clients proactive ongoing security in the form of security awareness training, email threats can be controlled.
The Email Threat Landscape
Emails are a weapon of choice for cybercriminals. According to Symantec:
- A whopping 94% of malware is delivered using email.
- 48% of malicious email attachments are Office documents.
- 1 in 10 emails contains a malicious URL.
This report highlights the fact that a multi-pronged approach is needed to manage security threats. This opens up an opportunity for an MSP to deliver this multi-faceted, Swiss Army Knife of cybersecurity measures by adding security awareness training to its portfolio.
Reactive or Proactive Security?
In protecting a business against the impact of email-borne threats, an MSP can offer both reactive and proactive measures. Reactive measures that prevent email phishing include systems such as spam filters. These reactive security measures form a baseline response to phishing campaigns: a wide-net capture approach. However, to provide thorough and encompassing security, reactive measures must be shored up by proactive security measures, which include security awareness training for all employees.
Security Awareness Training as a Secondary Filter for Phishing
Email-borne threats are a very successful vector for cybercriminals. As such, much effort is put into the creation of email phishing campaigns, with easy-to-use ‘phishing kits’ being sold on the dark web. Email phishing uses tried and tested social engineering techniques that are based on a technique of ‘trust and trick’: build a phishing campaign around a trusted brand (such as Microsoft Office 365) and trick recipients into clicking on a phishing link that results in malware (including ransomware) infection and/or stolen login credentials. This tactic works. The Verizon Data Breach Report found that 90% of data breaches use phishing to initiate a cyber-attack.
Security awareness training offers a proactive way to educate employees on how phishing works. Knowledge is power, and giving an employee the knowledge to recognize that something is amiss when they receive a spoof email helps to contain the threat.
Security awareness provides a secondary filter system for phishing, augmenting any spam filter in place. By training an employee to spot the tell-tale signs of phishing, any email threats that get past a spam filter can then be filtered out by a human being.
Being proactive about security works. The respondents in the Q2 2020 Cyber Risk Alliance Cybersecurity Resource Allocation and Efficacy Index (CRAE) said that proactive security gave them confidence that security measures would work. The report also pointed out that phishing was the biggest concern for 59% of U.S. and 68% of Canadian respondents.
Phishing Simulation and Security Awareness Training
75% of security incidents are caused by a lack of staff knowledge. Phishing simulation and interactive education provisioning are used to train employees about what phishing is and how to look for the signs of a phishing email. Spear-phishing, a targeted form of phishing, is extremely difficult to reactively prevent and spot. Training gives an employee the mental tools to deal with phishing directly.
How an MSP can Generate Recurring Income
An MSP can offer a client security awareness training as a secondary phishing filter to complement reactive measures such as spam filtering. The package will provide a client with a 360-degree approach to email-borne security threats.
It is important to remember that security awareness training is about creating a ‘culture of security’. This culture must be persistent and current. Security threats are always changing. Cybercriminals take advantage of new situations to propagate campaigns and improve success rates. The Covid-19 pandemic is evidence of this: TitanHQ noted that our detection rates of Covid-19-related phishing emails spiked during the pandemic. An ever-changing threat landscape means that training must be ongoing, tailored to the time of training, and relevant to the industry the client works in.
Security awareness training is not a one-time solution; training employees means that the client needs to establish an ongoing relationship with the MSP providing the training. MSPs can create tailored packages for clients that reflect this ongoing relationship. Training packages keep staff up to date with the latest threats, using phishing simulation and interactive video sessions, to ensure all staff are prepared.
A 360-Degree MSP Package for a 360-Degree Problem
Security awareness training that is relevant and tailored offers an MSP a great way to generate recurring revenue. Cybersecurity detection and prevention must bring into play both reactive and proactive measures to manage the sophisticated and complex patterns that modern cybercrime is based on. Security awareness training is an ongoing exercise that covers the entire workforce of a client. As such, packages offering phishing simulation and interactive training sessions give MSPs a way to build ongoing relationships with clients. As an offering, security awareness training complements security measures that perform first-pass protection against phishing. By using both reactive and proactive measures, a client can be assured that everything is being done to protect their organization against email phishing threats.