By Manoj Srivastava, General Manager, Security, Kaseya
Cybercrime is on the rise and here to stay, and topping the list are phishing scams. A common misconception is that only dumb people fall victim to these types of attacks. The truth is that some of the most prestigious national labs, major corporations, and even people with doctoral degrees and IQs off the charts have been compromised.
According to the FBI, phishing was among the top three cybercrimes reported in 2020. In fact, phishing incidents more than doubled from 114,702 in 2019 to 241,342 in 2020. What’s even more frightening is that 90% of incidents that end in a data breach start with phishing.
Anyone can fall victim to a phishing scam, making it more important than ever for MSPs to protect their customers.
Don’t Let A Lack Of Security Training Haunt Your Business.
Email is one of the major vectors to distribute ransomware, and cybercriminals often depend on phishing and social engineering tactics to infiltrate an unsuspecting organization. Traditional legacy systems are less equipped to protect against cyberattacks, and smaller-sized MSPs may struggle to properly secure environments due to a lack of funds. One way to successfully get around this is by increasing security awareness, which can reduce an organization’s chances of having a cybersecurity incident by up to 70%.
People are the first line of defense. MSPs can leverage this position and safeguard their clients by offering security training to employees as part of their contractual services. Frequency matters: research shows that trained employees begin to forget what they learned 4–6 months after each session.
New employees should always go through training during their onboarding process, but don’t stop there. Phishing training should be carried out for all employees monthly. It may seem like a lot, but it’s critical for organizations to remain vigilant and always on their toes, as cybercriminals are constantly adapting their techniques to find a way in.
The pandemic also changed the landscape with more employees working from home or in hybrid scenarios with little to no supervision. About 55% of remote workers rely on email as their primary form of communication, driving home the importance of security training.
Smaller MSPs may sometimes think, “We are too small to be a target!” This is erroneous thinking. The sobering reality is that their customers are the target. In one such sophisticated attack, a supposed prospect contacted an MSP through a shared SharePoint file that asked for a response to a proposal via a SharePoint sign-in.
MSPs can never be too careful. Security awareness training is one way they can safeguard their clients.
The 5 Most Common Phishing Attacks
- Notification that you have received voicemail or e-fax
- Fake tech support email alleging malware on the computer and requesting remote access to install software to fix the issue
- Business email compromise (BEC) with a fraudulent invoice embedded with malware
- Phony emails from HR asking new employees to change their direct deposit information
- Spoofing and social engineering attacks designed to trick employees to reveal confidential information
Invest In Phishing Prevention Tools.
Another line of defense for MSPs is to invest in AI-based prevention tools that proactively monitor and protect their business and end customers. An effective AI not only scrutinizes email content but also analyzes sender behavior: the devices a sender uses, who they message most often, and what time of day they typically communicate. This data is used to build profiles of trusted email senders, and incoming messages are then compared against those profiles to detect and prevent sophisticated phishing attempts. AI-based monitoring software can also scan images to identify fake login pages and recognize altered signatures, then automatically quarantine malicious emails so the end user never interacts with harmful messages.
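To make the sender-profiling idea concrete, here is an added example (not Graphus, ID Agent or Kaseya code) of a deliberately small baseline-and-deviation check. It builds a profile per trusted display name from constructed historical message metadata (sending address, hour of day, mail client, recipient), then scores a new message by how far it departs from that baseline and maps the score to the deliver / banner / quarantine actions the article describes. The message fields, thresholds and sample addresses are all assumptions chosen for illustration; a real product draws on far richer signals.

```python
"""Toy trusted-sender profiling: build per-sender baselines, score deviations.

Added illustration only; not the code of any product named in the article.
All sample messages below are constructed for the example.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Message:
    display_name: str   # "From:" display name as the recipient sees it
    address: str        # actual sender address
    hour: int           # hour of day (0-23) the message was sent
    user_agent: str     # mail client / device hint taken from headers
    recipient: str      # mailbox the message was sent to


@dataclass
class SenderProfile:
    """Frequency counts of what a trusted display name normally looks like."""
    addresses: Counter = field(default_factory=Counter)
    hours: Counter = field(default_factory=Counter)
    agents: Counter = field(default_factory=Counter)
    recipients: Counter = field(default_factory=Counter)
    count: int = 0


def build_profiles(history: List[Message]) -> Dict[str, SenderProfile]:
    """Aggregate past (already-trusted) mail into one profile per display name."""
    profiles: Dict[str, SenderProfile] = defaultdict(SenderProfile)
    for m in history:
        p = profiles[m.display_name.lower()]
        p.addresses[m.address.lower()] += 1
        p.hours[m.hour] += 1
        p.agents[m.user_agent] += 1
        p.recipients[m.recipient.lower()] += 1
        p.count += 1
    return dict(profiles)


def score_message(profiles: Dict[str, SenderProfile], m: Message) -> Tuple[int, List[str]]:
    """Return (anomaly score, reasons). Higher means further from the baseline."""
    p = profiles.get(m.display_name.lower())
    if p is None:
        return 1, ["first message from this display name"]
    score, reasons = 0, []
    # A familiar display name arriving from a never-seen address is the
    # classic look-alike / spoofing pattern, so it carries the most weight.
    if m.address.lower() not in p.addresses:
        score += 3
        reasons.append("known display name, unseen sending address")
    # Allow one hour of slack around any hour this sender has used before.
    if not any(abs(m.hour - h) <= 1 for h in p.hours):
        score += 1
        reasons.append("unusual hour for this sender")
    if m.user_agent not in p.agents:
        score += 1
        reasons.append("unseen mail client/device")
    if m.recipient.lower() not in p.recipients:
        score += 1
        reasons.append("sender has never messaged this recipient")
    return score, reasons


def classify(score: int) -> str:
    """Map a score to the actions the article describes (thresholds assumed)."""
    if score >= 3:
        return "quarantine"   # hold for IT before it reaches the inbox
    if score >= 1:
        return "banner"       # deliver with a warning banner
    return "deliver"


# Constructed history: three normal messages from one trusted partner contact.
HISTORY = [
    Message("Pat Jones", "pat.jones@partner.example", 9, "Outlook/16", "alice@msp.example"),
    Message("Pat Jones", "pat.jones@partner.example", 10, "Outlook/16", "alice@msp.example"),
    Message("Pat Jones", "pat.jones@partner.example", 14, "Outlook/16", "alice@msp.example"),
]

# Constructed incoming mail: one legitimate, one look-alike, one new recipient, one stranger.
INCOMING = [
    Message("Pat Jones", "pat.jones@partner.example", 11, "Outlook/16", "alice@msp.example"),
    Message("Pat Jones", "pat.jones@partner-example.com", 3, "Gmail-Web", "alice@msp.example"),
    Message("Pat Jones", "pat.jones@partner.example", 9, "Outlook/16", "bob@msp.example"),
    Message("IT Helpdesk", "support@random.example", 12, "Unknown", "alice@msp.example"),
]


def demo() -> List[Tuple[str, List[str]]]:
    """Score every constructed incoming message against the baseline."""
    profiles = build_profiles(HISTORY)
    results = []
    for m in INCOMING:
        score, reasons = score_message(profiles, m)
        results.append((classify(score), reasons))
    return results


if __name__ == "__main__":
    for m, (verdict, reasons) in zip(INCOMING, demo()):
        print(f"{verdict:10} {m.display_name} <{m.address}>  {'; '.join(reasons)}")
```

The weighting is the interesting design choice: a matching display name over a new address is scored high enough to quarantine on its own, while a single soft signal (odd hour, new recipient) only earns a banner, which is the "flag it but let a trained employee decide" behaviour the article recommends.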
MSPs should invest in technology that offers warning banners that flag suspicious emails, allows users to quarantine or mark the message as safe with a single click, and proactively quarantines suspicious emails for IT to investigate before they even make it to an employee’s inbox. When selecting a product, MSPs should opt for one that offers a dashboard where they can monitor, investigate, and take action on detected threats in real time. It should also come with a reporting feature that includes security metrics that can then be shared with customers.
Next is the issue of passwords and the risk of them being compromised. Will passwords become a thing of the past? Possibly, but not immediately. An identity and access management (IAM) tool is another way MSPs can protect themselves and their customers by combining single sign-on (SSO), multifactor authentication (MFA), and password management into one solution.
MSPs should take advantage of the full functionality of AI to create a robust security platform that identifies threats, offers phishing simulation and security awareness training tools, and includes dark web monitoring and a password management solution as part of the offering.
Reframe The Way Organizations View Security.
Phishing is part of a larger conversation involving security. There needs to be a mindset shift around this topic. As cyberthreats and attacks continue to rise, it’s more important than ever for companies to have security plans in place that are regularly revisited and updated as needed.
When seat belts were first introduced in the 1980s, only 14% of Americans regularly wore them, despite the fact that the National Highway Traffic Safety Administration (NHTSA) required them in new cars as of the late 1960s. Even though seat belts could save lives, they were met with tremendous resistance and the belief they were an infringement on personal freedom. Eventually, drivers and passengers alike accepted the lifesaving device, and no one questions wearing them today.
For MSPs, cybersecurity needs to be a part of everyday life, as well. With the widespread use of email and cellphones, threats are not only rampant, but they are also getting cleverer and more sophisticated. While that may seem overwhelming, it creates opportunities for MSPs to expand their services and increase their bottom line. Much like the seat belt, society is inching closer to cybersecurity measures becoming second nature.
Avoid Becoming Bait For Phishing Scams.
As phishing scams remain rampant, MSPs will need to make the case to their customers to invest in AI-based prevention tools and security training. Perhaps the most compelling argument is dollars and sense. The cost of phishing attacks is trending north. According to the FBI, U.S. businesses lost more than $1.8 billion last year in costs related to business email compromise (BEC) or spear phishing. The Bureau also reported adjusted losses at over $54 million attributed to phishing scams. Since phishing attacks may lead to data breaches, there are also costs associated with business disruption, lost productivity, and remediation efforts.
It’s not all ghoulish news. Security awareness training can significantly reduce phishing expenses. The message is loud and clear — like a group of children begging for Halloween treats outside the door, MSPs need to be proactive with customers about how security training is no longer a luxury but a necessity. Training alone is simply not enough in a constantly evolving landscape of cyberthreats. MSPs need to arm themselves with AI-based tools that can easily identify and quarantine malicious emails before they even hit customers’ inboxes, and if they do, additional preventative features can flag them so properly trained employees will know what to do with them.
It’s all about changing perceptions, and that might take some time. Eventually, however, customers will come to realize why buckling up and investing in security strategies can ultimately save their organization from disruption and potential financial ruin.
About the author: Manoj Srivastava is the Product Executive, Security, for Kaseya’s ID Agent and Graphus companies. He is the co-founder and former CEO of Graphus before it was acquired by Kaseya. Learn more about how to prevent phishing attacks by visiting Graphus.com or IDAgent.com.