People are both your weakest link and your best defense in the fight against cybercrime, so it's important they understand what is appropriate in their environment. From a cybersecurity perspective, companies want their staff to question what is going on and have a cautious mindset—and that means being cautious at home as well as in the workplace.
For example, phishing is still one of the most effective methods for the bad guys to compromise systems and people, and these emails are sometimes crafted very well, so people need to be made aware of what to look for. They also need to know what to do if an email comes in that looks like a phishing email—i.e., not click on any links or open any attachments, and seek a second opinion if they’re really concerned.
As a managed service provider (MSP), you can really help your clients understand some of these basics of security and help to drive the culture of security awareness they need. You can do this in a number of ways—ranging from tapping into the free courses available online to helping to disseminate some simple facts to customers on a regular basis. Regularly reminding customers and their staff to watch their email, be careful what they’re opening, be careful what sites they're going to visit, and letting them know of scams prevalent at different points in time will go a long way to raising their security awareness.
As a case in point, I recently received a bulletin telling me to watch out for scams associated with human disasters; anything to do with these events and the grief that occurs with them is something that cybercriminals can, and will, take advantage of. Take the opportunity to remind your customers by alerting them to the latest trends; this will help to ensure that their staff are always thinking about security. Beyond that, you need to help people understand that a security event can have dramatic effects on their business, so they need to be acting in an appropriately vigilant way.
One thing that is crucial to reinforce is that managing company security is not just the responsibility of the IT team; it is the responsibility of everyone in the organization. People need to be aware that acting appropriately when it comes to the security of the company’s data is part of their job. With the EU General Data Protection Regulation (GDPR) coming into force, there are very serious fines for mismanagement of personal data. If an employee has access to this type of data, you can’t just rely on the IT or security team to police that; it needs to be part of the whole company’s culture. If employees are not treating data with care—and treating data with care is a key part of cybersecurity—there is a liability present for the company.
To give a real-world example of how changing the mindset of a company works and benefits the organization as a whole, we can look to the construction industry. It’s not cybersecurity-related, but Bechtel has built a culture of safety across its business (bechtel.com/about-us/safety/). If you ever go around a Bechtel site, you’ll see safety messages everywhere, like “use the hand rail when you go down,” “watch out for the cord on the floor,” and signs telling you where the exits are. They take safety so seriously, from the CEO down, that every meeting always starts with a safety message. By embedding safety so tightly in everything they do, they have managed to create an environment where safety is part of the culture—not an afterthought. This helps reduce the number of safety-related incidents, creates an environment safe for employees, and improves overall production.
By creating a culture of safety, they have really affected the bottom line as well as the overall safety of the environment. We can do the same with cybersecurity. We can take steps to make sure people are taking security seriously, because the effect of a cyber-incident on a company is just as serious as any other disaster. If you get the whole company—from the president down to the intern—doing the right thing, it's going to help your job of securing your customers a great deal. If you help your customers create a culture of security, it’s no longer just you on the front line protecting your customers; you have backup.
Tim Brown is VP of Security for SolarWinds MSP. He has over 20 years of experience developing and implementing security technology, including identity and access management, vulnerability assessment, security compliance, threat research, vulnerability management, encryption, managed security services, and cloud security. Tim’s experience has made him an in-demand expert on cybersecurity, and has taken him from meeting with members of Congress and the Senate to the Situation Room in the White House. Additionally, Tim has been central in driving advancements in identity frameworks, has worked with the US government on security initiatives, and holds 18 patents on security-related topics.
© 2018 SolarWinds MSP UK Ltd. All rights reserved.