Managed Service Providers (MSPs) perform countless mission-critical services for downstream clients. As such, MSPs are prime targets for attack. Numerous attacks over the past couple of years on Microsoft, Git, Solarwinds, and others highlighted the criticality of the impact that an attack on an MSP can have on downstream clients.
The most effective way for MSPs to address cyber threats is to adopt a robust and effective security program. Many modern security programs cover administrative, technical, and physical safeguards to promote the confidentiality, integrity, and availability of an organization’s and client’s data.
Where phishing and other social engineering attacks are top attack vectors, it’s never been more critical to safeguard the human element of your organization. The best way to do that: creating and fostering a culture of security awareness.
In this article, we’ll talk about security awareness, how you can create a culture around it, and tips to keep consequences real and relevant for your staff.
What is Security Awareness?
Security Awareness, put simply, is a programmatic approach to instilling knowledge about various cyberattack vectors and how to avoid falling for them. If security awareness were that simple, the global cybersecurity market wouldn’t currently sit around $200 billion, with a projected tripling in size over the next seven years.
The efficacy of a security awareness program can be impacted by numerous factors, each of which may affect security awareness to a greater or lesser degree.
Impacted Industry
Cyber threats are uniform. An attack against a bank will be materially similar to an attack on a hospital which will be materially identical to an attack on an MSP. Those attacks typically progress as follows:
-
A threat actor gains access to an environment,
-
They establish persistence in that environment,
-
They inspect the environment,
-
The threat actor infiltrates code pipelines and absconds with data, and
-
The threat actor can deploy ransomware which, in most cases, encrypts local copies of data.
How a threat actor gains access to information will look different. A banking trojan spreads and operates relatively silently, while ransomware spreads very disruptively. Injection into a code pipeline may involve some software but predominately involves the ongoing utilization of seemingly legitimate credentials.
You can spot each threat actor's methods differently: increased user calls to the helpdesk about credential and account issues, computers behaving weirdly, and code anomalies, respectively.
There are many indicia of compromise, some of which will be more or less relevant to various industries. Training users on those indicia that are common and relevant to your industry increases your chances of spotting and mitigating threats.
The Existence of Controls
Some industries may want comprehensive communication of specific security controls. For example, an organization with a development pipeline and a “shift left” mentality will want to educate all of its developers on what a Secure Development Lifecycle (SDLC) is and how to promote that. Education on secure coding practices is a must.
Other organizations may want to inform staff about phishing threats, proper credential use and management, and clean desk policies.
None of those organizations may want staff to understand the intricacies of endpoint safeguard operations, logging and alerting pipelines, and other early warning systems that may exist for technological threats. Knowledge of those systems may promote internal controls subversion or external knowledge of controls.
Awareness Overload
Adopting a “need to know” philosophy on security awareness training prevents awareness overload. Most organizational staff aren’t technologically adept. They’re not cybersecurity adept. Providing too much information can overwhelm staff. The more you train after a point, the less effective is.
Topical Threats
Keeping security awareness topical, in addition to keeping it manageable, helps address current threats. While historical attacks and attack modalities can be exciting, they’re not very pertinent to modern threats.
It’s essential to keep training topical. Ask yourself: what threats are staff going to encounter daily? There are lots of great ways to figure this out:
-
Evaluate threat briefings from law enforcement and other sources,
-
Review what’s being caught by your secure email gateway or alternative,
-
Filter logs for potential threats,
-
Read the news, and
-
Talk to your cybersecurity peers.
That last point is essential to highlight. Cybersecurity isn’t a team sport, but maybe it should be. Threat actors collaborate regularly and in detail to create very effective attack modalities. Cybersecurity experts and staff benefit through collaboration—and to a degree more in-depth than simply attending conferences and vendor-sponsored calls. Honest, quality discussions about threats improve everyone’s standing.
How to Create a Culture of Security Awareness
There’s no one-size-fits-all solution for creating a culture of security awareness. Still, there are some excellent pointers for any organization to consider when promoting security awareness.
Cultivate Support
Securing leadership support is the most challenging part of cultivating a security awareness culture. It’s also the most critical part of developing a culture of security awareness. If your leadership doesn’t take security seriously, why should staff?
Cultivating support for a security awareness program should be simple. Security awareness programs are low-cost. They can be done for “free,” only consuming staff time. Even more involved programs can be one of the lower-cost components of organizational security infrastructure.
Security awareness programs are also proven to be cost-effective. While different security awareness program vendors calculate return on investment differently, all sources highlight the significant benefits of mitigating immediate and long-term losses resulting from a cyberattack.
Security awareness programs are also proven to be effective at mitigating risk. Some sources put the efficacy at dropping dangers of attack by up to 600 percent. Numbers like that make sense: by making staff more aware of risks and more adept at spotting them, there’s less likelihood they’ll succumb to an attack.
That means there’s less likelihood of the organization succumbing to attack. In turn, it lightens the load on other parts of the security infrastructure. Not that doing so necessarily saves money vis-a-vis tool utilization, but it’s cost avoidance by minimizing the likelihood of a severe cyber event.
So why is cultivating the support of executive leadership so tricky? As will be seen as a theme in creating a culture of security awareness, the lack of threat tangibility is incredibly impactful. Spending money on addressing threats or encumbering staff time for training (which is also a cost) is difficult to justify where nothing’s happened. Driving buy-in and support for a security awareness program involves proving a negative: nothing’s happened, and you have to demonstrate nothing will continue to happen if you train.
Keep it Engaging
Most pieces of training can be dry and dull or seen as an obligation instead of a benefit. Just as you have to sell security awareness to senior leadership, do you need to sell it to the staff who will be participating? The best way to sell it to staff is to drive engagement.
Engagement doesn’t have to be flashy: you don’t need something that looks like a video game or high-production video content to train on information security. While those things are undoubtedly eye-catching and engaging—and if you have the budget, they go a long way—you can do a lot with a little.
Face-to-face engagement is one form of engagement that can be time-consuming but impactful. Lunch-and-learns, information sessions, and live training go a long way toward engaging staff and making them understand the human element of security and the security office. Another benefit: they’ll have a face and a name for security issues. While that might not be the standard incident reporting pipeline, if the difference is between reporting an incident improperly or not being able to report an incident for forgetting the appropriate method, then any report is better than nothing.
Another form of engagement that is low cost and high efficacy is security competitions. There are many different manifestations of this one:
-
Bug bounty
-
Phishing performance competitions
-
Security art poster competitions
-
Security shorts – short videos about cybersecurity
Those are just some examples, and there are many more. Some even generate content for intranets, training sites, or building posters.
Again, all of those engagement modalities build the tangibility of threats. Either people understand the implications or ease of finding and exploiting threats, or they learn and create materials describing threats. In any case, the more engaged, the more threat-aware staff will be.
Keep it Intelligible and Manageable
You'll lose most of your audience if you go too deep on highly technological or security-focused topics. Conversely, if you overtrain, staff become desensitized to security issues after a point. Finding the sweet spot between too much and not enough can be challenging.
Just remember: if you want to train everyone, you will have to make compromises on content. That’s going to depend on your staff composition, industry, and other factors. Some staff deal with technology as a means to an end, not as their primary engagement point.
What training should do, above all, is make threats tangible. In other words, explain why threats matter and why people should behave securely and safely.
The Importance of Threat Tangibility
Cyber threats impact other people and organizations until they don’t. For many organizations, the danger isn’t real until it happens. That would be understandable, except that even the most influential and best-prepared organizations have succumbed to cyberattacks, catastrophic misconfiguration, or data loss.
Despite that, some organizations seem to continue through cycles of unpreparedness, cyberattack or another major incident, increased investment to address the issue that just happened, and unpreparedness in other areas. It makes sense in a penny-wise, pound-foolish sort of way.
Informing staff of the tangibility and consequences of threats is critical to building a culture of security awareness. Three key points to emphasize:
-
Threat actors are heavily financially incentivized to cause harm and/or system misconfigurations due to improper design or maintenance can cause extensive damage;
-
It’s a matter of when not if; and
-
The consequences will be millions of dollars of damage.
It’s an almost daily occurrence that something catastrophic happens to an organization. A culture of security awareness emphasizes that being unsafe, careless, or insecure will cost millions in damages.
That explanation should be compelling for executive leadership, who may think twice about the potential costs of a cyberattack or other catastrophic incident.
If your organization disciplines accordingly, that’s also important to inform staff. Not only does that make threats personally tangible, but it also ensures staff isn’t caught unawares should they succumb to an attack.
It’s also important to highlight to clients or customers what you’re doing to mitigate an attack and that it’s tangible. Where attacks on MSPs increasingly result in downstream impacts on clients, they want to know that you’re taking it seriously. A culture of security awareness is a great way to express that.
Conclusion
MSPs need to develop a culture of security awareness. It’s not only critical for their operations but also to safeguard customer or client data and systems.
Security awareness covers numerous facets of human-based organizational safeguards. Many of them are tangible actions people can take to be safer or more careful. Cultivating a culture of security awareness requires more than just informing staff of that. It involves making safety, security, and care. It makes those concepts and the risks of their opposites tangible, both to staff and leadership.
