MSP Cybersecurity Best Practices: Managing The Human Factor

Non-malicious human mistakes were a key factor in 68% of data breaches in 2023, according to Verizon's most recent Data Breach Investigations Report (DBIR). While simple human error accounts for many of these cases, social engineering attacks were another common cause.

Fortunately, your managed service provider (MSP) can take steps to teach your staff how to protect themselves and your organization in their day-to-day work. Giving your team the tools and information they need to incorporate best practices into your everyday operations is one of the best actions you can take to reduce your cyber risk.

Human Threats to MSP Cybersecurity

People are far from as accurate or consistent as an information system. They also don’t have the robustness of immutable policies. While those can be seen as limitations, they’re also what drives human greatness. The flexibility of the human mind makes it quickly adaptable to any situation in a way that information systems and policies aren’t. 

Threat actors can leverage that flexibility to take advantage of people through sophisticated social engineering attacks. Although you can use policies and input validation to lock down information systems against most attacks, you can't do that with humans. That's what makes social engineering attacks like phishing the top attack vector for years on end.  

Proper training and access to the appropriate resources can turn your people into an accurate, proactive warning system. After all, knowing what an attack looks like and recognizing abnormal behavior enables them to report one that your information systems might miss.

While you can say automated information security defense infrastructure also understands expected system behavior, it is significantly less effective at identifying poor computer performance. 

Put differently; automated information security infrastructure is only as good as its models. If a model isn’t completely accurate and tuned to an environment, unexpected behavior either: 

1. Won’t result in alerts, leading to missed threats.
2. Will result in too many alerts and report false positives, leading to more missed threats.

People can rationalize inappropriate behavior and determine whether or not it’s reportable. People innately understand patterns — and even patterns of behavior — well. Conversely, they know when those patterns are disrupted. 

While humans will also under and over-report, people can be a solid supplement to automated systems. They may mean the difference between detecting a threat and not detecting a threat. 

How to Cultivate the Human Element

So, you have this legion of unreliable and fickle components to a cybersecurity program. How do you use them to build a robust cybersecurity system?

You play to their strengths:

• Flexibility
• Adaptability
• Situational awareness
• Pattern recognition

Building a cybersecurity program that accounts for that can be relatively straightforward. There are some common programmatic elements you can put into place to enable and promote human cybersecurity.

Empowering MSP Teams: Training and Phishing Simulations

At a minimum, you should provide your organization’s staff with an engaging training program that captures and holds their attention long enough to be effective. And that's possible even on a limited budget.

The key is to make training tangible. Practically every industry has had one or more data breaches or significant cybersecurity events at this point — including MSPs and other IT companies.

Those kinds of events usually mean two things: 

1. Disruptions in mission-critical service delivery
2. Lost profits due to downtime, loss of productivity and reputational damage

Talk about those events in training. Highlight where things went wrong if you can and the real-world impacts of a cyber incident. Here are some examples to get you started:

• Healthcare: A healthcare cyber incident can prevent providers from treating their patients effectively for more than a month.
• Finance: Downtime resulting from cybercrime can prevent people from accessing or maximizing the value of their money.
• Education: Without access to learning management systems and other important educational tools, students can't learn.
• Non-profit: A cyber incident can prevent charities and other organizations from delivering valuable services to the community.

In short: people don’t get what they need, and that puts the business in jeopardy. 

Teaching Employees to Spot Patterns

Humans spot patterns better than any automated system can. We’re so good at it that we’ll make patterns up out of nothing. 

Leveraging that pattern recognition is critical to cultivating human cybersecurity. One way to do that is by teaching the giveaway signs of a phishing email:

• An unexpected email address in the email header
• Misspellings and grammatical mistakes in the message body
• Urgency or threats
• Subject matter that doesn't make sense for the sender
• Links and attachments you did not request or need 

Adding more information and objectives can also be good, but you want to balance information saturation with utility. Information overload can overwhelm your employees and lead to diminishing returns. 

The same exercise can be done for social engineering attacks broadly as well as potential signs of a cyberattack. People can—and will—take an alert and sophisticated approach toward potential attack modalities if they’re given the tools and support to do so. 

Practice Makes Perfect

Just like how regular workouts are essential for improving your physical strength, exercising your phishing response technique is critical to building operative memory in handling incidents. The idiom “practice makes perfect” exists for a reason. Rote recall of processes and actions helps build comfort and facility with processes, just like pattern recognition. 

Practice exercises can take many different forms:

• System recovery drills
• Security incident tabletops
• Major incident management testing
• Physical security drills
• Downtime or building closure drills

The exercises you include in your training program should cover both the processes and the operational effectiveness of those processes. Not only should there be a discussion of what should be done, but there should also be a “live-action” implementation of those events. 

Obviously, creating an effective simulation is more difficult for some exercises than others. But the more actual experience that can be injected into the exercise, the better. 

Using Tools to Empower Employees

Employees need more than a few training sessions to fine-tune their ability to respond to information security incidents. You also need to provide your staff with tools and resources that eliminate incident response roadblocks, such as:

• A clickable button for reporting phishing emails
• Clear processes for escalating suspected issues 
• Contact information for security analysts

Another important step in building cybersecurity confidence is removing the fear of reproach for speaking up. Adequate training reduces the risk of false positives by familiarizing employees with the telltale signs of a real attack, which can help them feel more comfortable calling out a threat if they see one.

Delegation is another important aspect of empowerment, as the closer an employee is to a threat, the faster they can mitigate it. Likewise, escalating threats to higher organizational levels who are removed from the threat significantly reduces the likelihood of a timely response.

While it's important to strike a balance between the two extremes, supporting your staff in reporting risks — and making mistakes — is the best step you can take to encourage better incident response.

The Value of Reinforcement

While penalizing employees for reporting genuine risks is a bad move, punitive measures for engaging in risky behavior can be helpful. People respond much better to reinforcement than they do to punishment. A good distinction: reinforcement promotes behavior, and punishment dissuades behavior. 

Both positive and negative reinforcement are effective for teaching employees to stave off attacks in the corporate tech environment. Phishing exercises are a great example. Notifying staff who failed a phishing exercise of their failure and requiring them to do training or speak with a manager or security staff member goes a long way. Similar measures can be undertaken for other activities. 

Where reinforcement doesn’t work, you may need to resort to punishment. Punishment, especially in the corporate space, carries numerous risks: 

• Degraded morale
• Malicious compliance
• Weaponized ignorance
• Unresponsiveness
• Retaliation
• Data exfiltration
• Loss of mission-critical personnel

Before taking action, you need to carefully weigh the risks of punishment against its benefits. 

That being said, continuing with the phishing example, if an employee has been trained about phishing and repeatedly fails phishing exercises (or worse, falls for an actual phishing attack), then punitive measures may be necessary. The specific measures you take and how you structure them should vary depending on your organizational structure and operations. 

Inequitable punitive measures — for example, treating executives differently from regular employees — will ultimately undermine the success and impact of a security program. Creating the perception that some staff is privileged and above the rules will eviscerate respect for the rules. 

Final Thoughts

There are many ways to cultivate the human element of any organization to be a security watchdog. By relying on the strengths people bring to the table and cultivating those, you can create very effective operational security awareness. 

While there are drawbacks to completely relying on people for security safeguards, people provide a great supplement to automated infrastructure and an early warning system where that infrastructure fails to identify threats.

You’ll want to think about how you cultivate good behavior and dissuade unwanted behavior. Training, empowerment, and reinforcement consistently prove to work best. Punitive measures applied consistently can help but can also have significant tradeoffs. Whatever method you pursue depends on organizational needs and priorities.

Empower Your MSP With Help From Phin Security

If you're looking for a comprehensive training solution that empowers staff and improves incident response, Phin Security is here to help. Our platform includes features and capabilities specifically designed for MSPs, including:

• Fast, simple onboarding and setup
• Engaging training content and real-time phishing simulations
• Immediate feedback and actionable takeaways from Learning Moments
• Advanced analytics and automated reporting for targeted improvement
• Dedicated support from experienced Phin Security team members

See for yourself how Phin Security helps MSPs mitigate human risk. Start your free trial today!