We recently conducted an email phishing test for one of our clients, a midsize retailer. Employees received an email disguised as coming from their human resources department. It accused them of accessing prohibited sites on the job and threatened them with termination. Employees were instructed to click a link in the email to see a list of prohibited sites they had allegedly accessed.
We were astonished when 48.5 percent of employees clicked on the link, even though the sender address was from an unknown domain and the link clearly led to a destination outside the company network. This may be an extreme example of how susceptible companies are to phishing, but it is by no means unusual. In our experience, between 20 and 45 percent of employees fall prey to spurious come-ons. And a single click on a malicious site can infect a user’s computer with malware that compromises the entire corporate network.
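The two tells in that test, a sender address outside the company and a link whose destination is outside the company, are both mechanically checkable before anyone clicks. The script below is an added example, not part of the original post or of KnowBe4’s tooling: it parses a constructed HR-style lure, compares the sender domain and every link target against an assumed internal domain list (`example-retailer.com` is hypothetical), and also flags the classic trick of link text that shows an internal URL while the `href` points elsewhere.

```python
"""Flag the phishing tells described above: an external sender address and
links whose destination is outside the company. Added example, not from the
original post; the domain names and the sample message are constructed."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed internal domains for the hypothetical retailer (not from the post).
INTERNAL_DOMAINS = {"example-retailer.com"}

# Constructed sample: HR lure with an external sender and an external link
# whose visible text pretends to be an internal URL.
SAMPLE_EMAIL = """\
From: "Human Resources" <hr-notices@mail-hr-alerts.net>
To: dave@example-retailer.com
Subject: Notice of prohibited website access
Content-Type: text/html; charset=utf-8

<html><body>
<p>Our records show you accessed prohibited sites during work hours.</p>
<p>Review the list here: <a href="http://hr-review-portal.net/list?u=dave">
https://hr.example-retailer.com/policy</a></p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from anchor tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(address_or_url):
    """Host part of an e-mail address or URL, lower-cased ("" if none)."""
    if "@" in address_or_url and "://" not in address_or_url:
        return address_or_url.rsplit("@", 1)[1].lower()
    return (urlparse(address_or_url).hostname or "").lower()


def is_internal(host):
    """True only for the internal domain itself or a real subdomain of it,
    so look-alikes such as example-retailer.com.evil.net do not pass."""
    return any(host == d or host.endswith("." + d) for d in INTERNAL_DOMAINS)


def phishing_indicators(raw_message):
    """Return a list of human-readable red flags for one RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []
    sender = msg["From"].addresses[0]
    if not is_internal(domain_of(sender.addr_spec)):
        flags.append(f"sender {sender.addr_spec} is outside the company "
                     f"(display name {sender.display_name!r})")
    body = msg.get_body(preferencelist=("html", "plain"))
    parser = LinkExtractor()
    parser.feed(body.get_content())
    for href, text in parser.links:
        host = domain_of(href)
        if not is_internal(host):
            flags.append(f"link leads outside the company: {href}")
        # Visible text that looks like a URL but points elsewhere is a lure.
        if "://" in text and domain_of(text) != host:
            flags.append(f"link text {text!r} does not match target {host}")
    return flags


if __name__ == "__main__":
    for flag in phishing_indicators(SAMPLE_EMAIL):
        print("RED FLAG:", flag)
```

Run against the constructed lure it reports three flags: the external sender, the external link target, and the mismatch between the displayed URL and the real one. The same three checks are what an awareness course asks employees to do by eye; a mail gateway can do them on every message.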
Many experts believe that breaches are now so common that the issue is no longer whether organizations will be attacked but when. Some data points:
We’ve learned a lot about internal vulnerabilities this year. In January we partnered with KnowBe4, a Clearwater, FL-based security awareness company. The agreement enables us to provide all of our backup and disaster recovery clients with email phishing and exposure tests, coupled with online cyber security training for a base number of their employees, at no cost. We did this not because it’s profitable but because it’s the right thing to do.
With so many attacks dominating the headlines, we expected that nearly all our clients would jump at the offer of free protection. Surprisingly, only about 20 percent did. We discovered that siloed organizational structures prevented many companies from taking a coordinated approach to security awareness. The people who were in charge of backup and disaster recovery had no responsibility for security. When we were able to tunnel through the organization to find the people who were, they were most receptive to anything that helped increase employee awareness. Unfortunately, finding those people was often like searching for a needle in a haystack.
We’ve been in the backup/DR business for nine years, and we compete with many fine companies that provide the best technology: encryption, multisite backup, remote hardware disaster recovery and round-the-clock technical support. But technology addresses only half the problem. As cartoonist John Klossner pointed out in Computerworld, the finest firewalls, encryption, antivirus software and the like can’t compete against Dave, the accounting clerk whose password is “password.”
The good news is that security awareness works. In our experience with KnowBe4, the percentage of employees who are susceptible to phishing emails dropped from 16 percent to 1.3 percent within 12 months after awareness training began. Experts have long agreed that the most serious vulnerability companies face is their own people’s lack of knowledge. Security training isn’t difficult or time-consuming. It’s just that many organizations believe it’s someone else’s responsibility.
Few MSPs are prepared to address this deficit. They have great technology, but they see the security problem as ending at their doorstep. They are failing their customers.
Smart MSPs know that doing business in the cloud is all about partnerships. It’s about taking shared responsibility for customer success and protecting the customer at all levels.
When MSPs come knocking at your door, be prepared to put them through their paces: make them explain how their technology protects you. Then ask them what they do about the human side. If you get a blank stare, proceed with caution. You may be getting only half a solution.