Best practices for protecting your clients’ remote workers from the latest phishing attacks, from Barracuda MSP’s Chris Crellin.

By Chris Crellin, senior director of product management, Barracuda MSP

While much of the world is responding to the COVID-19 pandemic through a variety of shelter-in-place orders and other restrictions that have shut down offices and large gatherings, another type of “virus” is sweeping the globe. An increase in cyber attacks, particularly phishing, has followed in the wake of the pandemic. 

A security manager with HP reported a 600 percent increase in attacks since the COVID-19 crisis forced the majority of workers to shift to remote work. A Google report found a 350 percent increase in phishing websites, many of them fake COVID-19 sites. Cyber attacks were already increasing independent of the virus, and according to a recent report from Dell, 82 percent of organizations had experienced a disruption of some sort in the past 12 months, up from 76 percent the previous year. 

The current environment is ripe for a new wave of successful cyber attacks. Many employees are working from home on personal hardware and often using unsecured WiFi networks. In many cases, unprepared for the shift to remote work, companies have had to cobble together infrastructure to support this.

Employees are also sharing workspaces with other members of their household, which can be stressful and distracting. Other world events — the economic downturn, the global protest movement, political uncertainty — have left employees hungry for information. They are much more likely to click on emails or websites touting updates or information related to these various crises. In the U.S., the Economic Impact Payment program has also led to further spikes in phishing activity. 

Offer a Complete Security Awareness Package

To help reduce remote employees’ risk of being roped in by the increasing number of phishing scams, companies should use a mix of training and technology so that networks can be protected by a more-informed staff and smart technology tools. MSPs can help by offering robust security awareness training products (such as Barracuda MSP Managed Phishline) that include updated materials and simulation campaigns that can ensure clients are protected against the latest threats. Here are a few best practices.

• Implement a security awareness training program. Conducting this type of training program was challenging before the pandemic. Now, with employees dispersed to their homes and other remote locations, it’s even more difficult. MSPs should understand that security training is not a one-and-done scenario. MSPs should look for security training tools that are easy to use and manage, and support the automatic deployment of new content as threats evolve. Too many MSPs will run a single phishing simulation, or run a training program and then call it a day. It has to be done continuously to keep people mindful of the threats that are continually present. 
• Make sure training content is relevant. Your client’s end users need relevant and engaging training material. Otherwise, the training program won’t be useful in helping them spot phishing attacks. The content should also be closely aligned with the simulation campaigns so that you can adequately assess effectiveness. 
• Consider a vendor that offers outsourced email security awareness training. Administering an effective program can be a drain on resources. Vendors that provide security training packages sometimes offer complete packages that include managing the training for you. In this way, you can grow your security offerings without having to add staff or divert resources to administering the program. 

There is significant demand right now for managed security services. Employees are often the weakest link in the security chain, particularly when it comes to phishing. Training and education play a crucial part in reducing risk while your clients manage the remote work environment.  

Phishing activity is likely to continue to increase throughout the remainder of 2020 as cybercriminals take advantage of these tumultuous circumstances. Your clients will need all the help they can get to reduce the risk of security breaches.

If you haven’t already, it’s time to invest in a complete security awareness training package. Barracuda also produced a webinar featuring tips to create an effective security awareness training program. You can watch it here.

Chris Crellin is Senior Director of Product Management for Barracuda MSP, a provider of security and data protection solutions for managed services providers, where he is responsible for leading product strategy and management.