The social engineering dilemma

Follow these best practices to protect your clients from social engineering attacks.

Nathan Bradbury, Manager, Systems Engineering at Barracuda MSP

Over the past several years, more companies have moved data and applications to the cloud. At the same time, the workforce has become more widely dispersed as the ongoing pandemic and other employment trends have increased the number of employees working remotely. As a result, the potential vectors for cyberattacks have increased.

While technology solutions can help enterprises protect themselves against these attacks, the most significant vulnerability in the network cannot be addressed by technology alone — employees themselves remain the weakest point in the security chain.

That is because social engineering attacks have grown in effectiveness, cost, and complexity. These attacks rely primarily on human psychology: attackers research their targets and craft phishing emails that fool employees into sharing data, passwords, and other information (or transferring files or money) without ever executing malicious code on the user’s machine. Because no malware is involved, these attacks are largely invisible to traditional security safeguards until it is too late.

Business email compromise (BEC) attacks are a good example of this. Cybercriminals use social engineering methods to trick users into sharing credentials and then leverage their access to the email account to launch other types of attacks. Per the Verizon 2021 Data Breach Investigations Report, 85 percent of all breaches involved some human element. And these attacks are costly: Gartner estimates that such attacks will double every year through 2023 and cost targeted companies as much as $5 billion, with an average cost of $4.24 million.

There are many other types of social engineering attacks, too, such as consent phishing, deepfake videos, and blackmail schemes. Each relies on an employee’s inherent trust (or, in some cases, inexperience), which increases the likelihood that they will respond to a well-crafted phishing message.

Employee Awareness Training is Critical

For MSPs, this means that simply deploying robust security technology is not enough to ensure client data and applications are safe. Instead, MSPs must help their clients create a culture of cybersecurity and encourage them to invest in employee awareness training, phishing simulation, and ongoing education to help protect their staff.

This is not an easy task. A successful security awareness program has to do more than educate — it must also produce meaningful changes in employee behavior. The program should teach and reinforce best practices to help employees identify suspicious activity and avoid making dangerous and costly mistakes.

Set Clear Goals and Objectives: MSPs should help their clients establish a well-defined vision for their security objectives so that employees have a clear idea of what is expected of them. What does a successful security program look like?

Develop Metrics: Employees should have a clear idea of how their security performance will be measured against that vision. Companies should measure security awareness training completion and participation in ongoing education programs.

Tie the Metrics to Business Outcomes: Track the causes of cybersecurity incidents so that employees can see how reducing human error lowers exposure to these threats. Clearly outline how these attacks can affect revenue, costs, risks, brand reputation, and other business drivers.

Include the C-Suite: BEC and other social engineering attacks have increasingly targeted not just lower-level employees but also C-level executives. Ensure employees at every level are adequately trained to identify potential phishing attacks and know how to respond to and report these incidents. Executive buy-in will be critical to the success of the program, and using real-world examples of C-level security breaches can help drive the message home.

Leverage Technology: An excellent way to measure the success of an ongoing education program is to deploy phishing simulation solutions. These simulated attacks help the MSP and client evaluate how well the training has worked and identify employees who may need additional help.

Lock Down Remote Access: The shift to remote work and work-from-home scenarios has complicated cybersecurity practices. Reminding employees to use only authorized devices and networks can only take you so far — personal devices and home wireless networks will remain an ongoing concern. Deploying zero-trust access, strong passwords, multi-factor authentication, and other controls provides a safety net for errant user behavior.

Create an Ongoing Awareness Program: Security awareness training is not a one-and-done program. Cybersecurity threats are evolving every day. Therefore, MSPs should help their clients create an ongoing education program that uses regular security alerts, newsletters, and periodic training events, along with an established program for onboarding new employees.

Creating a cybersecurity culture will help your clients prevent successful social engineering attacks. Regular education and training across the organization should be part of a holistic approach to security for every MSP.

Nathan Bradbury is Senior Manager of Systems Engineering for Barracuda MSP, a provider of security and data protection solutions for managed services providers.