Let’s be honest, managed IT can be a nuisance to end users, particularly when it comes to security considerations. They’re interested in doing business, not updating their passwords every three months. They may smile and nod politely when presented with safety precautions, but IT security has nothing to do with their daily operations.
That’s where you, the managed IT provider, enter stage left to protect these people from, well, themselves. Your role is to inform them of best practices, show them what to look for with suspicious correspondence and paint a clear, vivid picture of the hell that can result from taking a relaxed approach toward security measures.
Jeff Leder, the director of managed IT security services for Impact Networking of Lake Forest, IL, feels the single greatest blind spot and attack vector can be found in unprepared users. He notes that malicious actors often seem to prioritize social engineering tactics over adversarial techniques, thus advanced security awareness training is a vital first step toward enhanced cybersecurity.
“Other areas of concern often include inattentiveness and complacency as it pertains to IT infrastructure,” he added. “Baseline security practices like patching, proper firewall configuration, and password policy management which are overlooked create dangerous situations for client organizations.”
As organizations scale, Leder notes, the potential increases for users to be less aware of the dangers lurking from the outside. Even the antiquated Nigerian prince scam has become sophisticated and complex, while other phishing attacks prey upon people’s fears by indicating their information may have been compromised during an actual attack, thus riding the coattails of a successful data breach. This underscores the importance of implementing security training and launching simulated phishing attacks that use a variety of tactics to help show users what they should look for in identifying potential red flags.
“When you follow the simulations with training campaigns for users who fall susceptible to various tactics, it’s a great way to ultimately lead users down a path where they really do think before they click,” he added.
Have Device, Will Travel
When a dealer such as Cincinnati-based Donnellon McCarthy Enterprises takes over the managed IT needs of a client, one of the greatest vulnerabilities that exists lies in outdated equipment, according to company President Jim George. Some of it may be overlooked and underused, but it still represents a danger zone. Some businesses haven’t upgraded to Windows 10 or are still running old servers.
“The Internet of Things is creeping its way into business like bring your own device has,” George noted. “These types of devices help hackers find vulnerabilities and create issues. There is also an educational process on the type of actions that users need to avoid breaches. Our suggestion is that businesses make cybersecurity education part of their orientation process.”
Derick Tallman, IT security and operations manager at Access Systems of Waukee, IA, notes his dealership relishes its advisory role and the importance of illustrating to clients the controls and solutions that are the backbone of cybersecurity protection. Access Systems hosts lunch-and-learn events to cover some of the more remedial elements of strong security practices, and tests user vulnerabilities through simulated email phishing attacks, buffered by integrated training.
Part of the challenge, Tallman points out, is balancing end-user convenience with securing systems. “Does a client want open systems that are easy and convenient to access, or do they want to lock down their systems with strong IT controls such as strong passwords and multifactor authentication?” he posed. “Some of the biggest blind spots we face are updating system components as customers may feel that their systems aren’t ‘broken’ today, so why do they need to update?
“Staying on top of recent system components – from updating and patching operating systems and programs to getting hardware that is within warranty – can help minimize the security risks that the business faces. Having customers understand that having their data backed up is no longer just for the risk of physical data destruction, but can be a lifeline in the event of a security incident is also frequently addressed.”
Specific Attacks
Attacks can come in many forms and through various vulnerabilities, and for AIS of Las Vegas, the job requires navigating clients through the mass of threats, notes Monique Phalen, director of IT. They can range from gift card scams to social engineering and Google Drive attacks. AIS simulates phishing attacks through Webroot and provides certifications to employees, compliance officers and operations managers to enable clients to test at the company level.
AIS constantly polls companies, business and technology leaders to gauge what is working, along with what is emerging. “We’re that man behind the curtain; we don’t want the customers to see us working behind the scenes,” Phalen said. “We want end users to feel safe and secure, but encourage them to always keep one eye open. It’s actually quite interesting to see all these ways people try to come up with to attack businesses…it never gets boring.”