Cyberattacks are attempted once every 39 seconds, according to University of Maryland report—they are pervasive and growing in complexity, sophistication and frequency. Even the most prepared MSPs can’t protect against every threat. That’s why it’s so important that employees report incidents, suspicious activity and errors immediately.
Despite this being a critical need, employees often fear backlash and recrimination for reporting mistakes and suspicions. Joy Beland, vice president of partner strategy and cybersecurity education at Summit7 and member of the CompTIA Cybersecurity Industry Advisory Council, says that is exactly what needs to happen. She outlines the key elements to help encourage incident reporting and engage employees in risk discussions.
Set an Example
Cybersecurity is frequently discussed as a focus, but Beland finds that security principles are not followed as often as they are preached. “Everything you do as an MSP is an example for your clients,” she warns. “Don’t ask clients to implement security if you’re not doing it yourself.”
She cites the example of a recent cybersecurity conference she attended where attendees were being asked to scan QR codes to access conference materials, even though that is not recommended.
“We’re going against our own practices to placate an industry, as many of us have been teaching our customers and staff not to scan QR codes as part of security awareness training.”
Beland also notes how passwords to systems are often provided to new employees.
“I know of MSPs that still send the username and password for new employees via regular email. Not providing those credentials via encryption or by sending the password and username via separate methods—such as emailing the username and texting the initial password—shows the customer that you are not taking password protection seriously.”
If you really want employees to be more diligent in reporting, you must set the standard that security is taken seriously.
Leadership can make great strides in this area by reporting their own mistakes. Beland suggests that leadership set an example by openly reporting errors.
“I have emailed our security operations center (SOC) team at least four or five times in the last year to admit to mistakes I made. Our own director of security will be the first to tell you he made a mistake. Early reporting is essential, and we all must own up to our mistakes,” she notes.
Extend Cybersecurity Training to All Departments
Beland also recommends that all departments take part in cybersecurity training. “Every role within your organization has some impact on cybersecurity—marketing, finance, HR, everyone,” she says. “You must involve everyone in training. The more you make others feel like they’re part of cybersecurity, the more they embrace it.”
She feels that departments not related to IT often feel that cybersecurity is being handled by IT departments and feel removed from responsibility, but those roles are at risk just as much, if not more, than IT.
Implement a Security Outreach Program
Employees need to be involved in cybersecurity on a regular basis. MSPs often make the mistake of conducting a training and then never following up on the skills taught. Beland recommends implementing a security outreach program to make cybersecurity training part of your ongoing internal processes.
For example, Summit7 uses security ambassadors. These ambassadors attend a monthly meeting where they learn about a new security topic. Then, they go to their respective departments and discuss how the training is applicable to their business unit or function. The next month, they report back with key takeaways from that discussion and identify the next topic. The ambassadors are recognized with an additional title and a stipend to participate.
Security outreach programs keep the conversation going and teaches staff to identify risks, but more importantly, it normalizes discussions about cyber risk.
Beland does caution that this type of program may not be effective in smaller organizations. If you have fewer than 50 employees, she recommends having a monthly cybersecurity meeting where one person is assigned a topic to discuss. This keeps employees accountable and helps to touch on areas of personal interest and concern.
Focus on Skills, Not Tools
One pitfall Beland frequently sees in cybersecurity education is focusing on a tool, rather than a skill. “MSPs often think that if they implement a security tool, their job is done. But the tool is only going to be as good as your employees’ willingness to follow the guidelines. Employees need to understand the importance of pausing to evaluate what impact their actions might have,” she cautions.
She encourages MSPs to move the focus from training on how to use a tool and move towards showing employees how to build resilience and identify suspicious activity. The tool may help you do that, but it shouldn’t be the focus.
Take Care in Your Forensic Discussions
It can be very easy for discussions to turn negative and accusatory during the forensic investigation phase. It’s very important that conversations focus on uncovering gaps and planning for future mitigation, instead of pointing fingers.
“Knowing who was responsible doesn’t help you after the fact. You only need to know why an incident occurred and what to do to prevent it in the future,” Beland says.
Offer Anonymous Reporting as a Last Resort
If all else fails, you can offer anonymous reporting options. Although, Beland says this isn’t a recommended strategy. But if you need to try and encourage reporting, but you haven’t developed a security-first culture, you may need to do this until you can implement positive changes.
Raise Your Cyber Awareness.
Learn more about earning the CompTIA Cybersecurity Trustmark.