Empowering your end users: the basics of employee cybersecurity training
Various misconceptions about cybersecurity exist within the IT solution provider (TSP) industry. While we could list a dozen of these, one stands out among the rest—risk. Many clients who hire a TSP believe they’re completely protected and no longer at risk from the evolving threat landscape. But while MSPs and TSPs offer added protection from these threats, they still leave them open to the most significant risk to an organization’s information security—their employees.
According to a recent study, 85% of cyberattacks are caused by human error. Knowing that it’s people causing this significant weakness, it’s the responsibility of TSPs to educate and empower their employees and clients to prepare for, recognize, and prevent cyberattacks.
Creating a comprehensive cybersecurity awareness program
To best protect your clients, it’s imperative to establish cybersecurity training for them and their employees so they can better understand their responsibilities, learn how to protect sensitive information, and recognize signs of malicious threats.
As a TSP, you will likely be responsible for providing cybersecurity education, training, and guidance on needed policies. Any robust cybersecurity awareness training program should cover the following:
- Phishing and social engineering
- Access, passwords, and connection
- Device security
- Physical security
Are you prepared with the resources and knowledge to execute this training for your clients? If not, we’ve got you covered. Let’s take a deeper look at these important pillars of robust cybersecurity education.
Phishing and social engineering
Social engineering is a malicious attack on a user or administrator by deceiving them into divulging information to a bad actor. Phishing is a common social engineering tactic where attackers attempt to get sensitive information like passwords and credit card information by masquerading as a trustworthy source.
Common phishing attempts often require the victim to click on a link, open an attachment, send sensitive information, wire money, or take other actions that leave them and their information vulnerable.
As threat actors continue to create new methods and schemes, their tactics are even more challenging to detect, especially when it looks like it’s coming from a credible source like your CEO or coworker. However, these deceiving attacks often offer a few tell-tale signs, including:
- Content errors. Incorrect spelling, typos, and links containing random numbers and letters are red flags.
- A sense of urgency. An unusual sense of urgency with an immediate request for money or sensitive information indicates the email may be a phishing attack.
- Incorrect emails. An easy giveaway to phishing is when the email sender has a questionable email address. It’s essential to verify the email address before taking any action.
If your clients inevitably click on a phishing email, it’s crucial to take immediate action. Some steps you can take right away are:
- Informing IT as soon as possible. Telling the right person or department is critical in preventing a phishing scam from spreading company-wide. Encourage your clients to ask you to investigate or provide next steps.
- Resetting passwords. To avoid additional data loss, change passwords on professional and personal accounts to minimize damage.
Access, passwords, and connection
Client cybersecurity training is an excellent time to discuss different aspects of the network, such as access privileges, passwords, and the network connection itself. Both the client and their employees may benefit from a deeper understanding of what these do and why they’re essential to business security.
Generally, users with privileged access perform administrative-level functions or access sensitive data. All employees should know if they’re general or privileged users so they understand what information, applications, or processes are accessible to them.
Similarly, employees should be using best practices regarding the passwords they create, especially those used to access IT environments. In general, secure passwords should:
- Be unique to each app/site
- Have at least eight characters
- Contain letters and special characters
- Stay away from obvious information like names and birthdays
Additionally, passwords should be updated or changed about every six months.
While it may be less obvious, employees should also be wary of network connections outside of their homes or workplaces. Even if data on their device is encrypted, it’s not required that a connected network transfers that data in an encrypted format, which opens the door to many different vulnerabilities.
Employees need to be aware of vulnerabilities in public networks and how they could potentially be putting all data exchanged on that network at risk. Encourage end users only to use trusted network connections or a VPN to ensure a secure connection.
Device security
In a time where bring-your-own-device (BYOD) is popular, many businesses have become a threat actor’s paradise. As a TSP, your clients are often looking to you to educate their employees on the importance of device security.
When a mobile or personal device enters the workplace, it connects to the corporate network and accesses all company data. Every device creates more endpoints and opportunities for attackers to capitalize on. Without a secure connection, any mobile device could compromise the corporate network. Therefore, securing these devices is imperative to prevent a business catastrophe.
The same threats posed to company desktops and laptops also apply to personal mobile devices. Tablets and smartphones may be even less secure because they don’t have pre-installed endpoint protection. To protect the company and its data, users should be mindful of the websites they browse, the apps they install, and the links they click.
Physical security
Unfortunately, digital cyberthreats are not the only risks your clients and their employees should be aware of. Physical security also plays a key role in keeping sensitive information protected.
While clients and employees often overlook or dismiss it, it’s important to take physical security seriously.
It’s easy to mistakenly leave a mobile device or computer unattended—it happens to all of us. However, if someone swipes an employee’s unattended phone or logs in to their computer, their data will immediately be at risk.
The best way to protect your clients and their employees is through awareness. Your clients can increase their physical security in and out of the office by:
- Locking up all devices. Get in the habit of doing this every time you leave your desk. For Windows users, press and hold the Windows key, then press the “L” key. For Mac users, press control, shift, and eject (or the power key) simultaneously.
- Locking your documents. Store all your documents in a locked cabinet rather than leaving sensitive information hanging around your desk. Before leaving for the day, stow essential documents in a safe or locked cabinet.
- Discarding information properly. When throwing away or getting rid of documents and files, ensure you’re shredding them and discarding them appropriately.
Your job as a TSP is to protect your clients, and our job is to support you
The ConnectWise Partner Program was created to help our partners grow their businesses by investing in their strategy, marketing, and sales initiatives. Whether you grow at your own pace or with help from our team of experts, you’ll access educational resources, in-depth training videos, marketing assets, go-to-market campaigns, and community-based events to deepen your knowledge and expertise to grow your business.