An MSP will take a layered approach to toolsets protecting from the end-user device through to the data at the systems level including protecting your data in case of a successful breach. Most often the right combination of honed technologies, security expertise, and processes enable the MSP to address issues and breach attempts before they become disruptive for your employees or your business.  

An important element to an effective defense strategy is your employees. Afterall people are the livelihood of every business. The bad actors know that too and target them for access to your network. With that, more than 90% of successful data breaches start with spear phishing attacks originating with an ill-prepared employee. That makes for a terrible day for that employee and the business. It’s critical to prepare employees to be that first line of defense. An MSP should provide end-user education in the form of consistent training and reinforcement helping people within organizations be sensitive to threats and not take the bait. This helps employees be vigilant against cyber criminals both at work and at home. It’s an essential piece of an effective cybersecurity threat protection strategy and a meaningful way to care for your employees. 

Prior to training it is common for a minimum of 60% of employees to fail a phishing test. Once the initial training is complete, it is not unusual for that failure rate to drop to nearly zero. However, after five to six months – if the training is not consistent – that failure rate starts to go up to 10% or more. This points out the need for the training to be consistent.  It doesn't have to be extensive but should serve as reminders that vigilance is important. 

There is a lot of flexibility in both format and delivery of this type training. The curriculum can be delivered through pre-produced video modules that are designed to guide the employee through the learning and prepare them for their critical role in the company’s cybersecurity defenses.  

This type of training serves a number of purposes. The first is the training itself and the value of having an aware and vigilant workforce. This training should be designed to help your employees become aware of social engineering tactics that do not have as much cybersecurity awareness such as Baiting, Pretexting, Smishing or Tailgating to name a few.  

The second purpose is auditing. This platform of continuous testing provides the company the ability to monitor users’ ability to spot suspicious emails. Whether it’s for new hires or existing employees, this type of automated training allows companies to identify gaps or problem areas that can be addressed proactively with additional training. 

Industry best practices indicate that this level of training should be continuous and regular. Once a year is not enough. Remember, the bad actors are relentless. The Cybersecurity Infrastructure Security Agency (CISA) has reported that in 60% of the attacks profiled, initial access was via a phishing link, or a phishing attachment. If you can solve that one problem, you've solved a lot of the security breaches that occur. 

Training and testing can identify next steps in strengthening your defenses. SMBs should work with their MSPs to implement other security platforms tools and meet at least quarterly to reinforce security protocols. This leads to the development of a roadmap that identifies high priority issues. Those issues, effectively and rigorously addressed, will keep the Human Firewall strong. 

To learn more about how Envision IT can maintain the health of your technology environment, strengthen your security posture, and help your organization address the ransomware crisis from “readiness to response”, visit us at www.envisionitllc.com or give us a call at 608.824.2060.