Posted by Trevagh Stankard on Tue, Aug 3rd, 2021
Is Security Awareness Training Enough to Prevent Data Breaches?
In the last ten years or so, the principles of cybersecurity awareness training have gained ground. This has resulted in companies the world over taking security awareness training seriously and investing in company initiatives to create the 'culture of security' that awareness training attempts to develop.
However, security awareness alone, it seems, is not enough to deal with the continuing onslaught of cyber-attacks. If this statement is true, what can organizations do to protect themselves against cyber-threats?
What Impact Does Security Awareness Have on Phishing Attacks?
Security awareness training covers a wide remit of potential security issues, including security hygiene (e.g., stopping password sharing), awareness of compliance and risk, and so on. The training typically also contains an element of phishing simulation exercises to train employees on how to spot phishing emails. It is important to note that security awareness has, according to research, helped to reduce cyber-attacks. However, even with a general acceptance that security awareness is important, phishing continues to be the number one method of circumventing security.
In the case of phishing threats, the statistics show that this attack type is continuing to wreak havoc on organizations across the globe. SlashNext analyzed billions of link-based URLs in emails over six months in 2022 and found more than 255 million attacks, a 61% increase in the rate of phishing attacks compared to 2021. 54% of all threats detected were zero-hour threats, showing how hackers are shifting tactics in real time to improve success. 76% of threats were targeted spear-phishing credential harvesting attacks.
While security awareness training may be an important way to manage many accidental data mishaps and misconfiguration of IT components, it is not the full answer.
The 360-Degree Approach to Security
Research shows that employees are central to cyber-attacks, with around 90% of cyber-threats starting at the human touchpoint. Security awareness training is about changing user behavior; this is not only difficult but takes time: human beings are conditioned to click on links, and human-computer interactions have been specifically designed to make the one-click experience a design goal. Changing long-held behaviors like these takes time and effort. During this time, cybercriminals adjust their tactics to circumvent any behavioral modifications. As such, phishing emails have become increasingly sophisticated to counter this effort. Phishing campaigns now use means such as spear-phishing to target individuals, social media to piggyback on trusted accounts, and drive-by downloads that exploit vulnerabilities.
The conclusion is that security awareness training is simply not enough to win the war of cyber-attrition. Security awareness must be bolstered by a 'nip-it-in-the-bud' strategy of using the best technology available to prevent phishing emails from entering employee inboxes in the first place and to prevent employees from navigating to phishing websites. This technology must also be smart enough to adjust to the changing cybersecurity landscape and new tactics. A combined, 360-degree approach to security that augments security awareness is gaining evidential support, including from a Datto "Global State of the Channel Ransomware" report. The study looked at the impact of ransomware on small to medium-sized organizations (SMBs) serviced by Managed Service Providers (MSPs). The results were staggering:
70% of MSPs saw ransomware as the most common malware threat to SMBs, with phishing and web threats being the main vectors of ransomware infection. Once infected, the downtime costs alone for North American companies were, on average, $308,900. The report highlighted the complex nature of mitigating ransomware, placing emphasis on a holistic approach that includes:
Along with employee security awareness training, these best-of-breed measures are needed to close off any gaps, especially those that involve employees being phished and/or navigating to infected websites.
Delivering the Best Security via an MSP
The shift of workloads and employees to the cloud has opened opportunities for cybercriminals but it has also created a space for the MSP to offer best-of-breed security solutions. MSPs are in a prime position to deliver the core components of cyber-threat mitigation, including malware protection.
Web threats are rapidly advancing, adding to the use of email as a vector and making phishing simulation exercises less effective. Web threats are highly sophisticated; an analysis of the threat landscape by Microsoft concluded that cybercriminals are "using techniques that make them harder to spot and that threaten even the savviest targets."
Looking at the attack vectors, cyber-attacks are built around a mosaic of opportunities, with 65% of attackers using targeted spear-phishing as the main infection vector, alongside watering hole attacks, i.e., malicious websites. An MSP is perfectly positioned to deliver cloud-based solutions that transcend the issues inherent in the work-from-home movement that has been born of the Covid-19 pandemic. This mix of cloud-based apps, remote working, and increasingly sophisticated cyber-attacks is the basis for a multi-layered security offering that aligns with and augments security awareness amongst employees. Now more than ever, MSPs must deliver a solid security strategy to keep their customers' operations and data safe.
Only by taking a wider-angle view of the situation can an organization counter the wide array of attacks. An MSP can use its ability as a SaaS provider to ensure that companies of all sizes and across all sectors have access to the best smart malware protection available.
An MSP that can offer solutions covering the areas targeted by cybercriminals gives itself a competitive edge whilst offering exceptional protection against the cybercrimes of today and the future.
Taking a Proactive and Responsible Approach to Cybersecurity
Putting too much responsibility onto our employees can be counterproductive. A balance of security awareness backed up by robust technical measures builds a stronger response to the sophisticated cyber-threats in the modern security landscape. An organization cannot rely entirely on its staff to prevent a cyber-attack, especially as we have all been trained to click before we think. Using a proactive approach to cybersecurity means making staff aware but also putting the structures in place to make sure that security awareness is not solely relied upon to prevent data breaches.
Sometimes MSPs Need to Walk Away
The most successful MSPs sometimes say no to new business. It's not uncommon for MSPs to demand that new clients upgrade to a minimum operating system or purchase warranted equipment in order to be able to properly manage their network resources. The same should hold true for security. For instance, a prospective client that insists on retaining poor password policies or isn't willing to pay for your complete security stack is one that you should probably politely walk away from.
Clients that make themselves vulnerable out of neglect or ignorance can expose your network and those of your other customers if they get attacked or infected. As an MSP, you need to promote a "We're all in this together" attitude in order to keep everyone secure. You also don't want to expose yourself to possible fines due to a client's failure to remain in compliance.
To find out more about how TitanHQ works with managed service providers to meet the requirements of the SMB marketplace, learn about the Titan Shield MSP Program.