Addressing the Mass Exodus from the Workplace

In case you haven’t heard, one of the unexpected consequences of the COVID-19 pandemic and associated economic disruption has been a massive number of people quitting their jobs. Dubbed the “Great Resignation,” this mass exodus in the workforce has led to labor shortages in many sectors along with rising salaries.

Some of this activity is directly related to the pandemic: workers in the service industry who were displaced by shutdowns but buffered by pandemic assistance payments have been able to delay their re-entry to the workforce and look for different or better jobs. However, in other sectors, these resignations seem to be driven by a general mass reassessment of work by employees who have been working from home or have been furloughed.

According to Fortune, the quit rate has hit an all-time high, although this trend has not affected every sector equally.

All this turnover exacerbates an already big workforce gap in the cybersecurity sector. The U.S. Commerce Department estimates there are about 464,000 U.S. cyber job openings, but not enough new, qualified workers to fill them, according to an article in the Washington Post. Moreover, with cyber-attacks increasing significantly during the pandemic, the need for qualified cybersecurity staff continues to grow.

Staff turnover has also generated new vulnerabilities, as many companies find that former employees have left with company data or may still have access to password-protected applications or networks.

For MSPs, this creates opportunities for business growth while also posing some hiring challenges. 

MSPs that provide security services have already seen first-hand how small and mid-sized businesses have struggled to face new cyber threats with an IT staff that has been stretched thin. Unfortunately, current employment trends are only going to make that problem worse.

While large companies may be able to handle their security needs internally, other companies will increasingly turn to vendors to provide automated security tools and services like XDR (Extended Detection and Response) and MDR (Managed Detection and Response). As a result, SMBs will need a managed services provider that can help them utilize these tools and educate their staff. 

MSPs can also help companies with a high degree of staff turnover to better lock down their infrastructure during the onboarding/offboarding process.

MSPs are also going to face their own hiring challenges. Like their clients, they will be competing for a shrinking pool of qualified candidates. There are a few opportunities to expand the field of potential new hires that could be beneficial moving forward.

For example, companies could institute training programs to help create a home-grown team of cybersecurity experts from different departments within the organization. Likewise, MSPs can help their employees learn new skills to address this rapidly expanding market opportunity.

There could also be an expansion of diversity in the hiring base, which includes reaching out to a wide variety of educational institutes and hiring employees with a more diverse set of backgrounds and technical skills that may be applicable in cybersecurity. This has the additional benefit of bringing a fresh perspective to security challenges that could help improve responses to these rapidly evolving threats.

Many of the employees who have recently resigned positions were mid-career professionals. According to the Harvard Business Review, there was a 20 percent increase in resignations by people between 30 and 45. In addition, hundreds of thousands of women also left the workforce over the past year. These former employees are typically looking for new opportunities for growth that they could not find in their previous positions.

This is a vast pool of potential employees with a professional background who can leverage their soft skills in cybersecurity positions, according to Forbes.

Savvy MSPs can seize this moment. Help clients weather workforce upheaval by providing the automated software and managed services they need to keep data and applications safe, even when they may be short-staffed in the IT department. MSPs can also help grow the pool of available cybersecurity talent by investing in their employees and hiring/training professionals from non-traditional backgrounds. 

It isn’t clear how long the volatile labor market will last, but MSPs can now take advantage of the opportunity to grow their businesses and workforces.

Nathan Bradbury is Senior Manager of Systems Engineering for Barracuda MSP, a provider of security and data protection solutions for managed services providers.

Best Practices for Combating Spear Phishing

As we head into 2020, it’s clear that cybercriminals will continue using spear-phishing attacks as a go-to tactic for attacking victims. In these breaches, attackers heavily research their targets and craft carefully designed messages, usually impersonating a trusted colleague, website, or business. The attacks are designed to steal login credentials, financial data, and other information that can be used for other crimes.

Spear phishing commonly helps enable business email compromise (BEC) attacks. While BEC attacks are still a small percentage of spear phishing attacks overall, they have caused more than $26 billion in losses over four years, according to the FBI.

In a November 2019 report, “Spear Phishing: Top Threats and Trends,” Barracuda analyzed more than 1.5 million spear-phishing emails and identified common trends and types of attacks.

In this research, we identified four common types of spear-phishing attacks:

Brand Impersonation: These attacks, designed to impersonate well-known companies and business applications, make up nearly half of all attacks. They are the most popular type of attack because they are well designed as an entry point to harvest credentials and carry out account takeover.

Scams: These attacks are designed to capture private, sensitive, and personally identifiable information, such as bank accounts, credit card information, and Social Security numbers. Attackers trick victims into disclosing the information and then use it to either defraud them, steal their identities, or both. Attacks are executed using a variety of hooks, such as lottery winnings, unclaimed packages, donation solicitations, and other tactics. 

Business Email Compromise: Also known as CEO fraud, whaling, and wire-transfer fraud, business email compromise only makes up a small percentage of spear-phishing attacks but it causes substantial losses. Scammers impersonate an employee in the organization, a partner, vendor, or other trusted person in an email requesting a wire transfer or personally identifiable information.

Blackmail: Most blackmail scams are sextortion attacks. Cybercriminals claim to have a compromising video, images, or other content allegedly recorded on the victim’s computer and threaten to share it with all their email contacts unless they pay up.

Business Email Compromise is Costly

The Barracuda research focuses primarily on BEC attacks because of their high cost. In these attacks, cybercriminals mimic typical business behavior, with most BEC attacks taking place on weekdays. The majority (85 percent) of BEC attacks are crafted to look like urgent requests meant to elicit an immediate response. As a result, three out of ten spear-phishing emails are successful in fooling employees if they impersonate HR or IT department personnel.

Because these attacks typically don’t include malicious links or attachments, they are often undetected by traditional email security tools. The attacks also rely on successful social engineering tactics.

In the past year, these types of spear-phishing attacks have caused an average financial loss of $270,000 per incident.

According to the report, business email compromise attacks have high click rates. One in ten spear-phishing emails successfully tricks a user into clicking. That number triples when the individual or department being impersonated is within the recipient’s organization. The survey also indicates that respondents believe the cost of these attacks is increasing, including financial impacts such as business interruption, reduced productivity, data loss, regulatory fines, and brand damage. One recent business email compromise scam cost a media conglomerate $29 million. 

Stopping Spear-Phishing Attacks

Barracuda has identified several ways that companies can help protect their data and financial information from these types of BEC and spear-phishing attacks.

Educate Users: Train your customers’ employees on how to recognize employee impersonation. Be sure to point out that phishing attacks don’t always need to have a URL or an attachment, and remind them to double-check email addresses and to pay attention to unusual requests.

Create Robust Internal Policies: Establish policies and protocols that require additional safeguards for wire transfers and other financial transactions. Prohibit email requests for purchases and other monetary transactions. Ensure multiple people are involved in the approval process.

Enforce DMARC Authentication: Set up DMARC authentication to protect against attackers spoofing your email domain in their impersonation attacks.

Leverage Machine Learning: Don’t rely solely on traditional email security technologies, as most business email compromise attacks are designed to bypass security gateways. Machine learning technologies can analyze internal emails and learn an individual’s regular communication pattern. Using this data, artificial intelligence can spot anomalies to predict and detect attacks that might otherwise go undetected.

Respond Quickly: Train your customers’ employees on how to recognize and report an attack. From there, you can use intelligence tools to perform threat hunting and deploy an automated incident response solution that identifies the scope of attacks and quickly removes malicious messages before any damage occurs.

To learn more, download the research report here.

Nathan Bradbury is Manager of Systems Engineering for Barracuda MSP, a provider of security and data protection solutions for managed services providers.
