In today’s IT environments productivity is necessary, uptime is essential, and security is critical. The latest hardware and software provide layers of protection in hopes of preventing cyber attacks. The newest technology causes most IT providers to forget the weakest link: the end user.
A typical user focuses on their job responsibilities without prioritizing security risks. A surprising number of security breaches stem from users unknowingly granting administrative access or installing crypto-malware—all due to a lack of user security awareness and training.
Common Malicious Security Risks for End Users
Employees in all divisions within an organization are subject to malicious threats. Believe it or not, computer users are not the only people who represent a cybersecurity risk. Warehouse workers, receptionists, and delivery drivers are potential vulnerabilities too. Security awareness and training are not intended for a specific group of users, but for the entire workforce.
Security breaches come in many forms: technical, physical, and administrative. Training employees in these areas reduces the risk of data breaches, lowers reactive noise (unplanned support tickets), helps the service provider operate proactively, and prevents lost productivity.
A baiting attack exploits a person’s curiosity. An attacker may leave a USB memory stick in the open—labeled ‘Confidential’ or ‘Payroll files’—to bait a user into plugging it into their computer. Attaching it to a PC would then activate malicious code or files with the intent of accessing company information.
Phishing attacks are the most common social engineering technique. Attackers use email, social media, or SMS to trick victims into divulging sensitive information or to direct the user to a malicious website to infect the user’s PC. Like baiting, phishing usually involves a method of attracting the user’s attention by leveraging their curiosity.
A spear-phishing attack is like a regular phishing attempt but targets a particular end user. This is usually accomplished by the attacker impersonating another employee—like a member of Human Resources—and requesting specific information.
A whaling attack uses sophisticated social engineering techniques to steal confidential or personal data. The information typically has significant value from an economic or commercial perspective. What distinguishes whaling from phishing is the target: executives or heads of government agencies. The term "whaling" implies there is a bigger fish to capture.
Quid Pro Quo
A common tactic of a quid pro quo attack is calling a user while impersonating technical support. The attacker attempts to befriend the user by fixing their issue in exchange for access to the user’s PC or other information. A user may unwittingly grant access to the individual because they assume the caller is from their service provider.
Tailgating, or ‘piggybacking’, is a simple and very common attempt at physically accessing a restricted area. An attacker may follow an authorized employee, delivery person, or warehouse worker by waiting for someone to open the door and stepping through behind them, bypassing security measures. These attacks are common in areas with many employees because of the constant movement of people in and out of the restricted area.
Human Social Engineering
Gaining access to sensitive information and security-question answers can be as simple as talking to another person. An attacker will befriend an employee, asking questions that gradually lead the employee to divulge the data they need. A common example is gaining a user’s trust and having a conversation on topics like their choice of password. The attacker will steer the conversation towards their own process of selecting a password and get the user to reciprocate.
Benefits of User Training
User training provides benefits to the service provider when implemented regularly. Cybersecurity awareness is important and working with clients that trust their vCIO strengthens the strategic relationship.
Implementing a recurring training program creates a steady flow of Non-Recurring Revenue (NRR). Training sessions have the potential to generate multiple revenue projects per year. A Technology Service Provider not prioritizing user training is a surprise, to be sure, but an unwelcome one. Training strengthens and reinforces the strategic relationship. When a customer trusts their IT service provider, they are more willing to accept recommendations. Clients with strong relationships do not see recommended expenditures as a sales pitch or revenue-generating scheme, but as advice from a partner concerned for their best interests.
Users who identify threats and resolve minor issues on their own reduce tickets, which in turn reduces Reactive Hours per Endpoint per Month (RHEM). A self-sufficient customer—even one eliminating only a handful of tickets per month—is a great boost to efficiency. Fewer tickets lower RHEM, and lower RHEM leads to an increase in margins.
Ultimately, security awareness and user training benefit both the service provider and the client. There is no reason to deny a customer the knowledge to prevent their own issues. Self-sufficient users are more productive, more efficient, and better customers in the long run.