I recently had the unfortunate opportunity to deal with a piece of ransomware that has only been in circulation in its current form for a few weeks. It took less than an hour from the time it dropped its payload to the time it was caught, yet it still managed to tear through pretty much all the servers.
So you might be asking yourself, “why is Chris telling us all about this ransomware and the successful attack?” The reason is that no amount of blinking lights would have prevented this attack from happening. Could we have reduced the likelihood? Maybe. Could we have prevented it altogether? No. And the reason, at the end of the day, is people.
Addressing the Myth
Many people assume that technology should be doing all of the work when it comes to security (i.e. more alerts = less risk). While technology is a vital part of a robust security posture, it shouldn’t stand on its own. Essentially, blinking lights and shiny objects don’t make you more secure, nor should they be what you base your security service offerings on.
I recently read an article titled "Snake Oil Salesmen Plague the Security Industry." The article revolves around an interview with Adriel Desautels, in which he talks about how products and services are built to help address the ever-evolving cybersecurity space. What gets lost in translation is where the product capabilities diverge from the sales and marketing messages used to convince us that if we just buy more of the blinking lights—another SKU among the many SKUs in their portfolio—we can prevent, reduce, or eliminate our security problems and reduce our organizational risk.
If only it were that simple. To put this into perspective, here’s a direct quote from the article above as I don’t think I could say it any better. “Simply put, the best vulnerability scanner in the world can’t detect stupidity or the malicious intent of an employee.”
Your First Line of Defense
So, what am I trying to say here? Essentially, security education and training is just as important as (if not more important than) the solution or technology, and here’s why.
First and foremost, our clients and prospective clients need to be educated on security as a process and not security as a product or service. The weakest link is always going to be the human element, and if we don’t educate them, they will continue to make the same mistakes.
It’s hard to believe that in this day and age, people are still falling for the old Nigerian Prince scam. Or, another of my favorites: someone you know has had all of their money stolen, they’re stranded out of the country, and they ask you to wire them money via Western Union... seriously?!
How to Truly Strengthen Security
This leads me to what you can do as an MSP (train your tech staff), as a client (educate your employees), or as a concerned citizen (inform your friends and family). There are three specific tips that come to mind—some of which you may already be aware of, but being aware is not the same as being able to execute or defend the why. Here they are:
1. Get Educated
So much of what happens to us is tied to assumptions; those of us who are in the know believe that everyone else should just know. Sadly, this is not the case, which is why security education is so important.
CompTIA, for example, offers free cybersecurity training for up to 50 employees for any of its premier members. There are other resources online, such as PhishMe and KnowBe4, among others, that offer training and services to help you get educated on what threats are out there.
Of course, don’t forget that the news is a great way to be in-the-know. Additionally, Continuum has regular webinars on topics like cybersecurity that are extremely helpful to partners and all MSPs.
2. Keep a Watchful Eye
When I was in High School, I had a teacher with a sign on the wall that read, “he who asks a foolish question is a fool for five minutes, but he who doesn’t ask a foolish question is a fool forever.”
You know how at the airport they tell you to report unattended bags and “if you see something, say something”? The same applies here. Be vigilant and keep a watchful eye. Tell someone if something seems out of place, if someone is behaving erratically, and so on. It might just be what saves your company from complete loss when ransomware hits.
3. Sharing is Caring
It might sound counterintuitive, but when bad things happen—not if, but when—share your experience. Hopefully you have a business continuity and disaster recovery plan in place, but no matter how good it might be, the real conversation starts once you are back to being operational. Make sure to share your stories with your peers, and report to the FBI, the Secret Service, and even your local law enforcement. Just because you were a victim of a cybercrime doesn’t mean you can’t prevent it from happening to someone else.
It’s a lot to take in, but hopefully these tips will help you be more strategic about security and ultimately protect your business and your clients’ businesses. Dealing with ransomware is never easy, and it’s difficult to be truly empathetic until it happens to you. So, think about it the next time you sit with a client or colleague and are talking about security. What would you need in order to bounce back from an attack? What are you willing to lose? Answering these questions will help you or your clients solidify a security strategy and minimize the impact of an attack.