Ask an MSP Expert: Protecting remote workers from COVID-19 phishing attacks
The following post was originally featured on SmarterMSP.com.
Q: One of our customers’ remote workers recently clicked a phishing link. While we were able to prevent the attack from ultimately being successful, this is quite concerning, especially since remote workers are not within a secured network. How can we prevent end users from clicking phishing links?
You are not alone in your concern about this topic. Many MSPs have said that they are struggling with their customers’ remote workers clicking on links from unknown sources that have led to attacks. Remote workers are eager to learn the latest developments of the pandemic, and cybercriminals are capitalizing on their targets’ curiosity. They are using more sophisticated messages related to COVID-19 across a variety of attack vectors, ranging from email to social engineering posts, to gain access to confidential information or personal credentials from a highly distracted workforce.
End user education has always been a key component of a sound cybersecurity strategy. Now more than ever, MSPs need to incorporate end user security awareness training into their security service offerings to protect a dispersed workforce that is working from home networks, not behind the protection of a secured office network.
If end user security awareness training is not currently part of your service offering, have no fear: there are many products on the market that can help you. Most security awareness training products include a Learning Management System (LMS) with training material and simulation campaigns that MSPs can modify and execute with their customers as they sign on.
Things to consider
When evaluating a security awareness product, MSPs should consider the following:
- How relevant is the training content provided by the vendor?
It is very important that your customers’ end users are getting the most relevant and engaging training material to effectively educate them on how to spot the latest phishing attacks. In addition, the training material must be aligned with the simulation campaigns for you to assess the progress of the training and determine how you can further reduce the risk level for your customer.
- Implementing and administering security awareness training
Let’s face it, you’re busy. You need to be able to add new service offerings to the portfolio without adding more work for your technicians. Some products on the market allow for a ‘set it and forget it’ approach, but since the cyberthreat landscape is rapidly evolving, this is not your best path forward. You need to be able to deploy new content that takes into account the latest threat types in order to ensure end users are up to date with their education. In addition, ease of use plays a big role when it comes to the continuous administration of the program.
- Outsourcing end user email security awareness training
Administering security awareness training programs can be very time consuming. Is it a better use of your time and resources to outsource this service to a third party that can deliver it on your behalf? Some vendors not only provide a product that can assist you with delivering this service, but they also have in-house expertise and can provide the service for you. With Barracuda MSP Managed PhishLine, for example, all you need to do is provide the end user contact details and the users will be enrolled into the next campaign. This simple approach can help you grow your business while saving your resources.
Now is the perfect time to encourage your customers to subscribe to end user security awareness training. Do not let your most valuable security defense – the human – get exploited by cybercriminals. Watch this latest webinar: Tips for creating a security awareness training program, to learn more about creating and delivering an effective end user security awareness training service.