Helping Your Clients Resist Social Engineering Attacks

As an MSP and cloud computing provider, you probably feel as though you eat, sleep and breathe data security. However, your customer base represents an area of potential vulnerability over which you have limited control.

One thing you can do is educate your clients about data security to minimize some of the most common and avoidable risks, particularly social engineering threats.

Social engineering attacks are designed to circumvent even the strongest cyber security technology by taking advantage of human vulnerabilities. They play on people’s natural desires to share things they know or just to be helpful when someone asks a question. Unfortunately, that can lead to the exposure of extremely sensitive information to criminals.

Here are some of the steps you can take to help your clients learn to avoid social engineering threats:

  • Be aware of the types of attacks that are prevalent and pass along the word when you hear about new schemes that are gaining in popularity. For example, your clients’ employees should know to be suspicious of questions and “surveys,” either over the phone or via email.
  • Suggest that your clients make sure there are well-understood social media policies in place to prevent employees from releasing company information that should be private.
  • Have your customers carefully consider what information their company has that would be valuable to a cybercriminal and make sure to establish protocols for protecting that information. For example, during a demonstration at a 2010 hacking conference, participants were able to get employees at almost every company they called to tell them things like, “who handles a firm’s tape backups, the browser and browser version an employee uses, the software used to open PDFs, whether a company has a cafeteria and who operates it, etc.” All of that information could possibly be used for criminal purposes, even though it may seem harmless on the surface.

Encourage your clients to create and disseminate clear policies for information handling and cybercrime awareness that apply to every one of their employees and contractors, backed up by training. This training should include coaching on good personal judgment about whether an inquiry is innocent or suspicious, including:

  • Whether the person asking the question has a legitimate reason for having the information they’re requesting.
  • How to tell if someone seems to be “fishing” for information.
  • Not letting a person wear you down or pressure you into revealing information you know your company policies prohibit you from sharing.
  • Sensing that a question being asked does not match the role the person inquiring has identified for themselves.

A lot of that training ultimately relies on developing people’s gut feelings, but when backed up by policies and procedures, it can go a long way toward keeping data safe.

MSPAlliance members can purchase Cloud and MSP Insurance, including Cyber Liability Insurance, at very competitive rates.