An MSP’s Guide to Surviving Phishing in 2020

An MSP’s Guide to Surviving Phishing in 2020

Phishing is a hot topic for security in 2020. Hackers are getting smarter and security services are struggling to keep up with some of the new, highly targeted campaigns. What do you do when the user overrides every protection in place falling prey to a highly targeted phishing campaign? What does their employee do when it’s supposedly the CEO calling?

A new trend making the news is deciding who holds the liability in the event of phishing. The core argument of the suit boils down to: “[T]he MSP didn’t provide the necessary service or training required to stop the crime.” How much is on the company and how much is on the Managed Service Provider (MSP)? This whole suit will set a precedent one way or another for MSPs.

Avoiding Liability

How do you plan your security stack to avoid phishing? Do you focus on only security or do you use training as well? Do you keep your clients fully up to date against new threats? Do you cut down on allowed software at the site? How you answer and understand each of these affects how the ruling on this case will affect you.

With new threats on the black market and the continued improvement in phishing and other targeted attack methods, where exactly does the line between corporate culture and best faith from the MSP lie? This case may determine that, but this is something which needs to be worked into a contract on signing. Where does your best faith effort and their negligence begin? This can help determine your liability in an event, if any.

Let’s move on to what you can do for best practices to avoid omitting your responsibility to your client.

Shoring Up Security

A machine is 100% efficient 95% of the time. The distinction between this just being 95% is important. An ideal person will be 95% efficient 100% of the time in an ideal position. This also works out to 95%. Despite the fact our numbers work out the same, the machine never makes mistakes on the same class of problem. It has problems it just can’t solve though.

A well placed employee will be the opposite of the machine in that they can solve any problem in their arena, but will make minor mistakes randomly. The goal is for these to be far and few between, but a real life person being right 90% of the time is amazing, 95% is almost unheard of. The magic comes from combining the two, you remove the chance of the low hanging fruit from being exploited, but use human efficiency on the harder problems. You won’t get 100%, but you’ll get 99% with a little bit of training and a good security setup.

Digging Into the Technical Side of Phishing

Target how phishing works. Target the human elements of cybersecurity first for assigning technology. Where do most phishing attempts originate? They come from email and websites.

Tools like OpenDNS or Vipre Mail provide a way to stop known phishing domains and suspicious emails. OpenDNS blocks questionable domains and provides the chance to put in custom error messages. Vipre Mail stops spam emails and provides reports to companies. Combine the tool with a way to address the human causes of these problems. A tool which doesn’t tell you what happened and why is useless.

Do you employ MFA to make sure that a compromised password is a minor concern? Do you know when a password is compromised without a mess ensuing? Do you monitor the dark web for compromised information? Make sure your client takes measures for themselves to reduce technical attacks.

Training Your Users

If the average user acted like the average power user, antivirus would almost be pointless. Spam and phishing would have to become significantly smarter or it would just disappear. It just takes one employee clicking the wrong link to compromise the entire company. Have you had the first painful conversation about the fact that not everything on the internet is true with the weakest links? It’s painful, but often necessary.

“An ounce of cure is worth a pound of cure,” rings truer than ever with modern phishing. I go months without spam hitting my inbox, but when it does, it’s usually extremely well done. IRS.com wants you to report your social security number and provide a good email to verify if you have been compromised or not. What do you do?

Do you inspect the certificate first or look at the form and see if there is some kind of redirect? Or do you see the domain first? The average user doesn’t care about the difference between TLD’s and why IRS.gov is more believable than IRS.info. How much pain do you save explaining that you shouldn’t fill in information for Bank of America when your company only uses Chase?

Better Verification

What do you do if someone calls asking your department to fulfill an invoice? What do your users do? If you hear a familiar voice on the other end, you’re probably going to comply. The problem is that now we have deepfakes which can emulate a person. Are they having a bad day or are they actually a computer? You won’t know until you comply (or don’t).

Most extremely large companies employ some kind of verification system. We built our own system to prevent these sorts of issues and make it more accessible for our clients. How do you make sure a user hasn’t been fired minutes ago and is calling to get access to what they shouldn’t have access to? You don’t unless you can check.

Moving Forward

While the lawsuit hasn’t quite taken it’s course as of writing, either way, you need to make sure you solve your client’s issues. Where do you draw the line? If John in finance is allowed to use “password123”, what do you do when they get hacked? Who’s fault is it?

You have to have a plan, and you have to have a way to address any of the client’s bad security practices. Do you support them regardless, address the problem, or refuse service? Support means the potential of liability, addressing the problem depends on the client, refusing service means losing money. What’s the right answer?

There really isn’t one… yet. The best you can do is take every step towards securing your client. Focus on technology and training as well as you can and you reduce the attack surface. No matter the ruling, you should be riding your client and pushing them towards success one way or another. Make your life and their’s easier with technology and tools like ID 20/20 along with training.

Sage Driskell

by Sage Driskell