For many channel partners, such as VARs and MSPs, cybersecurity-awareness training is a first stop in their quest to harden their customers’ networks against attack.
That’s because the human element is most difficult to counter and presents the greatest risk to corporate assets. Obliviously clicking a single rogue email can shutter a company. But once partners pluck the low-hanging fruit, it takes a keen ear and deft emotional skills to educate management about ongoing risks.
Delegates to our Brisbane roundtable discussed how they build urgency to release budget, legal issues of failure, and even their own capability to repel attacks against their managed networks and so save their customers from criminals, thieves and spies.
Do customers ask the right questions of their cybersecurity advisers?
Jon Bunch, Bay Technologies
Departments formed out of MOG (machinery of government) changes are typically without the right resources so they’re very dependent on vendors to provide ‘as-a-service’. In Queensland, something like HPW (Dept of Housing & Public Works), a large and growing organisation, tends to have more mature security policies and processes that they need to ensure are continued when you provide them software or services. But in a void, we tend to fall back on well-known technologies like Azure, a very respected and certified platform, because we can distribute databases, the files, and so on through a private network back to their own subscription. So, we find that to pay large dividends because we reduce our risk.
So, it’s just a very typical and very methodical situation to navigate and the only way is by showing you have either partnerships or access to good processes and products that underpin the end-customer’s concerns.
What questions should resellers & MSPs anticipate from customers?
Shane Varcoe, Webroot
We see that, through the amount of phishing attacks, they’re not asking any types of questions except, ‘Please, help?!’ So, the onus is on us in the channel to educate them.
Users, for instance, give away their passwords too easily and they probably use the same password for every account. So next thing, criminals are stealing from their bank accounts.
Our partners often come in after something’s happened and so the key question is, how do we get end-customers to start thinking about preventing data breaches, as opposed to waiting for something to happen? We haven’t really been able to answer that question.
Nate Cochrane, CRN
Looking at the latest government Notifiable Data Breach (NDB) quarterly report, the data most likely to be stolen, by nearly twice as much as the second category [financial details], was contact information. So maybe customers and companies don’t think too highly of their contact information but, for hackers, it’s a stepping-stone to more lucrative pickings.
Christian Greifeneder, Webroot
Just like they once sought out credit card lists, criminals now highly value lists of users. The NDB law has been in for more than a year but many people don’t know what to do when they get breached and that they face the prospect of heavy fines [up to $2.1 million]. So ignorance is a real cost.
That’s a module in Webroot’s security awareness training, a quick video that shows what to do when breached. These are questions the channel should pose: What’s your breach policy? And what will you do if you are breached? We must build a plan in partnership with the customer.
How can partners improve cyber-security awareness & lift training success in their customers?
Robert de Haan, Layer 8 Security
Most people don’t want to be trained. They’re not security geeks. They’re sat in front of a computer and a week later, they forgot it all. Just because someone knows what to do, doesn’t mean they’ll do it. You have to look at why people aren’t secure. What’s their attitude?
Do they accept it as part of their responsibility? What about corporate culture? Are they like most companies and saying, “No, it’s an IT problem”? And you must measure it and change behaviour. So it’s not just training on phishing—a good starting point from a client’s perspective—but you must look deeper.
You can have an amazing product and if you don’t deploy it correctly, it won’t be effective. So, in security-awareness training, Webroot found what is most effective is a process with people. MSPs say to human resources (HR), “Let’s build our security awareness so if somebody doesn’t take training seriously, they’re fired.” You don’t need to fire them but if their boss has to repeatedly ask, “Why are you not taking this seriously?” then you’ll see better results. So next time a phishing email comes in, they have tools and knowledge to spot it and not interact.
Robert de Haan
The CIO/CISO has a budget for a tenth of what they need. So we engage with HR, governance and risk, compliance, communications, e-learning, and executives. And if C-level doesn’t push down, your success rate’s very low. Before we deploy in the customer organisation, we ask the CEO to email all staff, saying: “The IT guys do an amazing job but attacks are coming from everywhere. Join with us and it’ll help you personally.” Our success rate is higher doing it that way.
Eric White, Dialog IT
Everyone who touches a computer needs cybersecurity awareness training. But if you’re leading a project, training everyone seems extremely large by comparison. As an external consultant, we train someone in the organisation who becomes the champion to run the program. We can only give the advice and prepare them to disperse that training to others.
Are there hidden benefits being a cybersecurity-aware organisation?
I turn it into a commercial discussion — now we’re certified, it’s easier to do business with other certified companies because they’re aligned with our thinking about mitigating risk and mature security policies. The quicker we mature our processes, the easier for likeminded companies to deal with us and that increases our commercial capacity without calls or marketing.
Darren Jansz, IPVS
In mid-market, customers are ‘just-in-time everything’ and dipping their toe in the cloud. They rely on the telco to provide a router with firewall and think that’s security. So the low-hanging fruit is the mid-market doesn’t know what it needs. Management doesn’t know the repercussions of a security breach and aren’t insured and the IT manager is reluctant to speak up. So partnering with law and accounting firms elevates their awareness of risk factors. And then it goes on the agenda and gets budget.
How can partners build urgency in time to make a difference?
James Kahn, Idea 11
If you don’t bake cybersecurity into your engagements, you do yourself and your customers a disservice. We recently took out an indemnity cybersecurity policy to cover us if a mistake resulted in a cyber incident. But that’s the last line of defence; you still have to do everything else right.
We do cloud migrations and we encounter environments that are a mess — on-premises, legacy IT. With one in particular, we would have been irresponsible not to speak up. So we wrote a two-page board paper detailing what would happen if they didn’t solve their cybersecurity, and it unlocked budget. If something is enough risk, you can create budget. They often don’t understand action and consequence; if you continue on this path, this will happen. And we’ve got to the point where cybersecurity breaches are not a maybe, they’re inevitable if you don’t solve those challenges.
Warren Simondson, Ctrl-Alt-Del IT Consultancy
SMBs and mid-market businesses look to all of us for answers. If there is a breach, whose responsibility is it to report? Is it the customer or is it us, as service providers? The customer says they won’t say anything because they’ll be fined, and the service provider doesn’t want to be sued. Ethically, how do we approach this? As a forensics investigator, I’m going to stay with my ethics and how I was trained to ensure that I report large breaches. Now, do you think I’m popular with my customers? Not a chance in hell.
If an uninsured SME were fined, they could lose their business. And if they were to see that that risk is so high, they would perhaps do something about it. But there’s not a dollar to be made out of small SMEs so no one tells them.
Law firms have incredible data and they’re often structured as SMEs. A law firm I know had its RAID wiped. They calculated how much they were losing an hour in fees. They couldn’t function without their databases. They couldn’t ring a client and say, “Your case is on tomorrow”. Their entire business halted because of a simple database. And they weren’t calculating how much the data loss was, but how much they were losing in fees. That’s where you hit ’em. And boy did they move.
I spent years doing disaster recovery and there’s nasty statistics around catastrophic events like earthquakes — a company based on cash flow can go broke in two weeks. And so with the earthquakes in Newcastle, around 40 per cent of businesses never reopened. A cyber breach can do just that to your business.
How can trusted advisers bolster the human element of cybersecurity in their customers?
The Chinese always get blamed for data breaches and I still don’t know why that is because most breaches are internal – former employees and troublemakers. We must offer management that education to say, “Your staff could just pick up the data and walk with it today”.
We’ll never solve the challenge of people. But every organisation should install two-factor authentication (2FA) for all external access. Even if you train your people, sometimes the CEO’s secretary will get the email saying, “Click here to reset your Office 365 password”; they’ll click and whatever you have won’t help. But if you go 2FA, whoever hacks those credentials won’t get in.
Try the old retail ‘secret customer’ trick. In Townsville last week, I asked at the front counter, “I’m here to see Dan”; I simply looked up a name on the list. Then I got out my phone and asked if I could use their Wi-Fi to send an important email. And they told me their password. So, apply what retail’s been doing for years to social engineering: ring up and ask, “Do you have your boss’s email? Do you have his mobile number? Know where he is right now?”
Are MSPs doing enough to protect themselves and thereby customers?
We’re as secure as we can be, but you have to invest in your own backyard and have the right principles, policies and frameworks. So we use 2FA, have encrypted hard drives everywhere and intrusion prevention systems on everything. The recent ‘Cloud Hopper’ MSP breaches showed our customers need us to be vigilant. So we’ll be certified to the MSP3 [MSP Partner Program] from the Australian Cyber Security Centre as a secure MSP for government customers.
How can MSPs do more to help their customers?
When a customer comes to you, first find out why. That tells you what you must fix, and not just security. Learn where your customers go wrong and apply a security audit with awareness training. Pop in DNS protection and look at people’s risky browsing behaviours. That may explain why PCs are slow, because they picked up bad ads. Take a holistic approach and use the free tools for security audits. Look at the network and the protocols. And then go to the customer with a report on what needs fixing.
Hardcore security specialists forget customers are out to make money and serve their customers. If security inhibits them or is painful, they rebel. So I take this view of permissive capability – what you can do securely. If you have a security strategy that locks SaaS platforms, prevents shadow IT, it’s a barrier that slows the business. If it’s permissive, people do what they must and get access to the applications they need. That’s a win. We’re cloud-first and all our services are SaaS and we expect customers to do the same. It has to be permissive so, for instance, they must be able to use Dropbox to share files.
There’s not a problem with shared Dropbox; problems occur when they sync to local PCs. For example, if you sync to somebody’s home PC that has a virus and they push that back up to the server they share with their team.
How do you do that while keeping the data secure and keeping it protected? If you stop your business or your customer’s business from moving quickly, they lose their competitive advantage, part of which might be speed.
That conduit between business and supplier is not to your corporate document, it’s to quarantined documents. So you need mechanisms where you don’t mainstream that into your network.
Stephan Coint-Bavarot, SmileIT
We make the board understand that IT is there to help and, if part of their strategic plan, we anticipate the tools they need. So we work a lot on management framework. Take 2FA, for example — 10 years ago, no one was talking about that and in two years it’ll be not enough. So tools are great but framework [helps] people understand what they’re authorised to do, and that streamlines the business. Then they have a vision of where they are going and where they spend monies, and that’s what helps business.
GM, Bay Technologies
Operations Manager, Smile IT
Robert de Haan
CEO, Layer 8 Security
Cloud Communication Expert, IPVS
Sr Network Engineer, CloudPlus
MD, Idea 11
Solutions architect, Trimble Networks
IT Forensic Investigator, Ctrl-Alt-Del IT Consultancy
Solution Architect, Dialog IT
APAC Sales Manager, Webroot
Business Sales Engineer, Webroot
APAC Sr Mktg Mgr, Webroot
Contributing Editor, CRN