The attack on SolarWinds, an IT infrastructure management software firm based in Austin, Texas, may be the most damaging cyberattack ever directed at U.S. federal agencies. The full scale of the espionage campaign is still unknown, but the attackers inserted malicious code into updates of the company's Orion platform, gaining access to the IT infrastructure of customers who dutifully installed them. By compromising a single vendor's build process, the attackers reached thousands of other organizations, from private companies to the Departments of Commerce, Treasury, Homeland Security, and Energy. (Up to roughly 18,000 customers downloaded the trojanized update; the attackers then selected a much smaller set of high-value targets for follow-on intrusion.)

Technology Firm Vulnerabilities

This is certainly not the first time a technology company, whether an IT infrastructure provider or a software vendor, has been used as a backdoor into many networks at once. Technology companies are very attractive targets because they hold the keys to every critical aspect of their clients' businesses. The Cybersecurity & Infrastructure Security Agency (CISA) has issued multiple alerts about persistent, advanced threats targeting managed service providers (MSPs), including this one from October 2018:

“MSPs provide remote management of customer IT and end-user systems. The number of organizations using MSPs has grown significantly over recent years because MSPs allow their customers to scale and support their network environments at a lower cost than financing these resources internally. MSPs generally have direct and unfettered access to their customers’ networks and may store customer data on their own internal infrastructure. By servicing a large number of customers, MSPs can achieve significant economies of scale. However, a compromise in one part of an MSP’s network can spread globally, affecting other customers and introducing risk.”

Securing Our Own House

It is incumbent upon technology firms to ensure they use best-in-class security measures to protect their own infrastructure and, by extension, their clients'. DKBinnovative Security Operations states: “MSSPs are a critical target for cyberattacks because if the MSSP domino falls then all the down-chain clients can potentially fall as well, so it's fundamental to ensure our own house is secure.”

The Importance of Training

Proofpoint's 2020 User Risk Report found that only 49% of U.S. workers could correctly define phishing. Yet the 2020 Verizon Data Breach Investigations Report (DBIR) attributes 67% of breaches to credential theft, errors, and social attacks such as phishing and business email compromise. This knowledge gap is a large opportunity for employers to improve their security with minimal time and expense. Over the last few years, the DKB team has developed an anti-phishing program and methodology built on four elements: simulated phishing tests, risk scoring, security awareness training, and a rewards system. It has proven successful. One healthcare client that was heavily targeted by email attacks saw its phishing click rate quickly drop from an initial 40% to about 20%, halving the share of employees who would have let an attacker in. The numbers continue to improve with ongoing training.

Lessons Learned

Designing a phishing training program, testing it on our own employees, and rolling out the final product in client environments has been eye opening. Here are some lessons we've learned that you can apply to your own company.

#1 Little Time, Frequent Repetition

With as little as 10 to 15 minutes of training per month, employees can greatly reduce their susceptibility to phishing. Research on micro-learning, an educational approach that favors bite-sized lessons, shows the content is more memorable and absorbed more efficiently than longer formats, and it does not interrupt productivity. It does take a long-term commitment, however: phishing tactics keep changing, so employees need continuing education to keep up with them.

#2 Customize for Ultimate Impact

For the greatest impact, have your MSP tailor a training and testing program to the needs and risk profile of your firm. Every company is different, and different data is worth different amounts to different bad actors. If your company faces even a slight risk of competitor or foreign espionage, you need training for that scenario. If your company holds the personal details of thousands of clients, you need training for that too. A generic program is a good start, but it does not meet the training requirements for combating today's sophisticated cybercriminals. The modest cost of customized training can save countless dollars and reputational losses in the future.
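To make the testing, risk scoring and rewards elements described under The Importance of Training concrete, here is an added example of how simulated-phishing results can be scored. It is not DKBinnovative's program or tooling: the campaign records are constructed, and the action weights, the 180-day half-life, the 2.0 risk threshold and the scoring date are all assumptions chosen for illustration. It also tracks the report rate alongside the click rate, since a falling click rate with a flat report rate means users are merely ignoring lures rather than recognising them.

```python
"""Score simulated-phishing results: campaign click rate, per-user risk,
and a reporter leaderboard for a rewards program.

Added example; not DKBinnovative's program. All records below are
constructed, and the weights, half-life and threshold are assumptions.
"""
from collections import Counter
from datetime import date
from typing import NamedTuple


class Result(NamedTuple):
    campaign: str
    sent_on: date
    user: str
    action: str  # worst action observed for this user in this campaign


# Assumed weights: contribution of each action to a user's risk score.
# Reporting earns a negative weight; entering credentials on the landing
# page is the most serious outcome a simulation can record.
ACTION_WEIGHTS = {
    "reported": -2.0,
    "ignored": 0.0,
    "opened": 1.0,
    "clicked": 3.0,
    "submitted": 5.0,
}
CLICK_ACTIONS = frozenset({"clicked", "submitted"})

# Constructed results for two quarterly campaigns against five users.
SAMPLE_RESULTS = [
    Result("q1-invoice", date(2020, 1, 15), "alice", "clicked"),
    Result("q1-invoice", date(2020, 1, 15), "bob", "submitted"),
    Result("q1-invoice", date(2020, 1, 15), "carol", "reported"),
    Result("q1-invoice", date(2020, 1, 15), "dave", "ignored"),
    Result("q1-invoice", date(2020, 1, 15), "erin", "opened"),
    Result("q2-payroll", date(2020, 4, 15), "alice", "reported"),
    Result("q2-payroll", date(2020, 4, 15), "bob", "clicked"),
    Result("q2-payroll", date(2020, 4, 15), "carol", "reported"),
    Result("q2-payroll", date(2020, 4, 15), "dave", "ignored"),
    Result("q2-payroll", date(2020, 4, 15), "erin", "opened"),
]
AS_OF = date(2020, 7, 1)  # assumed scoring date


def _rate(results, campaign, predicate):
    recipients = [r for r in results if r.campaign == campaign]
    if not recipients:  # unknown campaign: avoid ZeroDivisionError
        return 0.0
    return sum(1 for r in recipients if predicate(r.action)) / len(recipients)


def click_rate(results, campaign):
    """Share of recipients who clicked the link or submitted credentials."""
    return _rate(results, campaign, lambda a: a in CLICK_ACTIONS)


def report_rate(results, campaign):
    """Share of recipients who reported the lure to the security team."""
    return _rate(results, campaign, lambda a: a == "reported")


def user_risk(results, user, as_of, half_life_days=180.0):
    """Time-decayed risk: each action's weight halves every half_life_days,
    so recent behaviour dominates and improvement shows up quickly."""
    score = 0.0
    for r in results:
        if r.user != user or r.sent_on > as_of:
            continue  # other user, or a campaign after the scoring date
        if r.action not in ACTION_WEIGHTS:
            raise ValueError(f"unknown action {r.action!r} for {r.user}")
        age_days = (as_of - r.sent_on).days
        score += ACTION_WEIGHTS[r.action] * 0.5 ** (age_days / half_life_days)
    return score


def needs_training(results, as_of, threshold=2.0):
    """Users at or above the risk threshold, highest risk first."""
    users = {r.user for r in results}
    scored = [(u, user_risk(results, u, as_of)) for u in users]
    flagged = [(u, s) for u, s in scored if s >= threshold]
    return [u for u, _ in sorted(flagged, key=lambda us: (-us[1], us[0]))]


def top_reporters(results, n=3):
    """Leaderboard for the rewards system: most reports first, ties by name."""
    counts = Counter(r.user for r in results if r.action == "reported")
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [u for u, _ in ranked[:n]]


if __name__ == "__main__":
    for campaign in ("q1-invoice", "q2-payroll"):
        print(f"{campaign}: click {click_rate(SAMPLE_RESULTS, campaign):.0%}, "
              f"report {report_rate(SAMPLE_RESULTS, campaign):.0%}")
    print("needs training:", needs_training(SAMPLE_RESULTS, AS_OF))
    print("top reporters:", top_reporters(SAMPLE_RESULTS))
```

On the constructed data the click rate falls from 40% to 20% between the two campaigns while the report rate rises from 20% to 40%, which is the pattern you want to see; a user who submitted credentials in the first campaign and clicked in the second is still flagged for targeted training, and the two most consistent reporters surface for the rewards program.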