Humble Leadership Is A Powerful Weapon
The moment an executive or business owner decides to hire an MSP, they declare a commitment to the organization and its employees to protect networks and data from cybercriminals. What they need to understand is that this is not a hand-off of responsibility but the beginning of their involvement.
Winning the battle against cybercrime requires all hands on deck. Hackers are oblivious to job titles and prey on fragile egos, and while this is a touchy topic to broach with clients, MSPs are negligent if we fail to raise any potential roadblock to safety. An awkward conversation with leadership early on beats explaining later that, had they followed the rules expected of everyone else, they could have prevented a devastating hack. We advocate involving everyone in the organization in the training process from the start, and smashing the hierarchy.
8 Ego-Driven Myths That Make SMBs Vulnerable To Cybercrime
As MSPs, we are all technology experts, but we cannot forget that computers and software are only as effective as their human operators. Managing behavior may not exercise the technical skills that drew you to this work, but attention to it is what keeps your business sustainable.
Here are eight common falsehoods we have seen SMB leaders espouse that can pose cybersecurity risks. We also suggest ways your MSP can respond to promote the kind of humble leadership that can make or break the company’s security.
1. Our Revenue Is Too Small To Appeal To Hackers, So We Don’t Need Any Security Measures.
You’ll encounter this person when scrambling to salvage their company after getting hit.
It makes no difference to cybercriminals whether a company reports $4 billion or $40,000 in annual revenue. Both a sandwich shop that only sells pastrami on rye and a big-box department store hold personally identifiable information (PII) on the network. PII is a hacker's capital.
Think of apple picking. If you go to an orchard, do you climb to the top of the tree? Not if your goal is to fill the basket quickly. You grab the low-hanging fruit. Cybercriminals do the same thing. They have the ability to climb the tree, as the Colonial Pipeline attack and incidents at major banks show, but more often they'll pick the easier targets.
When a huge corporation gets hacked, they can finance the recovery. Joe’s Car Wash, with its 15 employees, can’t afford it. If the cost doesn’t take them down, the bad publicity alone will drive clients to competitors.
2. We Created A Written Information Security Plan (WISP) A Couple Years Ago. We're Fine.
If that WISP is not current, it's not in compliance. It needs to outline up-to-date protocols, reflecting the tools, staff and threats the company actually has today, so employees keep PII away from thieves.
Leadership should understand what the WISP entails and why it affects cyber-insurance qualifications. Then, continually educate everyone about their role in protecting the company. (Yes, CEOs, that includes you.)
And for those organizations that review the WISP whenever the mood strikes? Guess what. Cybercriminals don't just punch in every couple of years. They work every single day, courting you until you click on a malicious link in an email, which is how 87% of hacks occur. While you sit back thinking you're fine, they're developing more sophisticated ways to access your systems and building a fast-growing cybercrime industry.
3. I’m Too Smart To Click On Something Like That. Only Fools Fall For Phishing Scams.
Intelligence is irrelevant. It’s about awareness and attention at a given moment.
If a leader feels superior to their staff and arrogantly skips simulated phishing training, they miss key lessons and become more susceptible to the scam. The same is true of anyone who is stressed or preoccupied; those people don't look closely at the details of an email.
Remember, hackers are pros at tricking people, and some of the brightest people have gotten hit. And in this ever-changing industry, even information technology professionals like MSPs can’t possibly know everything about cybersecurity. The bottom line is that all employees need regular training. If a higher-up’s ego needs coddling, remind them they have a powerful responsibility to protect others, and employees are counting on them.
4. People Who Click On Phish Bait Should Feel Ashamed.
This might be the most harmful lie of all. As mentioned above, anyone can click on a bad link. Model humble leadership; show clients how to cultivate a safe environment where shame and blame are not tolerated — and be the first to admit culpability.
Never ask, “Who clicked on it?” It doesn’t matter. Someone was fooled. It might have even been you.
Education tools like simulated phishing show what a mistake looks like before it costs anything. Note that managing partners tend to sit out of these trainings, yet most of the time the manager is exactly who the hacker targets or impersonates. Simulations teach people to recognize when an email doesn't look right, and spotting the signs only becomes reliable with practice.
Keep in mind these programs are like catch-and-release fishing. If you get caught with real phishing, you’re not going to live.
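The signs a simulation teaches people to notice can also be checked mechanically. The following is an added example, not code from Tech Advisors or from this article, that inspects a raw email for four of them: a Reply-To that points somewhere other than the claimed sender, an executive's display name on an address that isn't theirs, a sender domain that imitates the company domain, and pressure language typical of wire-fraud lures. The company domain `example.com`, the executive directory and both sample messages are constructed assumptions.

```python
"""Flag common 'doesn't look right' signs in a raw email message.

Sample messages, the internal domain and the executive list are constructed
for illustration; swap in your own directory data before using this for real.
"""
import email
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"  # assumed company domain
EXECUTIVES = {"Dana Rivera": "dana.rivera@example.com"}  # assumed directory

# Character swaps attackers use to build lookalike domains (rn -> m, vv -> w, ...)
LOOKALIKE_SWAPS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))
# Words that push the reader to act before thinking
URGENCY_WORDS = ("urgent", "immediately", "wire", "gift card", "can't talk", "password")

# Constructed sample: lookalike domain, outside Reply-To, CEO name, wire request
SAMPLE_PHISH = """From: Dana Rivera <dana.rivera@exarnple.com>
Reply-To: dana.rivera.ceo@gmail.com
To: accounts@example.com
Subject: URGENT wire needed before 5pm

Are you at your desk? I need a wire sent immediately, I'm in a meeting and can't talk.
"""

# Constructed sample: ordinary internal mail from the real address
SAMPLE_LEGIT = """From: Dana Rivera <dana.rivera@example.com>
To: accounts@example.com
Subject: Q3 budget review notes

Attached are the notes from this morning's review. No action needed before Friday.
"""


def _domain(addr: str) -> str:
    """Return the lowercased domain part of an address ('' if none)."""
    return addr.rpartition("@")[2].lower()


def _canonical(domain: str) -> str:
    """Normalise a domain so lookalikes collapse onto the real one."""
    d = domain.lower()
    for fake, real in LOOKALIKE_SWAPS:
        d = d.replace(fake, real)
    return d


def phishing_signs(raw_message: str) -> list[str]:
    """Return human-readable warning signs found in one RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    signs = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))

    # 1. Replies would go to a different domain than the message claims to come from
    if reply_addr and _domain(reply_addr) != from_domain:
        signs.append(f"Reply-To {reply_addr} does not match sender domain {from_domain}")

    # 2. A known executive's name shown on an address that is not theirs
    expected = EXECUTIVES.get(from_name)
    if expected and from_addr.lower() != expected:
        signs.append(f"display name '{from_name}' used with {from_addr}, expected {expected}")

    # 3. Sender domain imitates the company domain (lookalike or nested, e.g. example.com.evil.net)
    if from_domain != INTERNAL_DOMAIN and (
        _canonical(from_domain) == _canonical(INTERNAL_DOMAIN)
        or INTERNAL_DOMAIN in from_domain
    ):
        signs.append(f"sender domain {from_domain} imitates {INTERNAL_DOMAIN}")

    # 4. Pressure language typical of wire-fraud and credential lures
    text = (str(msg.get("Subject", "")) + "\n" + msg.get_content()).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        signs.append("pressure language: " + ", ".join(hits))

    return signs


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_signs(sample) or ["no signs found"])
```

None of these checks is proof of phishing on its own; an internal message can legitimately say "urgent", and a real executive may mail from a personal address. The value is the same as in a simulation: several signs together are the cue to stop and pick up the phone rather than act on the email.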
5. We’re An IT Company, So We Can Handle This On Our Own, Thanks.
Nope. If you work in cybersecurity, you can still get hit. We’re an IT company, and it has happened to us.
You are not shrewder than the cybercriminals. Their commitment to getting in will always match or exceed your commitment to keeping them out. Don't underestimate them.
"Seriously, we're good. We don't need simulated phishing."
I assure you, there's no question that you need simulated phishing. Tech Advisors runs it here, too.
6. My Reputation Will Be At Stake If I Tell Anyone I’ve Clicked On A Bad Link.
If you click on something that doesn't seem legit, the worst thing you can do is keep it to yourself. The sooner your MSP knows, the smaller the cleanup. If your company gets hacked, tell your MSP ASAP!
Some of the worst zipped-lip offenders are managing partners. Help them understand that an ego can be the flame that burns down the company. Make sure your clients feel comfortable calling you and appreciate the urgency.
Once they learn how to recognize suspicious emails, they should get in the habit of letting you know when they receive one. Cost should not be a deterrent, since this time is likely already included in most MSP packages.
7. I Wouldn’t Dare Question The Person In Charge.
If employees fear speaking up to their bosses more than they fear making a huge bank transfer outside of normal protocol, there's a bigger cultural problem to address. Encourage your clients to be approachable and to communicate regularly with their teams. Building relationships breaks down barriers to safety. An employee should never feel embarrassed to contact their supervisor to confirm an unusual request.
8. I Don’t Need To Worry About Employee Social Media Habits.
Unless you’ve slept through the entire pandemic thus far, you’ll know this is not true. The surge of people working outside of the office’s protective firewall has caused cybercrime to go through the roof since early 2020.
The blurring of work and personal activities online has made it more evident that people share too much information on social media. Cybercriminals scoop up personal details such as pet names, birthdays and family members, which become clues for guessing passwords. When accessing the company's network from home, every action can affect the organization.
Remind clients that the networks, firewalls and remote-access setups they originally configured for a handful of employees occasionally working from home (WFH) were not designed for everyone to use all the time. Running them far beyond that intended capacity makes WFH security even more precarious.
You’ll hear all kinds of excuses from companies that resist putting proper security systems and programs in place. We at Tech Advisors cannot emphasize enough the importance of showing up for yourselves and your staff with transparency and humility. Hold yourself accountable, support your own growth, and encourage clients to take on a team-oriented mindset in the fight against a hacker’s tricks.
Cybercriminals know that the easiest way into any organization, no matter how secure, is through its employees — human beings who can be tricked and manipulated. Lead by example, commit to continued learning, and stay suspicious!