How Do MSPs Enforce End User Compliance?

Many employees think of security and compliance as the responsibility of the IT department or the security team. Managed Service Providers (MSPs) know that is not the whole story: the end user is part of the control set. So what are MSPs doing to ensure that end users do their part in maintaining compliance?

Compliance is, at its core, about how data is processed and kept private. That comes down to the Confidentiality, Integrity, and Availability (the CIA triad) of the data. The IT department bears the bulk of the responsibility for Integrity and Availability. It puts in place the systems that prevent malicious actors from accessing the data, monitors those systems for malicious activity to protect the data's integrity, and builds redundant, resilient systems so that the data is always available.

But when it comes to the confidentiality of the data, the end user has a large role to play. Employees must access confidential and protected information as a matter of course in their daily duties. Those in the healthcare industry handle patient records containing Protected Health Information (PHI) covered by the HIPAA Privacy and Security Rules. Financial workers must protect customers' nonpublic personal information (a form of Personally Identifiable Information, or PII) under GLBA. Defense department contractors must protect Controlled Unclassified Information (CUI) governed by the forthcoming CMMC. And now virtually every industry is falling under some form of data processing regulation based on where a person lives or holds citizenship, as evidenced by the California Consumer Privacy Act (CCPA) and the European Union's GDPR, among others.

The confidentiality of protected information can be compromised in many ways, and the consequences can be severe. A few examples: a doctor at a Los Angeles hospital was caught snooping through more than 300 patient records, including those of celebrities, to find out why they had been admitted. He received a four-month prison sentence and lost his license to practice medicine. In another case, a Cisco employee was fooled by a "vishing" (voice phishing) scam designed to get around multi-factor authentication, and the resulting intrusion led to the theft of company files. And an employee at Twilio fell for a "smishing" (SMS phishing) scam by following a malicious link in a text message, giving the attackers access to customer data.

In every case an employee, whether intentionally or inadvertently, was directly involved in the chain of events that led to the compromise. Having access to confidential information makes employees targets of social engineering attacks. Every employee has a responsibility to protect the data they have access to. But how?

By now most organizations have implemented some form of security awareness training; it is a requirement in most regulated industries. However, the depth and quality of that education vary greatly. Some organizations offer an annual mandatory seminar for the sake of "checking a box", while others take it seriously and run a comprehensive, continuous program of education and testing. As MSPs we need to make sure that our clients fall into the latter camp. Many of us resell sophisticated security awareness platforms to our clients, which gives them the tools. But how many of us follow up with the client to make sure that the training is actually being completed or, better yet, that the phishing simulation failure rate is trending down? As a managed service, are we managing the education and testing campaigns? The bottom line is that the better educated and tested employees are, the better the data is protected.

As part of that training, employees are taught the proper treatment of passwords: don't share them, don't write them down, use strong passwords, and don't reuse the same password across accounts. But today we have so many accounts that require passwords, often dozens. How is anyone supposed to remember them all? The truth is you can't. Employees should be encouraged to use a reputable password manager, protected by a long, unique master password, and they must enable multi-factor authentication on the password manager account itself. This prevents someone who obtains the master password from walking off with the "keys to the kingdom".

Employees also need to resist the urge to "snoop". A bank teller may wonder how that neighbor can afford the huge house, two large SUVs, and a boat, and it is tempting to look up the neighbor's account and check the balances. Doing so is a clear violation of policy and of the customer's privacy, even if the information is never shared with anyone else.

Organizations create and distribute specific policies that employees must read and agree to. Commonly, employees are presented with an "acceptable use policy" on their first day of employment. It defines what the employee can and cannot do while using corporate resources (network, Internet, laptop, phone, personal devices, etc.). It is important that employees are reminded of the policy periodically, as it may have changed in response to new threats. Many organizations also have an "incident response policy" that tells employees how to respond if they suspect a breach: whom to contact, what immediate actions to take, and what not to do (such as wiping or powering off a suspect machine before responders have examined it). The time between the discovery of a breach and the response to it is crucial to limiting the damage. It is the employee's responsibility to review these policies and understand them. Managers should incorporate periodic policy review, along with other security-related topics, into their staff meetings, and having the CISO present to staff periodically is good practice.

Many organizations have a "clean desk policy". This is not about keeping crumbs off your keyboard; it is about making sure that confidential information is not left lying about for anyone walking by to see. Likewise, the computer screen should be locked whenever the employee steps away from the desk, even for a quick trip to the break room for coffee. An automatic lock after a short idle period should be enforced by policy as a backstop, but it is no substitute for locking the screen on the way out.

"CEO fraud", a form of spear phishing (also known as business email compromise, or BEC), is another common technique aimed at employees. In this scam, an employee with the authority to transfer money receives a bogus email, purportedly from the CEO, late on a Friday afternoon that goes something like this: "Hey, I need you to wire $500,000 to the account below immediately so we don't lose this deal. I am just about to board a plane, so you won't be able to get hold of me…". The email may even have been sent from the CEO's actual mailbox, in which case a breach has already occurred: the CEO's email account has been compromised. The message is designed to create a sense of urgency and to dissuade the employee from contacting the CEO directly. The employee should attempt to reach the CEO by phone anyway, using a number they already know, never one supplied in the email. If the CEO cannot be reached, the employee should check with the CEO's second in command. Organizations should also implement a policy that requires two approvals ("signatures") before any wire transfer over a set amount.

All the examples above can, and should, be covered in the employee's security awareness training, and it is essential that employees take that training seriously. It is the number one responsibility of the end user, and the MSP needs to play a role in ensuring it happens. Instead of simply reselling a Security Awareness Training (SAT) service, walking away, and letting the client manage it, MSPs should offer SAT as a managed service, reviewing the results of employee training and phishing tests during each quarterly business review (you are doing QBRs, right?).

By ensuring end-user compliance, MSPs keep not only their clients' businesses secure and compliant but their own as well.

An MSP's own practice must meet the same bar. If you are an MSP that wants to build and maintain a security-focused, compliance-based culture, click here to find out how we can help.
