
IT security alert for MSPs: Beware of stupid

MSP companies must keep an eye on the role of human error and mistakes -- as well as targeted attacks -- as they formulate their security strategies.

IT security is often discussed as a technology struggle, but data breaches frequently boil down to user bumbling.

Human behavior as a source of security pain has been frequently documented, with accidental disclosures affecting groups ranging from the National Guard to world leaders attending the G20 summit. So, while user-generated breaches are nothing new, speakers at the Automation Nation conference this week reminded managed services provider (MSP) attendees to consider the human condition as the key contributor to many an IT security alert.

In a keynote address, Kevin Mitnick, an IT security consultant who once made the FBI's Most Wanted list after a series of computer break-ins, broke it down for the MSPs in the audience.

"We can't download a patch for stupidity," he said. "The real problem is actually the users."

Mitnick cited an informal study revealing nine out of 10 office workers approached outside of London's Waterloo Station would volunteer their passwords in exchange for an inexpensive pen. He noted that a subsequent study -- this time, using chocolate eggs as the lure -- again found the majority of the subjects would turn over their passwords.


Those types of results, Mitnick suggested, encourage social engineering attacks in which perpetrators use manipulation or deception to get others to provide the information they seek. He said such attacks offer a low-cost approach that doesn't leave behind a log that would indicate a compromise.

Social engineering attackers may harvest information about their intended targets via social networking platforms, such as LinkedIn, Facebook and Twitter. Information gleaned from such sites can paint a picture of the target's circle of trust, Mitnick said, adding that attackers can use that insight to craft a phishing assault that mimics the target's customers or suppliers, for example.

Bradley Gross, managing partner of a law practice that bears his name, said mistakes, such as falling prey to a phishing expedition, are one of the most typical sources of data breaches. Gross, who works with MSPs, value-added resellers and other channel partners, noted that dumb moves -- leaving a laptop in a car, for example -- also rank toward the top of the list of breach triggers.

His warning for Automation Nation attendees: "Stupidity is out there, and it is robust."

Gross said channel partners also have to contend with more sinister security breach sources, such as intentional hacks and mischief-minded employees. Service providers, he added, can take steps to put themselves on better security footing, however. Those include conducting a security audit, tightening their master services agreement, establishing a data breach policy, looking into cybersecurity insurance and considering annual penetration testing.

David Bellini, president and managing director of ConnectWise International, based in Tampa, Fla., said the onus is on channel partners to hone their security skills -- for their own well-being and their customers'.

"Our customers' customers are small businesses ... and their job is to make sure they are securing their customers' networks, systems and databases," he said.


Join the conversation

3 comments


What do you see as the main IT security alert triggers affecting your customers?
We all do stupid things. Many of the stupid things we do that create security risks happen because of a lack of situational awareness. I’ve noticed that’s one thing that the security training I’ve received has not covered well. Stay alert, keep your guard up, and you won’t do so many stupid things.
That's a great point about situational awareness. A few organizations have applied the OODA loop to cybersecurity, but I don't know of any particular corporate IT security training programs that have made that connection.