High-profile hacker Kevin Mitnick said solution providers should conduct mock attacks against their own end users to ensure employees aren't being tempted by nefarious schemes.
"You need to educate, train and inoculate your users," Mitnick said Monday during Navigate 2017 by Continuum. "Actually attack your users with phishing and other types of tradecraft that the bad guys do, and it becomes a very teachable moment."
If customers don't wish to be subjected to faux phishing emails, Mitnick said MSPs should still test how employees handle attempts to have them give up compromising information over the phone. Customers should be notified that the IT service provider will be testing their security defenses from time to time to avoid needless reductions in employee morale, Mitnick said.
These efforts should help inoculate customers against real attackers who attempt to pull off attacks similar to the simulations, according to Mitnick. Plus, employees who are caught by the practice attack can be offered additional training, Mitnick said.
"The hacker is going to look for the weakest link in the security chain," Mitnick said. "And the weakest link has always been the people."
A key component in improving security education is having employers move away from information security manuals that "read like the Las Vegas penal code," Mitnick said. Instead, he said companies should develop brochures with lots of images and less text that delve into specific topics such as choosing a good password.
"If it's boring and disinterested, nobody's going to read it," Mitnick said.
These brochures should be simple and easy for end users to understand, Mitnick said, and businesses should ensure the information is presented in a relevant, informative and entertaining way so that workers actually read the material. The brochures can then refer staff back to the security manual for additional information, Mitnick said.
Mitnick also recommends that users avoid opening Microsoft Word or Adobe PDF attachments directly on their desktop, since a malicious document can exploit software flaws in the local viewer. Instead, he said customers should preview the documents in Google Quick View or another cloud-based viewer.
And businesses should design systems that automatically determine whether or not an individual has met the security threshold rather than leaving that decision up to human beings, Mitnick said. People typically find it harder to say "no" to a request made by another person, especially if the bad actor is impersonating a customer, supplier, vendor or colleague.
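To illustrate the last point, here is an added example (not code from the article or from Mitnick) of a small verification gate: the system scores the evidence actually collected for a sensitive request against a per-request threshold and returns the decision, so the employee handling the call relays the system's answer instead of judging the requester's story. The evidence names, request types, weights and thresholds are constructed assumptions; unknown request types are denied rather than handed back to the human.

```python
"""Automated verification gate for sensitive requests (constructed example)."""
from dataclasses import dataclass, field

# Weight of each piece of verification evidence (constructed values).
# Only checks the organisation performed itself count; claims made by the
# caller, however convincing, carry no weight.
EVIDENCE_WEIGHTS = {
    "mfa_push_approved": 3,      # requester approved a push to their enrolled device
    "callback_on_record": 3,     # we called them back on the number already on file
    "ticket_matches": 2,         # an open ticket in our system references this request
    "caller_id_claimed": 0,      # caller ID and a claimed name are not evidence
    "knows_internal_jargon": 0,  # familiarity with names and jargon is easily researched
}

# Minimum score per request type (constructed values); riskier actions need more.
THRESHOLDS = {
    "password_reset": 3,
    "wire_transfer_change": 6,
    "grant_vpn_access": 5,
}


@dataclass
class Request:
    kind: str
    requester: str
    evidence: set = field(default_factory=set)


@dataclass
class Decision:
    allowed: bool
    score: int
    required: int
    missing: list  # strongest checks not yet performed, for the employee to run next


def evaluate(req: Request) -> Decision:
    """Score the recorded evidence and compare it to the threshold for this request kind.

    A request kind without a configured threshold is denied: the gate never
    defaults open, because that would push the decision back onto the person.
    """
    required = THRESHOLDS.get(req.kind)
    if required is None:
        return Decision(False, 0, 0, ["unknown request kind"])
    score = sum(EVIDENCE_WEIGHTS.get(e, 0) for e in req.evidence)
    # List unmet checks that would add weight, strongest first.
    missing = sorted(
        (e for e, w in EVIDENCE_WEIGHTS.items() if w > 0 and e not in req.evidence),
        key=lambda e: -EVIDENCE_WEIGHTS[e],
    )
    return Decision(score >= required, score, required, missing)


if __name__ == "__main__":
    # A persuasive caller with nothing but caller ID and insider jargon is denied,
    # and the employee is told exactly which checks would change the answer.
    print(evaluate(Request("wire_transfer_change", "cfo",
                           {"caller_id_claimed", "knows_internal_jargon"})))
```

The useful property is that the employee's output is fixed by the evidence on record: a caller who pushes back is pushing back against the policy, not the person, which is what Mitnick's "let the system decide" advice is meant to achieve.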