Watch Out For End Users Who Are Slow To Grasp Security, Midmarket IT Leaders Told

Midmarket companies continue to battle ransomware and phishing, and that won't stop, no matter how much effort is spent using technology and educating end users about information security threats, a Gartner analyst told IT directors this week.

Gartner believes that, through 2020, email will continue to be the primary vehicle for the delivery of advanced targeted attacks, as well as a common distribution method for attacks on consumer technology devices.

Gartner's Brian Reed told a group of about 50 midmarket IT directors that they must continue to be vigilant against ransomware and phishing attacks through technology and organizational strategies, he said during a Tuesday session at the Midsize Enterprise Summit East conference in Nashville, Tenn. The conference was hosted by CRN's parent, The Channel Company.

[Related: Gartner Analyst To Mid-Market CIOs: Look At Service Provider As Part Of Your Security Strategy]

Reed cited a few examples of phishing, such as conventional emails seeking money and the spoofing of a CEO.

"Phishing [attacks] don’t just hit stupid users; they hit important users too," Reed said. He added, "We don’t have to accept that people are just idiots and shrug our shoulders and whistle on down the road."

Meanwhile, ransomware attacks soared over 400 percent from 2015 to 2016, and are expected to climb even higher this year, Reed said, citing statistics from Beazley Breach Insights that were published in January. And, in the first quarter of 2016 alone, the FBI said ransomware victims paid $209 million to retrieve their encrypted data that online criminals were holding hostage, Reed cited in his presentation.

The Gartner analyst also warned of a new malware tactic that attacks users, then – rather than demand money – asks them to "infect" their friends by passing along attacks.

Gartner believes that organizations that invest in monthly, interactive security awareness activities with end users will experience fewer breaches caused by human error.

But the research firm suggests that midmarket organizations are hamstrung by their size and budgets. One of the biggest skills gaps in the mid-market is dedicated security professionals. In fact, several IT executives who attended the conference told CRN that they don't have staff members dedicated solely to security.

Despite that, Gartner says security is always listed as a primary challenge among midmarket companies. While they spend, on average, 5.6 percent of their IT budgets on security, mid-market organizations generally don't spend anything on user awareness, believing it to be a "soft" security investment.

Brad Horst, CIO at EYP Inc., a Boston-based construction design and consulting firm with 600 end users and 15 IT professionals, told CRN he has focused heavily on security over the past six to eight months. He said he has had to reach outside the company for help, having called on a managed security services provider for advice on writing policies that EYP was missing as part of its security posture. "I could not do that on my own," at least within the last several months, Horst said.

He also said EYP is putting together a training program for users to help reinforce security at the endpoints.

Gartner has several recommendations for midmarket IT leaders:

• Have a dedicated crisis management team that can respond to the malware attacks.
• Implement an enterprise endpoint backup product to protect user data on laptops and workstations.
• Evaluate the potential business impact of having data forcibly encrypted because of a ransomware attack, and adjust recovery point objectives to more frequently back up those systems.
• Align with the information security, IT disaster recovery and network teams to develop a unified incident response that focuses on resiliency rather than just prevention.

After his 30-minute presentation, Reed focused on the role managed security service providers can play in helping midmarket IT organizations.

"The biggest thing … is staff augmentation," he told CRN. But that doesn't mean as a tool to replace staff. Rather, "it's really meant to help out both knowledge [and] understanding, [and] to be an extra set of hands."