We at TechDecisions have spoken with many MSPs recently, and as a result, we’re feeling a bit… paranoid. I’m personally about to download a password manager since that was identified as one of the most common identity management techniques MSPs advise their clients to use. Now more than ever, I’m afraid any personal data compromised might have a negative effect on my workplace.
Maybe, though, it’s not right to call this feeling “paranoia.” After all, MSPs have literally told us how they feel they need to educate tech managers, IT departments, and other business leaders about the threats posed to their businesses via sloppy personal data management.
Raffi Jamgotchian, president/CTO of Triada Networks and one of those MSPs we spoke with, says there is a disconnect among lower-level employees between what MSPs show them about business data and how they make personal data decisions — and that disconnect can be solved with identity management architecture.
“By understanding how these things can impact them personally, they realize why it is important to bring that attitude to their work,” he said.
This is something CEOs already seem to understand, says Jamgotchian. He says business owners don’t normally have this problem because many of them tie together their personal and business lives, anyway. So if one connection is secure, they all tend to be.
But that’s not true for the rest of the org chart.
Common identity attacks are digital AND physical
Like we said, MSPs have noticed how personal data is used to target business data. One of the most common attacks goes something like this:
- An office manager or personal secretary is contacted
- The message contains information that the supposed sender would know, or is phrased the way they would phrase it (this is actually the attacker using social engineering to their advantage)
- The employee is asked to complete a task — such as providing critical business data, buying and revealing gift card codes, etc. — and confirm this via email or phone
“When they can look at sent mail, and know a company’s website and mail habits, that’s dangerous,” Manna says.
“When you think about it, how many people leave building access and proximity cards in their personal vehicles?”
Identity management techniques used by MSPs
There are a number of identity management techniques MSPs enlist to help keep their clients’ business data secure. But, critically, Manna and Jamgotchian both said the challenge is ensuring employee-clients follow up by using them to secure both their personal and their business data.
“Once we take 5-10 minutes to review something, it has a dramatic effect on how often we’re called on an issue,” says Manna. “But we reinforce these lessons with product scanning and fake phishing campaigns to prove our point.”
So the takeaway for CIOs, Tech Managers, and the greater IT department is: make sure your org’s employees at every level follow up with all of these tips. It’s a constant struggle, but one that is worth the effort.
Here are some more personal and business data security tips:
- use password managers — i.e. EVERY website/service has a different, complex password
- employ multi-factor authentication — especially on all BYOD devices, the mailbox, email, etc.
- establish (and regularly update) a list of trusted sources — that way, employees will know who potential phishers are, how they may target them, and with what data they might try to do so