One Way Employees and Hackers Are Exactly Alike

Hackers aren't innovating, because we aren't forcing them to. And that's a huge problem. Here's what we should do about it!

Power Up by Empath Cyber

In today's rundown:

  • 🤖 One Way Employees and Hackers Are Exactly Alike

  • 🔥 Hackers Aren’t Innovating... And We’re To Blame

  • 🧠 What’s the Cyber Path of Least Resistance?

Read time: 4 minutes 👇

One Way Employees and Hackers Are Exactly Alike

Have you ever looked at a winding river and wondered how it took its path over the years? It seems to make no real sense. But the fact is, water always takes the path of least resistance. It simply moves wherever it’s easiest to go.

Your employees are exactly like that water. And scary enough, so are hackers. Invariably, they’ll always take the path of least resistance.

Have you ever thought about this? I’m constantly amazed by the solutions that our employees will often create to solve a business problem. Ironically, in nearly every case, their proposed solutions are inefficient at best and introduce all kinds of security issues at worst.

Think about it: they’ll adopt their own shadow IT cloud solutions. They’ll happily email sensitive documents to others. They’ll open and click on nearly anything that they think will help them get their job done faster.

And hackers? They also take the path of least resistance. After all, this is one of the primary reasons we saw ransomware actors begin to target SMBs en masse back in 2018. Our employees have introduced all sorts of material weaknesses and issues that simply allow an attacker to go after them with ease.

After all, why would a hacker want to spend an enormous amount of time, resources and money attacking a sophisticated and mature large business when they can just as easily hit multiple unprotected SMBs with the same time and resources?

And that’s exactly what they do. That’s why SMBs are under cyber attack more than ever before. And I’m curious to hear from you: do you share this same message to your clients? Do they know how important this is?

Hackers Aren’t Innovating... And We’re To Blame

Speaking of which, we had Phil Langlois from Verizon on CyberCall #146 a few weeks ago. He’s the Verizon data scientist who helps lead the Verizon DBIR, the industry’s leading breach report, every year.

And he said something profound: 👇


“We haven’t really forced hackers to innovate over the years.”

Phil Langlois

Ouch. That hurts. And Phil is exactly right. Sure, we do see 0-days hit periodically throughout the year, like MOVEit, Log4j and many others. And they are absolutely huge “drop everything and scan/patch” moments.

But the vast majority of security incidents we see aren’t from a 0-day. They’re from routine things like phishing attacks, misconfigurations, and privilege abuse. It’s the basic stuff. The things that aren’t super sexy but are immensely important.

So that gets me thinking. If my business can do the basic minimums, what does that mean for attackers, who act like water? Will they move on to a path of less resistance? Maybe not always. But often.

And that brings me to my last segment in this week’s Power Up newsletter. What are the bare minimums that make our organization a path of higher resistance?

What’s the Cyber Path of Least Resistance?

I think we’d all do well to consider the answer to this question. What is the path of least resistance for us and our clients? What makes us more difficult than the next organization for a hacker?

I think a few things stand out to me:

  1. We need to always pursue executive buy-in. Everything starts here. You won’t get the right budget without it. You won’t have the backing to make the changes you need. And you’ll always be fighting up against the floor of the organization, never able to set the cyber ceiling, so to speak.

  2. We need to be risk-aligned. If we can get executive buy-in, the very next thing we need to shift towards is risk alignment. Sure, a risk assessment is part of the job here, but it’s far more than that. It includes actively tying cyber risk to corporate risk. It takes time. But it works.

  3. We need to be constant educators. Education never ends. It’s literally what I’m doing right now with you as you read this. And there are countless effective ways to educate our clients: in-person discussions, lunch and learns, tabletops, QBRs, heck, even text messages here and there when interesting articles come up.

  4. We need to be standards-aligned. How much better would the world be if every MSP on planet Earth was at a minimum aligned to CIS Implementation Group 1? Wouldn’t that be a game changer? While not perfect, at least that’s a starting point. It’s the cyber floor. The bare minimum. We all know that likely won’t happen for everyone. But it absolutely can and should (and must!) happen for you and your clients. Are you committed to that? It’s the blueprint to your success.

I’d love to hear from you. What other items might you add to the “Cyber Path of Least Resistance” list? Leave me a reply and let me know!

That's all for now!

Did someone forward you this email? If so, you can sign up to the #1 MSP Cybersecurity Newsletter in the world right here: www.empathcyber.com/powerup

If you have any interesting projects or ideas, please reach out to us by [email protected] or hit me up on LinkedIn. As always, thanks for reading, and see you next time. 🫡

Find Empath Cyber and Wes here: