
New Kaseya Security Survey Finds Humans Are The Weakest Link

The biggest cybersecurity threat to your customers’ businesses is hiding in plain sight: the user. Whether users are gullible, malevolent, untrained, or just plain careless or lazy, their behavior is a top security threat, according to the just-released Kaseya Cybersecurity Survey Report 2024. An alarming 89% of IT professionals surveyed cited a lack of training or bad user behavior as their main cybersecurity problem. And user-related security issues are causing the most distress, with poor user practices and gullibility (45%) and lack of end-user cybersecurity training (44%) as the root causes for cybersecurity problems, according to the research.

“Users are the number one security risk,” says Chris McKie, vice president of product marketing-security at Kaseya. “I don’t think that’s a huge surprise, but the numbers that support that seem [to indicate] people recognize it. It’s not just about protecting your endpoint; it’s not just about protecting servers or your web services. It’s people.”


And user-related issues rank among the top three threats that have impacted the respondents’ businesses, with phishing ranked first (58%), followed by computer viruses or malware (44%) and business email compromise (34%).

McKie says this represents a huge opportunity for MSPs to offer security awareness training, to learn more about their clients’ businesses, and to get more involved in helping them develop and implement security policies. “The challenge is, they need to go beyond just the devices. I think in technology it becomes very easy to just think about the endpoint, whether it’s that laptop or that server. We get enamored by the technology and we lose sight of the people.”

On the whole, MSPs have done a good job in phishing education, McKie says, but could do more to address business email compromise (BEC).

“We’ve gotten better overall as an industry in doing more phishing detection, phishing response, phishing protection, and [with] security awareness training helping employees understand, ‘Hey, this is what a phishing email looks like.’”

BEC, on the other hand, “is where we do fail in a lot of ways.” MSPs need to be talking to the C-suite about security policies, he says. For example, McKie explains, “What is the policy if you’re going to do a wire transfer? What are the thresholds and what are the safeguards to ensure we’re not just sending money out to someone we don’t really know for sure who it is? MSPs [can] play a major role in policy decision-making, policy creation [and] making sure there are safeguards in place.”

Source: Kaseya Cybersecurity Survey Report 2024

On The Good News/Bad News Front

Kaseya’s research did find several areas of progress in the cybersecurity battle.

On the ransomware front, it’s good news/bad news. The downside is that organizations that paid a ransom paid much more this year than they would have in 2023, with a sharp increase in respondents indicating that their organization paid a ransom of $50,000.

On a positive note, though, 56% of this year’s survey respondents have not experienced a ransomware attack, and only 11% paid a ransom after an attack. Further, most organizations that did experience ransomware attacks were able to recover their data. More than two-thirds (69%) of survey respondents said their organizations were able to successfully decrypt their data after paying the ransom or by using other recovery methods.

The decline in ransomware attacks “absolutely is indicative of MSPs doing a better job at security,” McKie says. “MSPs have to do everything—they’re fixing printers one minute and they’re addressing ransomware attacks the next. They’ve got their plates full. But it does say to me that they’re getting better at the bigger picture of security. You’re seeing MSPs look at security more holistically, more comprehensively. And in doing so, they’re giving their clients a better security posture by adding defense-in-depth capabilities across the spectrum.”

The research also finds that downtime from cybersecurity incidents has decreased, with only 8% of respondents seeing two-to-three-day downtimes in 2024, and only 7% of respondents reporting being down for a full day. More than one-quarter of respondents didn’t experience any downtime, and one in five didn’t experience a cybersecurity incident at all. And businesses experienced fewer high-cost cybersecurity incidents compared to 2023.

“Recovery now is also part of that security discussion,” McKie says. “So detection and response, that now matters more. And then how quickly can you recover? So we’re seeing MSPs be much more involved holistically in that whole circle of activities.”

Another positive sign is that the percentage of organizations hit by a supply chain attack has decreased significantly, from 61% last year to just 19% this year. Respondents also do not anticipate supply chain risk to be a major attack vector in the next 12 months.


The Role Of AI

No surprise that AI is a double-edged sword. While 53% of respondents say it will help them be more secure, many weighed in with concerns that bad actors will use it to make phishing attempts more realistic, find vulnerabilities, and automate attacks.

“AI gives you a lot of efficiencies, and we’re seeing use of AI in things like incident response,” McKie says. “AI can play a great role for an MSP in helping them build security policies for their clients. So a lot of efficiencies can come out of that. The flip side is it’s being used by the bad guys in many ways for the same bad purpose.”

In the future, he says, “I would expect to see AI play a major role, certainly in security operations. I wouldn’t be surprised if in the next few years AI is a core component of every EDR tool out there because it’s going to spot the anomalies.”

Looking Ahead

Cybersecurity will continue to be a steady source of revenue for MSPs, according to the findings. Almost half (47%) of respondents say their security budget will stay the same, and 40% expect to spend more.

The top areas they plan to invest in are cloud security, automated pen testing, network security, and security awareness training.

“Cloud security definitely is a top area of not only investment, but certainly concern,” McKie says. “And the reason being, we’ve moved workloads to the cloud. Over the last few years, we’ve also become highly reliant on those cloud resources, whether it’s your Salesforce or O365. These things are now part of [workers’] day-to-day activities, and the bad guys know this. And so they are working very stealthily and cleverly to get credentials.”

Focus On The User

Clearly, there will be no shortage of opportunities for MSPs to help clients with their weakest security link, whether that’s protecting users in the cloud, educating them in good cyber hygiene practices, or getting involved in policy creation to save them from themselves.


Author:

Colleen Frye

Colleen Frye is the former executive editor of MSP Success. A veteran of the B2B publishing industry, she has been covering the channel for nearly two decades.
