The CyberCall

High Stakes in Threat Intelligence & Employee Accountability

02/03/2025
The cybersecurity threat landscape is constantly evolving, but one vulnerability remains stubbornly consistent: human error. In a recent Right of Boom Cyber Call, hosted by Andrew, the discussion turned to a concerning trend: employers holding employees financially accountable for falling victim to phishing and social engineering attacks. The implications go far beyond HR and into the legal, operational, and strategic domain of Managed Service Providers (MSPs).

Attorney Eric Tilds shared a powerful real-world case: a CFO who fell for a phishing email was at risk of losing vested equity because of the resulting financial damage. The company claimed negligence as justification for clawing back the CFO's stock options. This scenario prompts a critical question for MSPs: where does accountability begin and end in a breach caused by human behavior? Could the responsibility ultimately land on the MSP that failed to recommend stronger controls or training?

The conversation emphasized that while technical defenses like spam filters and endpoint protection are vital, the human element demands just as much focus, if not more. Nat, a vCISO, pointed out that MSPs have a unique vantage point because of their cross-client visibility, which allows them to design and implement smarter, more adaptive human-centric defenses.

To stay ahead, MSPs should implement foundational frameworks like CIS or NIST, conduct comprehensive security assessments, and deliver role-based security training, enhanced with real-world simulations so that it sticks. Monthly strategic check-ins with client leadership help keep cybersecurity top of mind, while regular social engineering tests provide real metrics on progress. Reviewing cyber liability policies is also essential to ensure coverage matches today's evolving risks.

The core issue is liability. If an employee is blamed for clicking a malicious link, the question becomes: who was responsible for preparing that employee? Was training documented? Were risks communicated clearly? And was the MSP proactive in advising on best practices?

MSPs must adapt. That means incorporating social engineering defenses into broader strategies: assuming compromise, segmenting networks, and preparing for lateral movement. It also means partnering with legal experts to update contracts and scopes of work to reflect today's threat realities.

The takeaway? The line between user error and business risk is blurring, and MSPs are on the hook for ensuring their clients understand, prepare for, and mitigate those risks. By addressing the human element head-on, MSPs not only strengthen client relationships but also shield themselves from downstream blame and liability.
Andrew Morgan
Eric Tilds