Shadow IT is sabotaging security culture – Here’s your action plan

Guest blog courtesy of Bitwarden.

According to a survey of independent IT decision-makers across a range of industries, 60% of respondents reported that their organizations experienced a cyberattack within the past year. Almost half (49%) reported struggling with employees who use unauthorized devices or software without IT’s approval. For MSPs, this represents a critical and persistent risk facing client environments. These statistics reflect a corporate landscape saturated with data security risks – a reality that directly impacts the environments MSPs are tasked with securing.

Another recent industry study found that 66% of respondents reported their organizations were affected by ransomware, with the average (mean) ransom payment almost doubling from $812,000 in 2022 to $1.5MM in 2023. Client organizations are frequently targeted by cybercriminals seeking to exploit vulnerable internal behavior and an inadequate cybersecurity culture. For MSPs, cultivating a strong security culture across managed environments enhances overall resilience and reduces long-term support costs.

This piece explores common habits that create data security vulnerabilities and outlines strategies MSPs can use to instill stronger client habits, including identity security best practices and recurring cyber awareness training.

What is a security culture?

Security culture refers to the collective attitudes, values, and behaviors that an organization or community promotes to minimize security risks and protect its assets. It is a set of customs shared by a community to mitigate risk, making safe behavior online habitual and ensuring employees can confidently identify and deter attempts by bad actors to exploit vulnerabilities through phishing, malware, ransomware, and more. A strong security culture is essential for any organization, and MSPs play a critical role in shaping that culture within client environments.

Evaluating client security culture

MSPs can evaluate client security culture by assessing internal controls, training coverage, and password management habits. Consider conducting security assessments or questionnaires during client onboarding and annually thereafter to identify gaps. Layering password management and vault health reporting tools into this workflow can enable additional visibility into weak or reused credentials.
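As an added example (not Bitwarden's code and not part of the original post), here is the kind of vault health check the paragraph refers to, run over a constructed credential export: it groups entries by a hash of the password to find reuse without echoing the secret, and flags weak passwords against a short common-password list plus a length-and-variety rule. The export field names, the deny-list and the thresholds are assumptions.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample vault export (not real credentials). Field names mirror a
# typical name / username / password export from a password manager (assumed).
SAMPLE_VAULT = [
    {"name": "payroll-portal", "username": "alice", "password": "password"},
    {"name": "crm",            "username": "alice", "password": "Winter2023!!"},
    {"name": "vpn",            "username": "alice", "password": "Winter2023!!"},
    {"name": "github",         "username": "bob",   "password": "xK9#v2Lq!mR7pZ4e"},
    {"name": "wiki",           "username": "bob",   "password": "Winter2023!!"},
]

# Constructed stand-in for a breached/common-password feed (assumed, tiny).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}
MIN_LENGTH = 12  # assumed policy floor; adjust to the client's policy


def is_weak(password):
    """Weak = on the common list, shorter than the floor, or < 3 character classes.
    This is a floor, not a guarantee: predictable patterns can still pass it."""
    if password.lower() in COMMON_PASSWORDS or len(password) < MIN_LENGTH:
        return True
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    return classes < 3


def audit_vault(entries):
    """Return a health report: reused-password groups, weak entries, healthy %.
    Passwords are grouped by SHA-256 so the report never contains a secret."""
    by_hash = defaultdict(list)
    for entry in entries:
        digest = hashlib.sha256(entry["password"].encode()).hexdigest()
        by_hash[digest].append(entry["name"])
    reused = sorted(tuple(sorted(names)) for names in by_hash.values() if len(names) > 1)
    weak = sorted(e["name"] for e in entries if is_weak(e["password"]))
    affected = {name for group in reused for name in group} | set(weak)
    total = len(entries)
    return {
        "total": total,
        "reused_groups": reused,
        "weak": weak,
        "healthy_pct": round(100 * (total - len(affected)) / total) if total else 100,
    }


if __name__ == "__main__":
    print(audit_vault(SAMPLE_VAULT))
```

Reused-but-not-weak credentials (the three "Winter2023!!" entries) and weak-but-unique ones ("payroll-portal") are reported separately, since each needs a different remediation conversation with the client.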

Risky behavior that can compromise security posture

49% of IT decision-makers navigate the challenge of employees using unauthorized devices or software without IT’s approval. These ‘shadow IT’ behaviors create risks for organizations by introducing new attack vectors that MSPs and client security teams may be unaware of and unable to control. Shadow IT introduces unauthorized access points that can become exponentially more dangerous when combined with widespread, poor password habits and a lack of security awareness:

  • Up to 60% of individuals say they reuse passwords across multiple sites
  • Up to 30% of data breaches at organizations are caused by individual users sharing passwords, reusing passwords, or falling for phishing scams

IT decision-makers may generally be perceived as more security-conscious than the average employee. However, additional research reveals that poor password habits persist across end-user groups. A global survey of internet users found:

  • Almost a fifth (19%) have used “password” as their password
  • A majority (68%) of respondents manage passwords for 10+ sites or apps, yet 84% reuse passwords
  • Although 30% use a password manager, nearly double (58%) rely on memory, and 34% still write passwords down on paper

These behaviors compound the threat landscape MSPs manage. Using weak passwords makes it easier for cybercriminals to brute force account access. Writing down passwords on paper creates internal security risks. Practices such as using public Wi-Fi for workplace access or clicking on suspicious links can introduce malware and compromise client credentials. MSPs should utilize password management to enforce better practices and enhance their clients' overall security habits.

MSPs can lead the shift toward a security culture

Building a culture of security within client organizations doesn’t happen overnight, but it represents one of the greatest opportunities for MSPs to reduce incident response workload while driving long-term client value. By leaning into the following guidelines, MSPs can leverage behavioral touchpoints to reduce client attack surfaces. For example:

  • Encouraging people to lean into personal cybersecurity best practices has an effective compounding result on the enterprise security posture
  • MSPs should promote a culture that encourages users to report suspicious activity and prioritize training exercises throughout the year
  • Executive sponsorship is key – MSPs should work with client leaders to develop and enforce security policies
  • Implement recurring, bite-sized training with interactive content to maintain awareness and reduce behavioral risks
  • Password managers enable MSPs to implement credential management strategies that improve client security while reducing operational overhead. These tools support both individual and organizational vaults, offering secure storage for shared credentials, visibility into password health, and fewer support tickets related to lost or forgotten passwords.

79% of employees prefer their company to require the use of a single password manager, signaling a strong case for MSPs to standardize password management across client environments.

Modern password managers also support multifactor authentication (MFA), biometric unlock, and passkey storage, allowing MSPs to layer protection in ways that are intuitive for end users but difficult for attackers to exploit. Strong security cultures depend on effective tools, and password managers remain a foundational component for MSPs looking to reduce client risk at scale.

Get started with Bitwarden

Join a live MSP demo or watch the replay to get your questions answered by the Bitwarden team. Visit bitwarden.com/msp to learn more about how to scale your business and grow profitability with enterprise password management solutions.