Anyone in Connecticut with a computer and an internet connection is at risk of being a victim of cybercrime. When cybercriminals are thinking about their next attack, they’re looking for the easiest money. Individuals probably won’t pay up to get their stolen data back, and big corporations are well protected by full-time computer security people. Who does that leave as the most vulnerable? Small to medium businesses with no full-time IT staff, who would be willing to pay to get their data back just to stay in business.
What Can Small Businesses Do To Protect Themselves?
It takes an army. Of employees.
Who’s in your cyber security army? Bob is the best sales guy in the company. James should know, he provides customer service for all of Bob’s customers. Susan in finance can tell you how much you’ve made this year. None of them can tell the difference between a real email with a past due invoice and a malicious email with a fake one. They’re not alone, though. More than half of small business owners cite employee negligence as a top concern when it comes to data breaches.
For an army to be effective, it needs proper training. Security Awareness Training.
Security Awareness Training
Security Awareness Training is not just sending an email around the office saying “don’t click on links from people you don’t know”. And it’s more than having people watch videos on YouTube. It requires everyone to change the way they think and act when it comes to technology. There needs to be accountability. And it can’t be boring.
A study by the Ponemon Institute on the value of employee cybersecurity training has shown that businesses that deliver Security Awareness Training see an average improvement of 64% in their phishing email click rates, and that number improves the more times training is delivered. More training = better results.
Goals of Security Awareness Training
- Provide a clear understanding of all the different ways cybercriminals will try to infiltrate your business – Malware, Phishing, Social Engineering
- Teach best practices – passwords, email, physical access, how to work safely and securely
- Test your knowledge through simulated scenarios
- Hold employees accountable to do better when they don’t pass the test
Must-have Topics in Security Awareness Training
- Password best practices – why good passwords are important, common ways hackers exploit passwords, how to create strong memorable passwords
- Email and browser security – how to spot suspect phishing emails, how to use browser protection, how to identify malware and viruses
- How to avoid malicious downloads – protecting yourself through antivirus, and what to do if your system is compromised
- Social engineering – what it is and how it works, and what questions to ask to protect yourself
- Mobile security – most common threats for mobile phones, risks of point of sale devices, what to be careful of when using your own device
- Remote working – how to stay safe on free or guest wi-fi, what to watch for to prevent getting hacked on the go
- Social media security – safe ways to use social media so as not to make yourself vulnerable, what’s acceptable for work and for home
- Anti-virus – the importance of staying protected and up-to-date, and how to react when a virus is identified
- Physical security – accessories for privacy when traveling, securing your devices, reporting security violations
Free Security Awareness Training Options
Looking to test-drive security awareness training for yourself? NSI offers a free 30-day trial. If you’re looking to do more, we have Security Awareness Training for small to medium businesses, along with services ranging from IT security to managing your entire IT environment. Security training can be delivered remotely or on-site.
Tips for a Successful Launch of a Security Awareness Training
Cyber security is important to the business, but everyone already has their day jobs and other priorities to deal with. What are some ways I can get people to listen?
- Make it personal. A lot of the topics in Security Awareness Training bleed over into employees’ lives outside of work - passwords, social media, mobile devices. Giving them something they can use at home will help keep their attention.
- Make it emotional. In general, people want to do the right thing, and don’t realize the impact of their bad cyber security habits. Explain how failing to keep good security practices can lead to hurting the company.
- Reward good behavior. Gamify the flagging of phishing emails, track scores on security quizzes, and acknowledge when people contribute to the security of the business. The benefit of staying secure will far outweigh the cost of a rewards program.
- Stay top of mind. If your employees only think about cyber security for the week following the annual Security Awareness Training, you’re left unprotected the rest of the year. Reminder emails, posters in common areas, and mentions in company newsletters are great ways to maintain visibility with employees without being annoying.
- If the carrot doesn’t work, use the stick. Make management your advocate and drive the initiative from the top down, aligning with leadership to tell employees “this is important”. Many companies now make completion of compliance and cyber security training mandatory for eligibility for annual bonuses.
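Two of the points above, the Ponemon finding that click rates improve with repeated training and the tip to gamify phishing reports and track scores, only work if you actually measure your simulated phishing campaigns. Below is an added example (not part of the original post, and not NSI’s tooling) of the bookkeeping a small business could run over its own simulation results: per-campaign click and report rates, the relative improvement between two campaigns, the people who clicked more than once and need a follow-up session, and a leaderboard of reporters for the rewards program. The log records are constructed sample data; the campaign names and user names are made up.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample data: one record per simulated phishing email sent.
# Fields: campaign id, recipient, clicked the link?, reported the email?
# Made-up values for illustration, not results from any real organisation.
SIMULATION_LOG = [
    ("2024-Q1", "bob",   True,  False),
    ("2024-Q1", "james", True,  False),
    ("2024-Q1", "susan", False, True),
    ("2024-Q1", "dana",  False, False),
    ("2024-Q2", "bob",   False, True),
    ("2024-Q2", "james", True,  False),
    ("2024-Q2", "susan", False, True),
    ("2024-Q2", "dana",  False, True),
]


@dataclass
class CampaignStats:
    sent: int = 0
    clicked: int = 0
    reported: int = 0

    @property
    def click_rate(self) -> float:
        # Fraction of recipients who clicked; the metric the Ponemon figure refers to.
        return self.clicked / self.sent if self.sent else 0.0

    @property
    def report_rate(self) -> float:
        # Fraction of recipients who flagged the email; the behaviour you want to reward.
        return self.reported / self.sent if self.sent else 0.0


def summarize(log):
    """Aggregate raw send records into per-campaign counts."""
    stats = defaultdict(CampaignStats)
    for campaign, _user, clicked, reported in log:
        s = stats[campaign]
        s.sent += 1
        s.clicked += int(clicked)
        s.reported += int(reported)
    return dict(stats)


def click_rate_improvement(stats, first, last):
    """Relative reduction in click rate from `first` to `last`, as a percentage.

    Positive means fewer people clicked in the later campaign. Returns 0.0 when
    the earlier campaign had no clicks at all, since there is nothing to improve on.
    """
    before = stats[first].click_rate
    after = stats[last].click_rate
    if before == 0:
        return 0.0
    return (before - after) / before * 100


def repeat_clickers(log):
    """Users who clicked in more than one campaign: candidates for extra training."""
    campaigns_clicked = defaultdict(set)
    for campaign, user, clicked, _reported in log:
        if clicked:
            campaigns_clicked[user].add(campaign)
    return sorted(u for u, c in campaigns_clicked.items() if len(c) > 1)


def leaderboard(log):
    """Reporters ranked by how many simulations they flagged, ties broken by name."""
    counts = defaultdict(int)
    for _campaign, user, _clicked, reported in log:
        if reported:
            counts[user] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    stats = summarize(SIMULATION_LOG)
    for name in sorted(stats):
        s = stats[name]
        print(f"{name}: sent={s.sent} click_rate={s.click_rate:.0%} report_rate={s.report_rate:.0%}")
    print("click rate improvement Q1->Q2:", click_rate_improvement(stats, "2024-Q1", "2024-Q2"), "%")
    print("repeat clickers:", repeat_clickers(SIMULATION_LOG))
    print("reporter leaderboard:", leaderboard(SIMULATION_LOG))
```

Run it as-is and you get the numbers for the two constructed campaigns; in practice you would load the log from whatever your phishing-simulation tool exports. The report rate matters as much as the click rate: a workforce that reports suspicious mail gives you an early warning even on the days someone does click.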
Having a cyber-educated workforce is arguably the most important layer of protection a business can have.