This article is part of a series exploring the cyber-crime threat facing small and mid-size organizations (SMBs), and how such organizations can mitigate their risk of compromise. In Part 4, we review the need for staff cybersecurity training and provide tips on how to develop the most effective program.
In cybersecurity, your employees are your greatest strength and weakness. They are the most powerful, most dangerous, unknown variable of your network defenses. Products are highly predictable – programmed to perform their tasks as designed. Policies are point-in-time standards which are codified for reference and enforcement. Employees, however, are an entirely different matter.
The human element is an unpredictable aspect of your IT network and its safety. A trained employee who exercises caution in his/her use of technology is a repellent to cyber-attacks – more potent than any next-gen software. On the other hand, negligent staff are the #1 cause of cybersecurity breaches at SMBs. The key differentiator here is training, and thus this article will address training approaches and tips to transform unknown risks into known strengths.
Why is the human element target #1?
People don’t “just know” – As mentioned earlier in this series, cybersecurity is not instinctive. For example: millennials (a generation immersed in technology from childhood) are arguably the biggest cyber risk factor for companies. Multiple studies find millennials to be more vulnerable to tech support scams, more likely to work around company controls, and more likely to re-use passwords than Gen X and Baby Boomers. Cyber-hygiene must be learned through repeated study and exercise.
Staff interaction required – What do phishing, pretexting, and spear phishing attacks have in common? They all require human interaction. Whether to install ransomware or receive a wire transfer, these social engineering attacks are the method used in 93% of successful breaches. Your IT network can be “Fort Knox” and still fall prey to an $8000 breach because an employee opened the front gate.
The number of employees required to cause a malware attack – “What is one?” Unfortunately, even with increased cybersecurity awareness, cybercrime is still on the rise because of this reality. This is yet another reason why employee training is crucial to your business operations. Each individual at your organization must receive clear guidance and repeated training to ensure all the links in the chain are strong. I’ll take ‘where people screw up’ for $100, Alex.
Where people screw up
Desk appearance – 1-in-4 employees admit they leave their computer unlocked when they go home for the day and 36% admit to leaving sensitive documents and folders on their desks at clock-out. These are baby-step practices being ignored, causing physical and cyber vulnerabilities (fyi, energy costs too).
Passwords – We’ve highlighted the weaknesses of single-factor authentication (SFA) in this series, but even so, people are very lazy with passwords. Using personal passwords for work accounts, writing them down, using dictionary terms, reusing the same “key” for 20 “locks” – you name it, it’s being done (at your company, most likely).
Email – Once again, this is the main vehicle of successful cyber-attacks. Whether it’s due to a desire to provide prompt customer service, an obsession with a clean inbox, or plain-ole-negligence, people continue to get fooled by cybercriminals. As a result, cybercriminals continue to cash out with ransom payments, wire transfers, and identity fraud as employees continue to action malicious emails.
WiFi – People love free WiFi. When employees take your devices into the field, there’s a good chance they are connecting to whichever network is most convenient, not considering whether the network is secured or legitimate. This can lead to intercepted traffic (emails, CC info, credentials) and even malware installation onto the device.
Data storage – There is a trade-off between convenient access and security. Which do you think your employees prefer? The more places data resides, the easier it is to intercept for cyber-criminals. In a pursuit of convenient access, files are often copied from their designated residence to personal computer drives, flash drives, and Cloud storage.
Device travel – Also related to remote/field work, many practices can put SMBs at risk. Examples include taking devices from the office without permission, leaving devices in vehicles in plain view, and allowing non-staff to use them. Such practices can easily lead to data theft.
Starting your training program
It all starts with policy – A one-time staff meeting (complete with stereotypical slide show) will look like a “college try” to employees, not a serious treatment of cyber threats. Every effort to train employees needs to flow from a company standard and the resulting cybersecurity policy. As we covered in Part 2 of this series, a simple cybersecurity policy with top-down buy-in provides guidance, accountability, and control.
Onboarding – One of the easiest ways to get your staff serious about cybersecurity is to cover it day one. Requiring new employees to review and approve your information security policy is a good starting point and will hopefully stoke dialog on cyber hygiene. This strategy helps avoid the assumed “they just know” risk.
Recurring – Ongoing training can be approached in a number of ways, but one example might be a three-pronged attack involving formal training, random testing, and on-demand resources.
- Formal staff training: the subject matter can vary with management objectives, but this training should be conducted by a relevant manager or IT administrator. These meetings should be mandatory and occur at least often enough for every employee to attend within each calendar year. Thus, you’ll need to gauge frequency based on how often your company adds or turns over personnel.
- Random testing: A burgeoning part of the industry, businesses can purchase phishing attack simulations for staff testing and training. This service creates opportunities for training and enables employees to learn the importance of vigilance without costing the company days of pain and thousands of dollars.
- On-demand resources: Your employees shouldn’t have to wait for a formal training to get the resources they need for cyber hygiene. Your information security policy, videos, best practices slicks, and articles can all serve this purpose to educate and avoid confusion. Feel free to use our resources, like our cybersecurity best practices video series!
Bonus tip: form a cybersecurity committee – Many small businesses form committees to lead the charge on charities and health/safety, so why not cybersecurity? It’s a great way to get workforce buy-in and delegate responsibility via a “self-policing” approach.
Bonus tip: carrots and sticks – Will there be any repercussions for putting your company at risk or rewards for protecting your assets? Creating such policies and practices can make your program that much stronger. Here are some examples to consider:
- “Carrots”: information security policy trivia (with prizes), newsletter/meeting recognition, bounties for identifying and blocking attempted attacks.
- “Sticks”: (following failed phishing test or policy violation) mandated review of policy, testing, featured in “fail list” announcements.
What’s the payoff?
Proper cybersecurity training will require some time and money – just not as much as a ransomware, spear phishing, DDoS, or banking trojan breach. Overall, the financial investment can be minimal, as phishing simulations are likely to be the greatest expense. Regarding time investment, most small businesses could write up their entire training program in a one-page document. All these efforts are well-spent given they bolster your #1 cyber weakness and risk.
Remember, cyber-criminals target your employees because of employee oversight and neglect of security in favor of convenience. While few intentionally put their employer at risk, poor practices like leaving computers unlocked, using simple passwords, and “itchy mouse fingers” in email put small businesses at risk of monetary loss and brand damage.
To get your cybersecurity employee training program started today: create/review your information security policy, then consult with IT management to create materials for onboarding, formal training, and on-demand use. The proactive work your business puts in today will go a long way toward operational stability and security.
Unfortunately, there is no fool-proof method for preventing breaches, so in our final edition of the Small Business Cybersecurity Series, we’ll highlight how to mitigate damage in the event of a successful network breach.