SMB Cybersecurity Awareness
What Every Small Business Should Include in Cybersecurity Awareness and Training
All it takes to undermine the IT Security protecting your business’s network and intellectual property is one wrong click or download by an employee. According to Verizon’s 2017 Data Breach Investigations Report, 43% of breaches occurred via a social attack such as phishing or pretexting which count on your employees to click on or open malicious attachments. Hackers are becoming more sophisticated at creating believable emails that spoof legitimate businesses and contacts, increasing the chances that even cautious employees will fall for the attack. In an ideal world, your IT security policies and tools would prevent these attacks from ever reaching your employee’s mailbox or web browser, but implementing a robust training program will prepare them for any encounters that do occur.
Let’s look at six topics which need to be in every business’s cybersecurity training program:
Verizon reports that “81% of hacking-related breaches leveraged either stolen and/or weak passwords”. It is the business’s responsibility to train employees on how to select strong passwords and then enforce strong password selection through IT policies.
Strong passwords will at a minimum follow these guidelines:
- contain multiple character sets (uppercase, lowercase, numeric, and accepted special characters)
- Are updated frequently to replace older passwords (example: forcing password change every three months)
- Use unique passwords that are not shared with other systems
- Are not “dictionary words” that can be brute force hacked
- Are not written down or stored in plain text
We strongly recommend a Password Management program such as LastPass or for centralized management, PassPortal. If you still want to keep your passwords in your head take a look at this article for some helpful tips!
Employees should secure physical devices and computer systems against theft. When leaving their desks at work, they should lock their screens so that a password is required and any passersby cannot access company systems and data.
Outside of the office, employees should never leave their computers unattended, in plain sight in vehicles, or placed in checked luggage. Even laptops in carry on luggage are at risk as travelers sometimes grab the wrong laptop/bag or even forget their laptops while going through security.
While we are discussing lost devices, don’t forget to secure smartphones that are more easily stolen, forgotten, or lost. These powerful devices often have access to your business data through employee email accounts and contain enough personal information for hackers to create plausible social engineering stories to gain further access.
Attackers know they have the best chance of success by personalizing their attacks using information about your company and its employees. Employees are more likely to open emails from coworkers and businesses whose names are familiar. While attackers may use public records and electronic research to gather some of this information, do not underestimate old school methods like calling the office and asking leading questions about the organization and employee roles. These calls may sound innocuous, and in many cases reflect sincere and legitimate business interests, but a good training program will teach employees to question callers who are acting too curious.
Email Links and Phishing
Attackers are getting better at spoofing emails and logos to create emails that look like the real thing. Employees should be cautious about opening any email attachment, particularly files they are not expecting or that seem unusual, and should verify links before opening them. These email attacks rely on employees opening them to install malware or gain further access to the network.
If the email address does not match the source, or if links in the email point to a site that is different than what it purports to be, they should not click or open anything in the email. Training programs can walk employees through the steps to mouseover a link without clicking to verify the target destination and identify fake emails.
Employees can verify email attachments by contacting the coworker or friend who sent them to verify it is legitimate.
Software Installs and Updates
Small businesses should implement a software policy that clearly identifies what software employees can install on their own. “Shadow IT” occurs when well-meaning employees install freeware or open source tools to facilitate their work when company provided tools are not meeting their needs. Additionally, employees may install personal software for entertainment purposes such as Spotify or Skype. Installing software from unknown sources may result in unknowingly installing malware or viruses, while installing copies of personally licensed software may open up the company to software piracy lawsuits.
In many cases, additional software can help employees be more productive during their time at work so businesses will need to determine the appropriate level of employee autonomy that balances individual workstyles with security. For commonly used publicly available software that has been approved, your company may preinstall those titles or keep an approved installation source for employees to access.
Reporting Suspected Attacks
It is important for employees to report suspected breaches. Part of cybersecurity training should include when and how to report spam, phishing attempts, suspicious social engineering, and lost or stolen devices. These reports can help stop the spread of an attack before it affects the rest of your business.
Putting it all together
We’ve discussed which topics should be included in a small business cybersecurity training plan, but when and how should training be presented?
Employees may be aural, visual, kinesthetic, or reading learners and simply issuing a written security policy will not address these learning styles. Aural learners retain information best through listening, visual learners respond best to visual aids and charts, reading learners will learn best through reading text, and kinesthetic learners will remember the material better through activities and sample scenarios. Training plans that adapt to and include different learning styles will be the most effective. For example, a traditional training class may include presentations with a trainer giving auditory information, backed up by visual information on slides, and reinforced through role playing scenarios. A recent trend in employee education has been gamifying the training program, where employees can earn badges or prizes for successful completion.
At a minimum, new employees should receive security training during their onboarding process. This is the ideal time to help them understand their role in keeping company data secure. For existing employees, we recommend annual training to refresh their security knowledge and cover any new trends and threats.