A May 2022 Security Magazine article illuminates the severity of the threat that small businesses face when it comes to being hacked. Statistics reveal that 43% of cyber attacks are aimed at small businesses, with consequences ranging from severe productivity loss to actually closing their doors.
Many small business owners erroneously believe that hackers are after bigger targets than them. Yet the same article reveals that 47% of businesses with fewer than 50 employees do not have a dedicated cybersecurity budget. For these small businesses, there may be other complicating factors, such as systems that are outdated and unsupported, and software for older devices that may no longer be supported.
But, in analyzing how a small business’s network gets compromised, numerous cyber experts reach the same troubling conclusion: nearly 90% of all cyber attacks and intrusions on a business network happen because of human error.
Or, said differently, your employees – no matter how well-intended they may be – often inadvertently allow a hacker access to the company network. It could come from an action such as clicking on a link
Therefore, it makes perfect sense for companies – including small businesses that may have previously thought they were not vulnerable to cyber attacks – to develop and implement ongoing employee training programs to make employees proficient in detecting cyber threats.
Not only is this good business practice, but it may also be necessary if you are contemplating buying cyber insurance to protect your company against liability from cyber damage.
The Travelers offers some recommendations for establishing cyber security training programs for employees. They recommend new hire training and refresher training courses that include being responsible for company data, procedures for document management and notifications, strong password planning, a “no unauthorized software” policy, and training in Internet use, along with responsible email use.
The cornerstone of employee training is awareness. Business owners should make their team members aware of what the common cybersecurity risks are, and how to recognize them – and avoid them. Training should include the basics of phishing, malware, and general cyber awareness. Training should be more than an occasional or “one-off” event; it should be ongoing since hackers are continually coming up with new ways to hack into infrastructures.
Some companies develop and implement training programs internally, whereas others will partner with an IT/Managed Services company to come in and provide the training. However your company tackles this problem, it is important that it be a part of your company’s culture and that management makes it clear that this is very important. Reinforce with each employee the importance of protecting your company data. In addition to legal and/or regulatory requirements, you and your employees have an ethical obligation to protect your data and the data of your clients.
The purpose of training should be to educate, not to blame. If an employee inadvertently caused a breach, for example, it’s a better policy to gently correct the mistake with education. Your employees are your biggest asset. Show them that you buy into the importance of training and get them to see the value of the training you are providing them. In return, you’ll get more dedicated and conscientious team members.
The training content should include, but not be limited to:
- Email awareness: What are the common telltale signs of a phishing scam, such as a suspicious link, awkwardly-phrased language, spelling errors, and requests for personal information.
- Personal device best practices: The “what’s” and “why’s” behind the company’s policy of what company information can be stored on employee personal devices such as iPhones (in general, no!).
- Data incident reporting: Reporting procedures if a computer slows down or becomes infected by a virus.
- Alerts: How to recognize a legitimate warning message or alert.
- Security policy: In case of detection of a problem, who employees should immediately report the incident to.
- Social media policy
- Training on the latest anti-virus software
- Vulnerability training: Scheduled sessions with experts who will test the weaknesses in the company’s infrastructure.
In future blogs, we’ll look at some of the steps in the employee training process in more detail. If you have questions about how to set up a training program for your employees, we can help! Contact us, firstname.lastname@example.org.