Security awareness

How Security Awareness Training Can Protect Small Businesses

Dan Virgillito
March 29, 2017 by
Dan Virgillito

Small businesses are progressively utilizing information technology in business processes, but aren't doing it securely. In essence, they do not believe adversaries will target them when there several other big, profitable organizations to attack. As a result, they neglect important measures like security awareness training, which leaves their firm in the crosshairs of cyber criminals.

In many ways, smaller firms have more at stake than larger businesses because an adverse event can be extremely costly to them. According to the US National Cyber Security Alliance, 60% of small businesses fail to sustain their operations within six months after a cyber security breach. The adversaries attack them to steal information like customers' identities, bank records, and even intellectual property.

See Infosec IQ in action

See Infosec IQ in action

From gamified security awareness to award-winning training, phishing simulations, culture assessments and more, we want to show you what makes Infosec IQ an industry leader.

The common things that lead to data loss and security breach include employee reuse of credentials on multiple websites, download of malicious attachments sent via emails, social network use, loss of devices with confidential data, and inadvertently giving sensitive information over the phone. Increased focus on security awareness training, from the ground up, is needed to prevent such incidents.

Why Do Small Businesses Need Security Awareness Training?

Small businesses face a challenging situation. Owners usually find they do not have enough finances to invest in robust security systems. Resources are limited, and the size of their IT department is not equivalent to that of bigger organizations. Fortunately, establishing a culture of security awareness lies within their reach.

Security awareness training is essential to small businesses for preventing a variety of non-technical and technical breaches. By ensuring personnel is well-schooled on managing security from bottom up, smaller firms can maintain the confidentiality of their most valuable assets. Also, security awareness ensures the following:

  • Regulatory Compliance: Regulations like Sarbanes-Oxley and PCI know that humans are the weakest link in information security. Security awareness training ensures full compliance with such regulations.
  • Customer Trust: Consumers are getting skeptical about the companies' promise regarding the safety of their data. They are overwhelmed by the frequent appearance of data breach headlines. Security awareness training motivates employees to do everything possible to protect customers' PII (personally identifiable information).
  • Cost Reduction: Kaspersky Lab's survey revealed that small businesses need to spend $38,000 on average to recover from a data breach, and the cost is even higher if the reputation damage and indirect costs are accounted for. Security awareness training ensures the company is prepared to prevent such instances; think of it as an investment that results in significant savings down the line.

It is clear that being proactive in making their staffers security aware is one of the best things small businesses can do to protect their assets and reputation.

What Risks/Threats Do Small Businesses Face?

Small businesses appeal to cybercriminals because they lack the level of security that a large organization can implement to reduce threats. Following are the security challenges they face:

Spear Phishing: Adversaries use techniques like BEC (business email compromise) and spear phishing to send bogus emails that ask for money. The identity of a trusted vendor, a business advisor, or a financial institution is leveraged to create legitimacy. Spear phishing attacks on small companies have increased significantly in the past years.

Ransomware: This is when a virus is installed on business systems and authorized users get locked out completely. Data becomes inaccessible as it gets encrypted by the adversary, after which cash is asked for to regain access. Ransomware is generally delivered via downloads and attachment. Depending on how critical the blocked data/system is to a company, an attack could cripple operations.

BYOD- based Infiltrations: As more small businesses adopt BYOD, their risk exposure to app downloads malware and Trojan software that come from unencrypted network connections increases. This usually happens when company personnel use their personal devices to access business information via public WiFi, share data via third-party apps, or neglect changing account passwords.

Ignorant / Malicious Employees: This is the root cause of most security threats faced by small businesses.An ignorant or malicious attitude on the part of employees makes your plans, business information, payment details, customer information, etc. vulnerable to hacks. Typical ignorant or malicious behavior includes visiting illegal/unsafe websites, accessing applications from unauthorized sources, and using weak passwords.

It is crucial to have security awareness training in place to reduce your risk exposure to these threats.

How Does a Small Business Set Up A Security Awareness Program?

A security awareness program is essential to stop considering security as a one-off implementation to combat threats and to build a pervasive, proactive security culture where personnel can detect risks and make appropriate decisions on their own. Here's how small businesses can create a security awareness training program and get everyone involved.

1. Assign Roles and Get People to Take Responsibility

Role-based security awareness training represents a cross-section of the business. Training should be aligned to differing roles and responsibilities. For instance, managers should understand security requirements and take responsibility for encouraging employee awareness. Employees, on the other hand, should be given the role in safeguarding company data and privacy. Security awareness training at employee level could involve briefing on spotting identity theft attempts and suspicious messages.

2. Personalize Where Possible

The best way to deliver security awareness is to instill it inside your company's culture in a personalized manner. Work with your IT department to translate security jargon into simple guidelines that everyone can follow easily. Another thing you could do is teach personnel about security risks via real life examples. If you are concerned about weak password practices, make a link to the real world to help good password practice training resonate. For instance, strong passwords protect confidential information in the same way as a strong immune system protects the human body against diseases.

[download]Download the BEST PRACTICES FOR DEVELOPING AN ENGAGING SECURITY AWARENESS PROGRAM whitepaper[/download]

3. Give Reminders of Safe Behavior

A core essence of security awareness training is the ongoing promotion of safe behavior. Use communication tools like Slack and Google Hangouts to communicate safe behavior frequently. For instance, you can pin items that highlight the dangers of connecting to unsecured WiFi networks on Slack. Alternatively, simple calendar reminders can be used to deliver security notifications when they are needed.

4. Establish Metrics to Access Security Awareness Training

Metrics need to be laid out to measure a security awareness training program's success. They are going to vary for different types and levels of training. For instance, fewer system outages and reduced email scams would imply a better awareness of security threats and improved recognition of social phishing attempts. Performance evaluations and behavior tracking can be leveraged to know whether the security awareness program was successfully set up or not.

Setting up a mature security awareness program will mitigate the risk to small businesses of adversaries gaining unauthorized access and stealing business information.

Security Awareness Resources for Small Businesses

Every small business is different, and there's no specific way of setting up a security awareness program. However, the following resources contain helpful tips and hints that will give you a clear idea.

PCI Security Standards Council: This resource provides small businesses with awareness on protecting data of payment cards, something small merchants rely on for transactions. The resource features a variety of guides for small merchants.

NCSA (National Cyber Security Alliance): The NCSA offers a resource that helps your business safeguard its operations from cyber attacks, privacy breaches, and other threats.

Barry Horne Training: BH training offers a special security awareness course to small businesses. Students learn how to protect the most valuable business data from the common security threats that small businesses are exposed to. The course is designed in a non-technical language.

See Infosec IQ in action

See Infosec IQ in action

From gamified security awareness to award-winning training, phishing simulations, culture assessments and more, we want to show you what makes Infosec IQ an industry leader.

Final Thoughts

With the security awareness training sector poised to grow over $10 billion over the next decade, it is high time for small businesses to make security awareness training a fundamental part of their threat defense strategy. The guidelines and resources mentioned above provide direction to the measures that protect confidential information, enabling you to ward off adversaries that look to victimize easy targets.

Dan Virgillito
Dan Virgillito

Dan Virgillito is a blogger and content strategist with experience in cyber security, social media and tech news.