Building a Security Awareness Program for Small Businesses

January 21, 2019 by Penny Hoelscher

InfoSec Institute is dedicated to increasing security awareness and has an enormous repository of information to help individuals, small- and mid-sized businesses and enterprises to increase their security awareness.

In this article, we are going to focus on building a security awareness program for small businesses in-house and making it fun.

Spend money on teaching people not to click on suspicious links? You’ve got to be kidding me!

No. Between 43 percent and 70 percent of cyber-attacks are aimed at small businesses. In 2017, the cost to an SMB was, on average, $2,235,000. After depleting their capital to clean up the mess, up to 60 percent of SMBs shut down within six months of an attack.

Before we begin: Are you actually a small business?

Use the Small Business Administration’s online tool to find out.

An SMB (aka SME) is usually considered a business with up to 500 employees, although revenue, assets and industry are also considered, and the figure may be as high as 1500. With a small workforce, SMBs have the opportunity to innovate security awareness strategies in ways that many large conglomerates often can’t, because of logistical difficulties and costs.

7 Creative and Practical Security Awareness Ideas That Can Also Add Business Value

1. Stay informed at home, at work and in the chill room

Colorful, informative posters catch people’s eyes, particularly when they are packed with interesting or startling statistics. InfoSec Institute has a collection of 30 security infographics to download and decorate the office with messages that make people think about security.

2. Use a carrot, not a stick

An information security student carried out an experiment to discover whether positive inducements could tempt users in a particular department at a company to properly log off their mainframe terminals. Open sessions were disrupting operations and posed a security risk. At night, the student left a chocolate on the keyboards of the computers that were turned off.

As reported by Network World, the results were surprising: “At the end of the month, she found that compliance with the logoff policy had climbed to around 80% in that department but remained at 40% elsewhere.”

If you can do it for your Christmas party, you can do it in the name of security. Competitions and rewards are great motivators.

3. Shared laughter is contagious and spreads like wildfire

If shares on social media are anything to go by, everyone likes a good giggle and to pass it on. Memes, jokes, comics, cartoons and parodies make security awareness more palatable than a text-heavy manual of your company’s (let’s be honest, boring) security policies.

4. Engage employees face-to-face and get personal

Davey Winder from Solar Winds MSP says employees will retain more when it is pointed out that security awareness will benefit them at home as well as at work. Q&A sessions, round-table discussions and one-on-one chats with security professionals help to pique employees’ curiosity, make them feel like valuable team members, and give them the opportunity to ask questions and share their ideas.

“The worst thing that you can do is make security awareness training a boring and non-personal lecture. I’m not saying it has to be fun, fun, fun all the way but it does have to be relevant to the individual as well as to the business they work at.”

To keep up the pace year-round, add a suggestion and feedback box.

5. Schedule security time with beer and pizza (or coffee and donuts)

Employees start watching the clock around lunchtime on Fridays. That is the perfect time to schedule some light but pertinent security awareness training and get conversations going. InfoSec Institute has a number of security videos on YouTube you can stream or ask employees to take turns scouring the net for their favorites. Some suggestions:

Not keen on bonding? Try this free online cybersecurity course from the U.S. Small Business Administration that employees can do in their own time, alone.

6. Gamification and competition

TechGenix suggests “exciting activities” will get employees out of their chairs and having fun while learning. Some ideas:

  • Quiz time: Sort of like Quiz Night at the bar, but with prizes for answering security questions
  • The hunt is on: Set staff loose to find sensitive documents left carelessly in sight or in bins, or unlocked doors to computer equipment.
  • Offer a bug bounty: Primarily for the techies, this activity could reward anyone who finds a system vulnerability. Non-techies may surprise you: they are the ones who notice that reception is empty when they arrive at work in the morning, with the office keys left in an unlocked drawer.

InfoSec Institute’s SecurityIQ program keeps staff on their toes all year round. Try the interactive app to find out who’s vulnerable and phish your co-workers for free! (You will need a work email to do this.)

7. Annoy or scare the heck out of them

As reported by, frustrated CISOs have successfully used some techniques to annoy or scare security-complacent workers so much that they finally take notice and buck up their security.

  • QA Training technical director Bill Walker suggested an app that shut down employees’ computers and informed them all their data had been lost. “When you then tell them that this was a drill, they would sit up and listen. It’s one of those things that people only take seriously when they see the consequences directly,” he says.
  • Lee Barney, IS head at Home Retail Group, said: “We got a guy dressed up as a gnome and went out across the office and handed out pamphlets and asked the employees to come to us if they had any questions. After a couple of weeks we had been very successful in ensuring that phishing emails were no longer an issue.”

Key Elements of a Security Awareness Program

Follow a Step-by-Step Plan

The Security Awareness Company keeps it focused and simple:

  1. Assess your requirements
  2. Outline your company culture so you can choose appropriate content and learning methods (not everyone is up for “fun”)
  3. Set goals you can measure
  4. Define a budget
  5. Plan a timeline
  6. Launch your program
  7. Track the metrics
  8. Adjust, where necessary

Security Awareness Doesn’t Have to Be Boring

Modern methods use technology to make e-learning engaging. What should you include?

  1. Metrics: In a Business News Daily article, Serge Borso, instructor at cybersecurity academy SecureSet, said metrics were the key to a successful awareness program. “Start by thinking about the areas of concern that training is designed to address, and formulate a method to calculate successes and failures.”
  2. A cocktail of training tools and methods: The element of surprise works for the hackers, so make it work for you. Some techniques include: e-learning modules, email and SMS messaging campaigns, phishing simulations, posters, one-on-one training and paid ethical hacking courses for technical staff.
  3. Communicate: Set up a channel for users to ask questions and log issues, perhaps using an online app like Slack. Have a designated area, such as a corporate wiki, to store security-related material.
  4. Regular training: Reinforce the message with regular training and updates. This is especially important for departments that are audited regularly. Have your own Security Awareness Week or throw a Security Awareness Party.
Resources From InfoSec Institute and 3 Top Tips

  1. Security Awareness & Training for Small Business: Appoint a security awareness champion, a leader who can foster a security culture and drive the program.
  2. Security awareness, training, and education: Use a role-based design for your training program so you can distinguish between learners’ knowledge requirements within the broader organizational context. If your company is a heavily regulated one, you may need professional compliance training for your staff. IT staff may need in-depth technical training.
  3. Security Awareness — Definition, History, And Types: “One good indication of whether or not a company is taking security awareness seriously can be found in their budget.” What does yours look like?

Sources

  1. Cybersecurity statistics every small business should know, Cyber Dot
  2. The biggest risk to your business can’t be eliminated. Here’s how you can survive, Inc
  3. Online tool to size an SMB, U.S. Small Business Administration
  4. Free online cybersecurity course, U.S. Small Business Administration
  5. Security awareness programs can be imaginative and fun, Network World
  6. 5 tips for creating a meaningful security awareness program, Solar Winds MSP
  7. Humans: The Biggest Risk to Cyber Security, Jagdish Mahapatra for TEDxGateway
  8. The 1s and 0s behind cyber warfare, Chris Domas for TEDx Columbus
  9. Viral on Advanced Keyless Entry Hack, Pinnacle Productions
  10. Not so long ago, in a galaxy not so far, far away, The Information Warfare Site
  11. Cybersecurity Awareness Month, TechGenix
  12. Innovative ways for CISOs to raise cybersecurity awareness,
  13. Build your own security awareness program, Security Awareness Company
  14. Security training program tips, Business News Daily
Penny Hoelscher has a degree in Journalism. She worked as a programmer on legacy projects for a number of years before combining her passion for writing and IT to become a technical writer.