People are a problem in cybersecurity and amplified in small businesses. Fixing that problem is more of an art than a science, as different techniques work for different companies. How do you prepare your employees to be the first line of defense against cybersecurity attacks? Using best practices from across public and private sector organizations.
As the owner of an SMB cybersecurity services company, I’ve gathered proven tips to help you establish – then mature – a cybersecurity training program for your staff.
The Culture Connection
Having a military background, information security has been drilled into my brain from day one. The consequences had national security implications and slip-ups weren’t viewed lightly.
For Main Street businesses and operations with a few dozen employees, the idea of being at risk can seem distant and small. That’s why the initial step of any good cybersecurity protection and training program is to create a cultural understanding that the information your company has been entrusted with has significance.
When employees value the organization, they can see the impact of cybersecurity, whether that’s protecting a single customer from a stolen credit card number or establishing partner trust as part of their supply chain.
Culture can also help employees internalize their role in protecting the brand; their actions are part of the trust brokered with customers, patients, or the public.
- Empower your defenders: Define each employee’s role in cybersecurity (and your other goals!) and spell out expectations
- Join the team: Nurturing feeling part of the group and responsible to other colleagues helps establish a sense of responsibility to do one’s part
- Stress vigilance: Make it easy to report anything questionable or concerning
Level The Lessons
Because different people in your organization have different roles and access, it’s important to tailor cybersecurity training. The 80/20 rule applies: approximately 80% of your staff requires basic training, and the other 20% will be more advanced. Everyone, regardless of their role or title, should have enough instruction to know what kinds of things are suspect, what to do if they see it, and other basic cyber and password hygiene.
For those in service with access to customer data or company files, additional annual training should include Identifying and Protecting Personally Identifiable Information (PII); industry standards such as HIPAA, CMMC, or ISO27001; system configurations; emergency response to a breach; and any civil or legal penalties for data leaks. And, don’t forget about training your remote or hybrid employees! Those employees often have a direct connection to company systems and critical data.
For your IT team, C-suite, and senior-level managers, who may have access to banking and confidential information that could cripple the organization, annual training is should be joined by monthly or quarterly programs that provide updates on new schemes and risks; exercises to identify insider threats; and advanced training on new technology or new approaches to cybersecurity.
- Microlearning: Modules that take just a few minutes a month can remind employees about scams, risks, what to do, and their role.
- Outside expertise: Identifying outside training programs may be more affordable than developing lessons internally, allowing for individualized training programs.
- Gamification: Engaging content “sticks.” Adding entertainment to training, including videos, quizzes, or interactive elements, is more motivating and more memorable. And good, old-fashioned competition (like a leaderboard or rewards) will have employees clicking on training links within seconds of getting the email.
Cybersecurity training can’t be effective if it’s haphazard. To embed a true culture of security, you need to create a formalized training program with a regular cadence, delivered in such a way that employees can’t opt out. Participation and results should be monitored and tracked to show progression in knowledge or skills. It also never hurts to call out those who are top performers or compliers.
In addition to training, make sure your company has policies and processes that back up solid cybersecurity, including guidance for everyday issues like setting passwords, downloading apps, scheduling data backups and security patches, and handling payment cards. Spelling out your “rules” establishes expectations. However, no one is excited about a 200-page security manual, so also be sure to provide cheat sheets, flow charts for “how to,” and other resources or hotlines for employees who have questions or a problem. Engraining security is about making it easy to do the right thing.
- Testing: Simulated hacking and phishing can be used as a learning tool, creating teachable moments and reinforcing how easy it is to be tricked. Those who get “caught” shouldn’t be punished; instead, reinforce the correct skills to prevent the same mistake from happening again.
Run The Numbers
If your small business wants to take cybersecurity seriously, you’ll need to budget for training. People are your greatest asset and also your greatest liability. Human error is part of nearly all data incidents and it can be shaped.
A new Panaseer survey found that although businesses increased their cybersecurity budget by an average of 29% for 2023, respondents felt they needed an additional 40% rise to be confident in their ability to mitigate security risks. The survey reported that more than half would spend money on hiring additional security specialists, followed closely by investing in security awareness training (50%).
Your overall security profile is determined by security technology and your front-line defense, the actions of your employees. Don’t leave cybersecurity training to be an afterthought. Build your program on best practices from across the public and private sectors.