Small business IT managers buy and implement expensive security technologies hoping to keep themselves safe from cyberattacks.
But they’re missing one crucial thing: Employees are the weakest link in their cybersecurity strategy.
Ninety percent of successful cyberattacks are executed with information stolen from unsuspecting employees. Twenty-eight percent of cyberattacks involve an insider. In fact, one out of every five security breaches is the result of human error.
IT security technology alone won’t prevent cyberattacks that use social engineering techniques to manipulate people into divulging confidential information.
Security awareness training is an effective, inexpensive way to help employees improve their knowledge of cybersecurity best practices.
Organizations that design and implement a regular security training program to educate employees on security best practices will see user-related data breach risks such as phishing reduced by 40 percent or more over the next two years.
In this article, we’re providing examples and training materials that you can download and use to build your own security awareness training plan.
What is security awareness training?
Security awareness training is a formal process of educating your employees about cybersecurity best practices. It should condition employees to identify scam emails and harmful websites, as well as prevent them from clicking on malicious links or revealing confidential data.
Security awareness training plans include a combination of elements such as online training materials, employee acknowledgment of IT security guidelines through signed training documents, computer-based interactive security training materials, simulations of real cyberattacks, gamified exercises, and more.
Creating an engaging and continuous security awareness training program will help you realize many benefits. By 2020, Gartner expects that:
- Businesses that conduct interactive security awareness training activities at least once a month will experience fewer security breaches caused by human error.1
- Businesses that measure the effectiveness of their security awareness training programs will see human-error related data breaches decrease by 40 percent compared to organizations that don’t measure the success of their security awareness training plans.2
- Organizations adopting a holistic security awareness training plan that tackles multiple areas such as data privacy, password protection, and more, will see employee security competency rise by 40 percent compared to 2017.3
Preparing a strong and engaging security awareness training program will help you save millions in lost data and brand image. Use the free resources we provide below to prepare your own security awareness training plan.
Tackle phishing attempts with diligence
Phishing is a form of social engineering that involves sending emails purporting to be from reputable persons and/or firms and inducing the receiver to reveal information such as banking details or passwords or to click on certain URLs that are compromised.
Phishing doesn’t always come in the form of emails, though; it could also be a forged website that looks very similar to the original domain but captures your confidential information. It may also involve phone calls or text messages that try to gather confidential details or convince the subject to transfer money.
According to Cofense (previously PhishMe) research, 91 percent of successful cyberattacks are initiated through phishing emails. Findings from Verizon reveal that 66 percent of malware leading to data breaches was installed via malicious email attachments.
Phishing techniques are easy, and they target the vulnerable “human side.” While fear, curiosity, and opportunity were among the top human emotions that hackers once targeted, today, successful phishing attempts target the human need for entertainment, social media interaction, and reward/recognition.
Here is a real phishing email that one of my colleagues received:
How did we identify this as a phishing email?
Here are some clues that helped us identify this email as a phishing attempt.
- The salutation does not include the name of the receiver. This should raise suspicion, since professional emails address you by name.
- Look at the URLs in the email. Gartner URLs do not use /doc or /pdf; the path is usually /document. Also, this URL does not contain the document name but looks like it has been cut and pasted after a search, which does not demonstrate professionalism.
- A client asking for just the first few pages is dubious. Clients usually purchase the report or see if a free, public version is available.
- There is no introduction about the sender. By mentioning that they want to “read your great work,” they are trying to appeal to the receiver’s emotional side that seeks appreciation or recognition. Such emails must be re-read and treated with caution to ascertain their authenticity.
For most users, business-context phishing emails are the most difficult to recognize. They tend to use very similar domain names and ask you to complete a specific business function (such as taking a training session or adding personal details via the link provided). The fear of not complying with business orders often hastens the action an employee takes, making them fall into the phishing trap.
The best way to tackle malicious phishing attempts is by training and educating your employees. Here are some tips to include in your training plan:
- Verify the authenticity of the email: Take your time to respond to emails, both from known and unknown sources. Do not immediately click on any URLs within the email, send any confidential data, or make a money transfer based on an email. When in doubt, contact your manager or supervisor, or wait until you can confirm the authenticity of the email.
- Double-check URLs: Often, you can identify fake URLs through the warning signs they leave. Compromised URLs may not be exactly like other URLs from the same website or may come from a domain other than the original one (for example, .co instead of .com). They may be partially masked, have multiple dashes, or they may be shortened. Antivirus software and internet security solutions help by providing alerts about harmful websites.
- Look for grammatical errors: Most (though not all!) phishing emails and websites have some spelling and grammatical errors in them. Look out for misspelled words and poorly written sentences to identify scams or fraudulent content.
- Encourage employees to report suspicious emails: Employees must be encouraged to report suspicious emails to their supervisors or IT team. Active reporting helps to reduce, on average, the time to detect a breach from 146 days to just 1.2 hours. By creating awareness about a potential phishing threat doing the rounds, other employees can be prevented from opening the malicious email. Businesses must also recognize and reward employees who are alert and report suspicious activity.
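The clues above (generic salutation, a URL that does not match the real site, appeals to recognition) and the URL warning signs in the tips (a .co instead of a .com, multiple dashes, shortened links, link text that hides its real target) can be turned into a small triage script that an IT team can run over a reported message to explain to the employee why it looked suspicious. The following Python is an added example written for this article, not code from the original or from GetApp; the sample message, the trusted-domain allowlist and the shortener list are constructed, and the phishing message is modelled on the description above rather than being the real email.

```python
"""Phishing triage checklist from the training tips, as code (added example)."""
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, modelled on the message the article describes.
SAMPLE_EMAIL = """\
From: "Research Desk" <reader@gartner-research-portal.co>
To: analyst@example.com
Subject: Would love to read your great work

<html><body>
<p>Hello,</p>
<p>Could you send me just the first few pages of
<a href="http://gartner.co/doc/market-guide">https://www.gartner.com/document/market-guide</a>?
A summary is at <a href="http://bit.ly/3xyzabc">our site</a>, and the request form at
<a href="http://secure-gartner-client-docs.com/form">the client form</a>.</p>
</body></html>
"""

TRUSTED_DOMAINS = {"gartner.com", "example.com"}            # constructed allowlist
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}  # common public shorteners
PRESSURE_PHRASES = ("your great work", "urgent", "immediately", "account will be")
# A greeting with no name after it ("Hello," / "Dear customer") is generic.
GENERIC_GREETING = re.compile(
    r"^(hi|hello|dear|greetings)\b[^A-Za-z]*(there|customer|user|sir|madam|team|all)?[^A-Za-z]*$",
    re.IGNORECASE)


class _HtmlLinks(HTMLParser):
    """Collects (href, anchor text) pairs and the visible text lines of an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self.lines = [], []
        self._href, self._anchor = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._anchor = []

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._anchor).split())))
            self._href = None

    def handle_data(self, data):
        if self._href is not None:
            self._anchor.append(data)
        self.lines.extend(l.strip() for l in data.splitlines() if l.strip())


def _host(url):
    """Lower-cased host of a URL; bare 'www.x.com' text is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def _registrable(host):
    """Naive registrable domain (last two labels); no public-suffix list, so
    hosts under co.uk-style suffixes would need extra handling."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def check_url(url, trusted=TRUSTED_DOMAINS):
    """Return the article's URL warning signs found in one link target or domain."""
    host, findings = _host(url), []
    reg = _registrable(host)
    if reg in trusted:                      # a known-good domain needs no further checks
        return findings
    label = reg.split(".")[0]
    if reg in URL_SHORTENERS:
        findings.append(f"shortened URL ({reg}) hides the real destination")
    for t in sorted(trusted):
        t_label = t.split(".")[0]
        if label == t_label:                # same name, different TLD: .co vs .com
            findings.append(f"lookalike domain {reg} (expected {t})")
        elif t_label in host:               # brand name buried inside another domain
            findings.append(f"trusted name '{t_label}' embedded in unrelated domain {host}")
    if host.count("-") >= 2:
        findings.append(f"multiple dashes in domain {host}")
    return findings


def triage_email(raw, trusted=TRUSTED_DOMAINS):
    """Apply the training clues to a raw RFC 822 message; returns a list of findings."""
    msg = message_from_string(raw)
    parser = _HtmlLinks()
    parser.feed(msg.get_payload())
    parser.close()
    findings = []
    sender_domain = (msg["From"] or "").rsplit("@", 1)[-1].strip("> ").lower()
    findings.extend(f"sender: {f}" for f in check_url(sender_domain, trusted))
    if any(GENERIC_GREETING.match(line) for line in parser.lines[:3]):
        findings.append("generic salutation with no recipient name")
    wording = ((msg["Subject"] or "") + " " + " ".join(parser.lines)).lower()
    findings.extend(f"wording appeals to recognition or urgency: '{p}'"
                    for p in PRESSURE_PHRASES if p in wording)
    for href, text in parser.links:
        # The visible text looks like a URL but the real target is elsewhere
        # (what hovering over the link would reveal).
        if text.lower().startswith(("http://", "https://", "www.")) and \
                _registrable(_host(text)) != _registrable(_host(href)):
            findings.append(f"link text shows {_host(text)} but points to {_host(href)}")
        findings.extend(f"link {href}: {f}" for f in check_url(href, trusted))
    return findings


if __name__ == "__main__":
    for finding in triage_email(SAMPLE_EMAIL):
        print("-", finding)
```

The script only echoes the checklist; it is meant to back up the reporting habit, not replace it. A message that trips none of these checks can still be a phish, and the domain logic deliberately knows nothing about public suffixes, so treat a clean result as "nothing obvious" rather than "safe".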
Stay safe online: 10 best practices
Your employees, today, use the internet for a variety of business and personal transactions—researching potential clients, downloading free marketing templates, contacting potential business partners via email or social media, checking emails, watching videos, and more.
Safe and intelligent internet browsing practices will help your business grow revenues, reduce costs, and expand its customer base. Fall into the traps laid by cybercriminals, though, and it could even mean the end of your business.
Use your cybersecurity awareness training plan as an opportunity to enforce safe internet browsing practices among your employees.
Here are 10 tips for safe browsing that every comprehensive security training plan must include:
- Update browser and OS software regularly: Running older versions of your browser or operating system (OS) leaves you vulnerable to new forms of malware. Ensure that you update your software tools as soon as possible every time a new patch is offered.
- Check for HTTPS and the padlock sign: An HTTPS connection encrypts your connection with the third-party websites you browse. This becomes particularly important when you are sharing confidential information such as financial details when making an online payment. Only submit confidential details on websites that have the HTTPS certificate. You must also ensure that your own business website is protected using an HTTPS certificate to strengthen its security and to prevent hacks.
- Scan file downloads: Cybercriminals try to trick you into downloading malicious files laced with malware. Never download files from unknown websites. Install antivirus software that can help detect whether the files you’re about to download are potentially harmful.
- Use a VPN to connect to the office network when working remotely: Virtual private networks (VPNs) help to secure your connection with your office or business network even when you’re logging in from a public network. It secures and encrypts communications with your business network, ensuring that data transmission is safe.
- Use multiple strong passwords: Eighty-one percent of hacking incidents took advantage of stolen or weak passwords because hackers can easily break into accounts that use weak passwords. Using the same password across multiple websites also makes it easier for hackers to break into all your different accounts. Use a password manager tool to store multiple passwords securely.
- Update and run antivirus software regularly: Antivirus software solutions detect malicious files and alert you. It is important that you update your antivirus software regularly so it can detect all the latest forms of malware and spyware. Also, condition your employees to break the habit of delaying scheduled scans to ensure improved security posture at all times.
- Check URLs and webpage content for signs of phishing: Double-check all URLs to ensure authenticity. You should also roll your mouse over the hyperlinked text in a document to see where it leads. Be wary of websites that offer free games, ask for money, want you to recruit others, etc. since they could be harmful websites or phishing attempts. Always, when in doubt, seek help from a supervisor or IT team.
- Optimize privacy settings: Keep your privacy settings turned “ON.” This helps you keep your digital footprint less exposed. Otherwise, hackers and spammers will try to get a hold of your personal information.
- Optimize cookie storage: Cookies are temporary files in your browser’s cache that store details such as usernames and passwords. While this makes browsing convenient, it is a juicy target for hackers to steal your credentials. Manage your cookies using the various options provided within the browser, including deleting them on a weekly or monthly basis, depending on the sensitivity of information and the frequency of its use.
- Post judiciously on social media: People can go overboard with what they post on social media websites. Posting personal or professional details that would ideally stay confidential will only get hackers one step closer to you.
View and download for free the 10 best practices that will keep you safe when browsing online. Keep a copy on your desk so that it acts as a constant reminder.
Maintain data privacy and protection
Large businesses try to put adequate measures in place to safeguard data and maintain privacy by making employees sign documents, prohibiting emails to public domains such as Gmail, restricting access to certain websites, etc., but small businesses often have a more lax approach to data protection.
Many small businesses do not have tools to monitor what business data employees are taking home or to track emails sent outside of the company. Often, they do not even have any records or audit of what confidential, valuable, and private data the company possesses.
But, leaving data unattended and exposed can have serious consequences, including data loss, identity theft, ransomware attacks, and more.
It is therefore important to train employees to identify confidential data and follow data privacy and protection rules.
How do you identify confidential data?
Confidential data is restricted data that is not publicly available and is intended only for the eyes of the people directly working with it. Here are some examples of confidential versus publicly available data:
| Confidential data | Publicly available data |
|---|---|
| Revenue numbers before they are announced | Revenue numbers available through annual reports |
| Payroll information | Names of the business owner and of other employees obtained from websites like LinkedIn |
| Client names and the revenues generated from them | Client names mentioned in annual reports |
| Intellectual property and patents | Names of product offerings available on the market |
| Personally identifiable details of employees and customers | Email addresses and telephone numbers for contacting the business |
| Financial data such as credit card numbers | Share price |
| Internally used business reports and presentations | Company address and location |
Identifying confidential and nonconfidential data often means walking a thin line. What was once classified as confidential data may no longer be confidential, as in the case of revenue numbers before and after being reported.
So, talk to a manager and the IT or HR teams whenever you are unsure of the privacy status of the data you are about to use or reveal to a third party.
Data privacy best practices for small business
- Ensure that emails and attachments you send do not have confidential information, other than the required information for specific people who are approved to view it.
- Do not leave confidential papers and digital data unattended or unlocked. Shred papers and archive electronic confidential data that is no longer needed.
- Restrict access to confidential information and use systems such as multifactor authentication to ensure the security of privileged accounts.
- Regularly remind and train your employees on the need for data privacy and consequences if you lose confidential data.
Next steps for creating your own security awareness training plan
Building a culture of security is an ongoing process. It involves constant reinforcement of security best practices along with new ideas to tackle existing and evolving threats.
One of the first steps to take is to measure or understand where your organization and employees stand with respect to their understanding of key security issues. Your next steps in preparing your security awareness training plan will depend on how much your employees know now about IT security best practices.
We have developed a basic-level quiz to help you determine how well your employees know the key cybersecurity concepts.
Free resource 3: Quiz
Know your security posture score. Security posture indicates overall cybersecurity strength of an organization including capabilities of its IT security technologies, employee knowledge, and other security controls.
Take our quiz and use it to learn your employees’ security posture score. I’ll call it their “stage 1 score,” since this is a basic quiz. As you progress, you may need to take more difficult quizzes to judge where you stand vis-à-vis security best practices.
A score of 9 and above indicates a high level of understanding of security awareness and is something every employee in your organization must strive for. Specialized training must be provided to employees after identifying where they fail to recognize security issues.
Security awareness training programs should be a combined effort of the IT and HR departments. Haphazard training with no defined objectives will be a waste of time and effort.
These are the key steps you should take as you prepare your own security awareness training program.
- Set clear objectives: Clearly define the goals that security awareness training intends to achieve. For example: increasing the reporting of phishing emails by 15 percent, attaining an average security posture score of 9 and above throughout the organization, minimizing the number of cybersecurity-related human errors by 10 percent, or any other item that is relevant to improving your business’s security.
- Create an internal security training team: Create a task force of employees who will administer and organize security awareness training programs. Ensure that the individuals on the team have the authority to drive the program. You can also rotate this team, say every 6 months or annually, with another set of people to bring in different perspectives and ideas.
- Design engaging content: IT security training sessions can be, in a word: boring. Providing engaging training content—team exercises, quiz competitions, security champion awards—will make employees more cyber aware. Tailor the content to meet the training needs of different employee demographics, e.g., regular employees, employees with privileged account access, contract workers, etc.
- Update your security training plan annually (at least): Conduct surveys and quizzes to understand how knowledge of IT security practices has improved among employees. Review and update your training plan at least once a year to meet the new IT security challenges faced by the business.
Check out more resources on IT security on GetApp Lab.
Full research available to Gartner clients: