The world has changed significantly over the last few years, and cybercriminals are here to take advantage of the changing business landscape. Cybercrime has increased by over 600% since the start of the COVID-19 pandemic, and there’s no sign of that trend slowing down.
Cyber security has never been a more pressing issue. That’s why you must do everything you can to secure your business against the barrage of threats that are facing modern businesses. From ransomware to data breaches, social engineering attacks to malware, you need to be prepared.
However, securing your systems against hackers and cybercriminals is only half the battle. According to the IBM Cyber Security Intelligence Index, 95% of cybersecurity breaches are caused by human error. Humans and human nature are among the biggest threats to your business’s digital security.
As a small business, you might understandably be concerned that you don’t have the budget to run security awareness training for your employees to the same degree that larger corporations do. While you might not have the resources to outsource your training, that doesn’t mean you can’t create a security awareness training program of your own.
In this blog post, we'll discuss everything you need to know about designing a cybersecurity training program for your small business.
What is Security Awareness Training?
Security awareness training is the process of training your employees in good cybersecurity practices. The core of any good training program should focus on three key areas:
- Common cybersecurity threats and attack vectors
- The roles employees play in cybersecurity, and the risks they can introduce
- How employees can improve their cybersecurity practices to reduce the risk of attack
The overall aim of security awareness training is to reduce the risk your employees introduce to your cybersecurity defenses. While you can’t reduce the risk to zero, this training will make your employees more aware of their responsibilities towards your business’s digital security.
Security Awareness Training: The Cost
One of your key areas of concern when considering security awareness training programs will likely be the cost of running them. The most popular option is online software that distributes the training and monitors results, which will typically charge per user, per year. You can also pay a cybersecurity expert to run in-person training, but the cost will vary depending on their expertise.
If you’re paying for an online training platform, you can expect to pay anywhere between $8 - $30 per user per year - so, for a business of up to 100 users, $800 - $3,000 a year. Most of these software platforms will charge a higher per-user rate to businesses with under 100 users, which is worth bearing in mind.
These costs will, as you might expect, increase if you work in industries with specific data protection and compliance requirements. HIPAA and HITECH training will usually come with additional costs.
Designing and conducting your own training can save some of these costs, but it’s worth considering how much time it will take you to build a security awareness program. Purchasing a software license can potentially save your business money compared with the cost of the time it takes to build and conduct your own custom training program.
With that being said, building a security awareness program isn’t complicated, provided you understand what needs to be included and why you need to run this training program.
The Three Pillars of Security Awareness Training
As we mentioned earlier, your cybersecurity awareness training needs to focus on three key areas to be successful. While the goal of your training program will be to get your employees to change their behavior, this needs to be presented in a way that highlights how a lack of behavior change is a security risk.
It might sound harsh, but a key thing to remember is that you need to assume that none of your employees care about your organization’s cybersecurity if keeping systems secure isn’t part of their job role.
So, your training program needs to make your employees care about cybersecurity. The most effective way to do this is to put into context how cybersecurity attacks will affect both your organization and its employees.
Cybersecurity Threats and Attack Vectors
The first section of your security awareness training program should focus on the cybersecurity threats facing your organization and your industry. It’s important to contextualize the threats to your business and, in particular, the team you’re training.
Not every team will be handling the same data each day, and different departments may work with different kinds of technology. Some departments may work with only a limited level of technology, like emails and phone calls.
For example, phishing attacks will likely concern every employee with access to an email account, or access to a company phone. While phishing is a common attack for introducing malware to a network and/or for stealing information, the threat will be higher or lower depending on what that employee can access.
Secondly, you’ll need to cover attack vectors, or how these cybersecurity threats can be introduced into your systems. The phishing example above shows that a single kind of attack vector can affect any of your employees. However, other attack vectors may only apply to some of your departments.
A good example of this is a physical attack vector, such as admitting visitors into your offices. Teams that work in your offices and don’t interact with visitors may not need the same level of training in this vector as, for example, a receptionist who has to sign visitors in and check their credentials.
This pillar of your security awareness training aims to contextualize how cybercriminals can target your business and employees, and how your employees can be affected by this.
Employee Roles and Responsibilities
In this section, you will need to talk to each team specifically about the software and hardware they use in their job, and what responsibilities they have as a result.
Taking a look at the phishing example again, you can make it clear that because an employee has access to a company email account, they are at risk of phishing attempts being directed towards them. It is therefore their responsibility to understand what phishing emails can look like and to avoid interacting with them.
The important thing here is that your employees understand the risks that come with them having access to company information, and how those risks can be exploited by cybercriminals.
Another example is access to confidential employee information. Only a handful of employees should have access to this information, but those who do are at additional risk of cybersecurity threats like session hijacking or spear phishing attempts. These employees should be educated on the additional risks they face because they can access that information.
Changing Behavior to Prevent Cybersecurity Attacks
The final stage will typically have advice that can apply to almost all of your employees, albeit in different contexts.
At this point, you will actively train your employees to both use preventative measures to protect your organization and how to recognize a potential threat.
If we use the same phishing example, employees who have access to emails or a company phone need to be taught how to recognize a phishing attempt, what to do if they receive a phishing attempt, and what they should do if they fall victim to one.
However, employees who store confidential information on their work devices, or have access to confidential information, will need additional training to keep that data secure. This could involve showing employees how to use two-factor authentication (2FA) to keep accounts safe, having a policy of locking their device when they leave their desk, or having a policy in place that states only authorized individuals can access or move that data around.
Tips for Building an Effective Security Awareness Training Program
Now that you’ve structured your security awareness training for your employees, you need to make sure that it’s engaging. Most importantly, you need to make sure that your employees follow this training throughout their career, and not just for a short period of time following the training session.
Here are some helpful tips to ensure that your employees stay engaged with your security awareness training.
Appoint Cybersecurity Champions
One factor already working in your favor is that, with fewer than 100 people working for your business, you have a closer-knit community of people than larger organizations do.
This means that positive peer pressure - that is, having employees that can reinforce your training during the working day - is likely to be more effective.
With that in mind, appointing cybersecurity champions within each team, department, or even office room can help to remind employees of their obligations. Your employees are likely to take advice from their peers more seriously than if someone in IT spoke to them about cybersecurity, and you can use this to your advantage.
A key thing to remember with this strategy is that your cybersecurity champions should be offered some additional benefits for taking on this role. If you can’t afford to give them a small pay rise or bonus, consider other perks like merchandise or free cafeteria meals. This will help to keep them motivated and engaged with security awareness.
Phish-test Your Employees
There are two components to successfully phish-testing your employees. The first is, as you’d expect, crafting a convincing phishing simulation email and sending it to a handful of your employees.
The second is that you need to train your employees as soon as they click on the link or document within a phishing test. This training needs to be kept as short as possible and should educate employees on how they should have recognized that the email was designed to phish for their details.
Some security awareness training services will offer this tool. We do! However, if you’re running your own security awareness training, you can still conduct this “point of infraction” training.
You can use a custom domain name, ideally one that’s not attached to your business, for use as links in your emails. You’ll have to change this domain name frequently or use software to scramble the URL hyperlink to stop employees from guessing they’re being tested. You can then use that webpage to educate employees.
Similarly, you can use documents containing the same educational material. However, this is typically easier with a specialized phishing testing tool.
Ideally, you should track which employees click on the link or document so you can offer them remedial training, and so you can track how your security awareness training is performing in a real-world environment.
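The tracking step described above, as an added example that is not the post's or any vendor's own tooling: a small Python script that gives each employee a unique, unguessable link for a campaign (an HMAC of the campaign name and address, so the token does not reveal who it belongs to and a colleague cannot guess it), reads the access log of the training page, and reports who clicked and the click rate per team so you can schedule remedial training and measure the program over time. The roster, the campaign name, the base URL and the log format are constructed assumptions; the lure email itself is out of scope here.

```python
import hmac
import hashlib
import re
from collections import Counter

# Constructed campaign secret. In real use, generate a random value per campaign
# and keep it out of the roster and the email template.
CAMPAIGN_SECRET = b"constructed-example-secret"

# Constructed roster for a small business (example addresses, not real people).
ROSTER = [
    {"email": "alice@example.com", "team": "finance"},
    {"email": "bob@example.com", "team": "finance"},
    {"email": "carol@example.com", "team": "reception"},
    {"email": "dana@example.com", "team": "engineering"},
]

CAMPAIGN_ID = "2024-q2-invoice-lure"  # constructed campaign name


def tracking_token(email, campaign_id, secret=CAMPAIGN_SECRET):
    """Per-recipient token derived with HMAC-SHA256: it cannot be guessed from
    the address, and the same address gets a different token per campaign."""
    msg = f"{campaign_id}:{email.strip().lower()}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:20]


def build_links(roster, campaign_id, base_url):
    """Map each recipient to the unique training-page link for this campaign."""
    return {r["email"]: f"{base_url}/t/{tracking_token(r['email'], campaign_id)}"
            for r in roster}


# Assumed access-log line shape: <ip> <timestamp> "GET /t/<token>[?query] HTTP/1.x" <status>
LOG_LINE = re.compile(r'^\S+ \S+ "GET /t/([0-9a-f]+)(?:\?\S*)? HTTP/1\.[01]" \d{3}')


def parse_clicks(log_text):
    """Return the set of tokens that requested the training page.
    Requests for other paths or in another format are ignored; repeats collapse."""
    seen = set()
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            seen.add(m.group(1))
    return seen


def campaign_report(roster, campaign_id, clicked_tokens):
    """Resolve tokens back to recipients and summarise the campaign."""
    by_token = {tracking_token(r["email"], campaign_id): r for r in roster}
    clicked = [by_token[t] for t in clicked_tokens if t in by_token]
    team_size = Counter(r["team"] for r in roster)
    team_clicks = Counter(r["team"] for r in clicked)
    return {
        "sent": len(roster),
        "clicked": sorted(r["email"] for r in clicked),
        "click_rate": len(clicked) / len(roster) if roster else 0.0,
        "by_team": {t: team_clicks[t] / n for t, n in team_size.items()},
        # Tokens that are not ours: a mistyped link or someone probing the page.
        "unknown_tokens": sorted(t for t in clicked_tokens if t not in by_token),
    }


def constructed_log():
    """Constructed access log: bob opened the page twice, dana once (with a query
    string), one request used a token we never issued, one hit an unrelated path."""
    bob = tracking_token("bob@example.com", CAMPAIGN_ID)
    dana = tracking_token("dana@example.com", CAMPAIGN_ID)
    return "\n".join([
        f'10.0.0.12 2024-05-01T09:12:03Z "GET /t/{bob} HTTP/1.1" 200',
        f'10.0.0.12 2024-05-01T09:12:40Z "GET /t/{bob} HTTP/1.1" 200',
        f'10.0.0.31 2024-05-01T09:15:22Z "GET /t/{dana}?src=email HTTP/1.1" 200',
        '10.0.0.77 2024-05-01T11:02:09Z "GET /t/deadbeefdeadbeef HTTP/1.1" 200',
        '10.0.0.31 2024-05-01T09:15:23Z "GET /favicon.ico HTTP/1.1" 404',
    ])


if __name__ == "__main__":
    links = build_links(ROSTER, CAMPAIGN_ID, "https://training.example.net")
    for email, url in links.items():
        print(email, "->", url)
    print(campaign_report(ROSTER, CAMPAIGN_ID, parse_clicks(constructed_log())))
```

Keeping the secret and the roster in one place also means that rotating the campaign name or the secret gives every employee a fresh link, which is the cheap way to stop people learning to recognise the test domain, as the section above recommends.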
Practice What You Preach
Employees are more likely to take your security awareness training seriously when they can see that the top executives and owners of your business are following the same training and procedures, too.
If these people aren’t seen as taking cybersecurity training seriously, then your employees will see no reason to take it seriously, either.
So, it’s important to train executive-level employees to the same degree as everyone else, conduct phish-tests against them, and simply hold them to the same standards as other employees.
In addition, executives often face the biggest cybersecurity risk and are a greater target for hackers and cybercriminals. Not only that, but they are often more likely to be impersonated in phishing communications and other hacking attempts. So, training your executives is just as important as training the rest of your employees.
Tell a Story
Narrative storytelling is one of the best ways to engage your employees. In your training, you should use examples and talk employees through previous cybersecurity incidents that your company has faced.
You can also research high-profile cybersecurity breaches and talk your employees through how they happened, why they happened, and what the outcome was for the company.
This helps employees grasp how cybersecurity can affect them and the company as a whole, giving them more incentive to engage with the training. Not only that, but a well-told narrative is more likely to provoke an emotional response, so the message is more likely to be remembered.
Make it Positive
A significant issue with security awareness is that many employees can feel like falling victim to a threat is a punishable offense. So, they may not be fully honest if they click on a phishing link or document, or have a suspicion they have downloaded malware. This can present a big risk to your company’s security.
During your training, you should talk about what points of contact employees should use if they have any suspicions. You should also emphasize that their honesty won’t be punished and that making the company aware of a potential breach is better than hiding it in fear of retribution.
Security Awareness Training for Small Businesses: In Summary
With human error being a significant cybersecurity risk in the modern business world, security awareness training has never been more vital. Cybercrime is no longer an “if”, but a “when”, so teaching employees how to stay safe before a breach has happened can make the difference between a crippling attack and fending off an opportunistic hacker or cybercriminal.
Having a small budget or limited resources isn’t a barrier to running effective, engaging, and empowering security awareness training for your employees. With so many free resources on the Internet and this guide, you’ve got all the support you need to build a training program that strengthens your company’s cybersecurity.