Cyber attacks are complex, but they can often be traced to one simple flaw: human error. It's easy to see how this could happen at a large company, where training and oversight are distributed across a vast network of managers. But close-knit small businesses aren't immune, either.
Human error is a leading cause of cyber security incidents—and an ounce of prevention is worth a pound of cure. With security teams shrinking and the remote workforce expanding the digital landscape, it's time for small businesses to put employee cyber security training on the front burner.
Small businesses, big security needs
Social engineering is a common cyber attack vector, yet only 27% of companies provide social engineering awareness training for their employees, as a September 2019 GetApp survey found. Twenty-eight percent of cyber security incidents in 2019 affected small businesses, according to the 2020 Verizon Data Breach Investigations Report, and their most common causes were phishing, stolen credentials and password dumps. Those are all significant threats, but small businesses can easily train their employees to defend against them.
Still, too many small businesses don't do enough security training—and some don't do any at all. Why? One reason could be the false belief that small businesses aren't big enough fish for cyber attackers to worry about. Small businesses might also make the mistake of thinking that employee cyber security training is a luxury they cannot afford. It isn't. In fact, quite the opposite: because the financial burden inflicted by a cyber attack can be so severe, many small businesses can't afford not to train their employees.
Deploying best practices
The frequency of cyber attacks isn't abating, and remote work security threats are a critical consideration for businesses. For most small businesses, the best approach to defending against cyber attackers is to embrace the best practices for small business security training.
- Assess your needs. A simple security exam can let you know where your employees are secure and where they might need more support.
- Develop a list of training objectives. Then, test against these objectives to measure success and failure—and to craft future training sessions.
- Train on specific security risks and scenarios. Gamify simulated cyber attacks by breaking into competitive teams. Remember to train knowledge and skills—employees should know exactly how to choose a strong password and know not to install unauthorized software.
- Emphasize new-hire training. But don't neglect to train existing employees on incident reporting procedures so that every potential breach and security issue can be examined and resolved.
- Train on the cyber security employee awareness policy. Training on a policy means you need to have one—and many small businesses don't. A cyber security employee awareness policy is a living document; update it frequently, and refresh the training every time you do.
- Know the cyber security hotspots. Emphasize the use of social media posts as vectors for social engineering attacks, the importance of mobile device security and the manifold ways that remote employees can be attacked or compromised in their home offices.