Let’s say one of your employees receives an email that looks like it’s from one of your clients filled with links out to “urgent” documents. Are you confident they won’t click one?
If your accounting team receives an email asking them to wire a payment to a different account, how certain are you that they would know better?
What about when one of your employees is at home, checking their work email on their mobile device and suddenly gets an email with a chance to win an iPad in exchange for taking a simple 5-minute survey. Are you confident they’d ignore it?
In small businesses today, one area that is often overlooked is cybersecurity training for employees. Your team may be unprepared for the growing cyber threats that target both small and large businesses alike.
When employees do not have basic cybersecurity training the companies they work for are left at risk. Just as new hires are given comprehensive job training and current employees are given comprehensive training on new policies, all staff should have thorough ongoing security awareness training.
In this article, we examine why cybersecurity training for employees is essential for all small businesses. Our hope is that these insights and ideas will help equip your team with the skills and awareness to thwart cyber threats and help protect your company from attacks.
The Top Cyber Threats Facing Small Businesses
Hardware failures, malware, and weak firewalls are just some of the IT security threats facing small businesses, which are increasingly in the crosshairs of cybercriminals.
Because small businesses usually have fewer resources to invest in cybersecurity and IT support than their larger counterparts, they’re considered low-hanging fruit and make easy targets.
In this section, we’ll look at the top IT security threats that small businesses, like yours, should be aware of. To learn more about each individual threat, read our article on The Top 10 Threats to Prepare For.
- Hardware & Software Failure
- Cyber Attacks (viruses, worms, trojans)
- Ransomware Attacks
- Bring Your Own Device (BYOD)
- Password Login Reuse
- Weak Firewall
- Internet of Things (IoT) Leaks
- Employee Ignorance (Lack of Training)
Many of these cyber threats can be avoided by implementing employee awareness training to make sure that your employees aren't unknowingly putting your company in the crosshairs.
Phishing is one of the most dangerous issues, if not the most dangerous, facing small businesses today. Since 2015, PICS ITech has seen the volume, sophistication, and impact of phishing scams steadily increase.
While conducting mock phishing attacks for our clients we’ve seen just how many employees, and business leaders, click on email links carelessly.
One common phishing attack is an email that encourages your employees to click on a banner to win a free iPad. Another might encourage employees to log into a bank account or other company account to verify something or address an issue.
These emails are aggressive attempts to get the information that cyber-criminals need to hack your company, but they seem so non-threatening that many employees won’t even realize what information they just gave away.
Password Login Reuse
Another issue is password login reuse. Studies have shown that the majority of the population uses the same password, or slight variations of it, because it's easier to remember. Your employees are no different.
Cybercriminals are very keenly aware of this and are eagerly looking for patterns to enable their attacks.
Employees are the largest threat to your small business.
One of the most important steps your small business can take to avoid falling victim to ransomware or phishing is employee education. Teach everyone to think twice before opening an attachment or clicking a URL, even if it appears to be from someone they trust.
In addition to this, conduct security training at the time of hire, as well as regular company-wide training.
Finally, we strongly recommend you require regular password changes on all systems and enable two-factor authentication for additional security on every account.
Other Factors That Lead to an Increase in Cyber Threats
The employees at your small business receive and send a lot more email than ever before. This means there are more opportunities for them to click a link and a higher probability of falling for a phishing scam.
Hackers phish you or otherwise gather information. The smart ones might go to your LinkedIn profile, see who you're connected to, see who else works in your company, and then reach out to them via their work email with fraudulent requests that seem to come from an actual client or another employee.
Current State of Small Business Cybersecurity Training for Employees
While we already mentioned this to you, it’s worth repeating: When it comes to your small business cybersecurity, your employees are the weak link. Employee awareness training is no longer optional.
Oftentimes businesses use firewalls combined with anti-virus/anti-malware software and believe that it's enough to protect them. However, in reality, nearly 90% of successful data breaches start with what's called a “spear phishing attack”, which is essentially when a hacker gets an employee to click a link in an email.
On top of this, there's also “CEO fraud” to contend with. In this scenario, an employee receives a very legitimate-looking email with specific instructions that they assume originated from a controller or executive in their own company. In reality, they're being emailed by a hacker with a spoofed address and an offshore bank account. If the employee trusts the email and sends the funds, you could be out thousands of dollars.
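The CEO-fraud scenario above turns on a spoofed sender: the display name looks like a colleague, but the address behind it is external or on a lookalike domain. The following is an added example of a mailbox-side check for exactly that pattern; it is not PICS ITech's tooling or any product's code. The company domain, the internal directory, and the sample From headers are all constructed for illustration, and the lookalike-domain heuristic (a similarity threshold plus a substring check) is an assumption chosen for this example.

```python
"""Flag inbound From headers that impersonate internal staff.

Two checks drawn from the CEO-fraud pattern:
  1. display name matches an internal employee, but the address is not
     that employee's mailbox (external domain or wrong internal mailbox);
  2. the sender domain is a near-duplicate of the company domain.
All names, domains and thresholds are constructed for this example.
"""
from email.utils import parseaddr
import difflib

COMPANY_DOMAIN = "example-smb.com"  # hypothetical tenant domain

# Hypothetical internal directory: normalised display name -> real mailbox.
INTERNAL_DIRECTORY = {
    "jane doe": "jane.doe@example-smb.com",
    "sam controller": "sam.controller@example-smb.com",
}


def normalise(name: str) -> str:
    """Lower-case, drop dots and collapse whitespace so 'J. Doe ' == 'j doe'."""
    return " ".join(name.lower().replace(".", " ").split())


def lookalike_domain(domain: str, reference: str = COMPANY_DOMAIN) -> bool:
    """True when domain resembles, but is not equal to, the reference domain.

    Heuristic (assumed for this example): a SequenceMatcher ratio of 0.85 or
    higher, or the reference's registrable label appearing inside the domain.
    """
    if not domain or domain == reference:
        return False
    ratio = difflib.SequenceMatcher(None, domain, reference).ratio()
    return ratio >= 0.85 or reference.split(".")[0] in domain


def assess_from_header(from_header: str) -> list[str]:
    """Return a list of human-readable reasons the header looks spoofed.

    An empty list means neither check fired.
    """
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    key = normalise(name)
    reasons: list[str] = []

    if key in INTERNAL_DIRECTORY:
        expected = INTERNAL_DIRECTORY[key]
        if domain != COMPANY_DOMAIN:
            reasons.append(
                f"display name '{name}' matches internal staff but the "
                f"sender address is external ({addr})"
            )
        elif addr != expected:
            reasons.append(
                f"display name '{name}' matches internal staff but the "
                f"mailbox ({addr}) is not theirs ({expected})"
            )

    if lookalike_domain(domain):
        reasons.append(f"sender domain '{domain}' resembles {COMPANY_DOMAIN}")

    return reasons


if __name__ == "__main__":
    # Constructed sample headers: one legitimate, one external impersonation,
    # one lookalike domain, one unrelated vendor.
    samples = [
        "Jane Doe <jane.doe@example-smb.com>",
        "Jane Doe <ceo.janedoe@gmail.com>",
        "Jane Doe <jane.doe@examp1e-smb.com>",
        "Vendor Support <support@vendor-example.net>",
    ]
    for header in samples:
        verdict = assess_from_header(header)
        print(header, "->", verdict or "ok")
```

In practice this kind of check lives in the mail gateway or an add-in rule and feeds a warning banner or the reporting workflow rather than silently dropping mail; the point is that a display name alone proves nothing, and the address and domain behind it are what the check has to inspect.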
Lack of Quality Tools and Training in the Past
One reason small businesses have not prioritized this type of training in the past was due to a lack of awareness—they simply did not realize how serious the threat is. The other is that effective toolsets to conduct the training didn’t exist.
In addition, your workforce is always changing. It’s not enough to have one session at the beginning of the year and think that it will protect your employee base. People are coming and going all the time, with new threats cropping up on a regular basis, which necessitates an ongoing, managed program to keep your company safe.
Recommended Cybersecurity Training Methods and Tools—Best Practices
The first step to create a cybersecurity training program at your small business is to establish your company’s baseline result. You can’t manage what you can't measure, so you have to know where you're starting from.
Second, find out who's clicking what, when—or what percentage of your employees are “clickers.”
You should then begin training them. In fact, your goal should be to train everyone: anyone who has an email account or answers a phone. (Cybercrime takes place over the phone as well as via a computer.)
You will then want to test regularly and consistently over time to maximize results.
In summary, we recommend the following:
- Establish a baseline
- Train everyone on the team
- Use on-demand, engaging, interactive training
- Test the results of the training
- Repeat regularly
Testing employees through mock phishing training has been proven to provide real results and increase cybersecurity protections at small businesses like yours.
How to Train Employees on Phishing
You can test your employees on your own; however, it’s not something most companies have the time, expertise, and budget for.
At PICS ITech, we use a sophisticated toolset, because the bad guys are always changing the rules. We continuously adjust our tactics and make sure we're testing with upgraded techniques and different campaigns including very specific, custom campaigns as needed.
The goal is to get employees to be more aware, help them learn about cyber threats, and to develop an understanding of what they need to be doing to keep the organization safe, all of which has a very positive impact for our clients.
Training Procedure: Step-By-Step
Here is a detailed breakdown of our employee cybersecurity training approach to demonstrate how we can help you protect your small business.
The first thing we do is make sure we have everyone involved, including owners and managers.
Then, we put together a baseline test where employees have no idea that we're the ones phishing them. We use custom offers and special landing pages, which we tailor to each client’s employee base.
We tend to have phishing campaigns centered around current events, literally right down to the day and the minute. We do this to entice people to click. Then we gauge the effectiveness of our attack and how well it worked.
We call the employees who fail the test “clickers” for obvious reasons.
Then, after the baseline test is done, we start to communicate with your team. We enroll them in training and can even install a phishing alert button in their Outlook so that they can report attacks and add that email into our system.
We follow the baseline test by repeatedly testing clickers on a bi-weekly basis and each time we ramp up the attacks and make it a little more difficult to know that they're being tested. We have over 2,500 phishing templates, and that number increases every day, ranging in difficulty from one to five.
As we increase the testing difficulty the company becomes more and more aware, so we start moving to more sophisticated templates. Maybe we'll interject a name of a vendor or a partner that they work with, know, like, and trust.
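The procedure above is a loop: baseline test, identify clickers, train, retest at a higher difficulty, repeat. The following is an added example of the bookkeeping behind that loop, written for this article and not PICS ITech's platform or any vendor's code. The campaign export format, the employee names, and the escalation rule (move an employee up one difficulty level after they pass a test, hold them at the same level after they click, never above level 5) are all assumptions constructed for the example; a real program would take its rows from the phishing platform's own export.

```python
"""Track mock-phishing campaign results across the train/test/repeat loop.

Computes the phish-prone percentage and report rate per campaign, lists
the 'clickers' for a campaign, finds repeat clickers across campaigns, and
picks each employee's next template difficulty (1-5).
All data and the escalation policy are constructed for this example.
"""
import csv
import io
from collections import defaultdict

# Constructed results export, one row per employee per campaign, in
# chronological order. clicked/reported are 1 or 0.
SAMPLE_RESULTS = """\
campaign,user,difficulty,clicked,reported
baseline,alice,1,1,0
baseline,bob,1,0,1
baseline,carol,1,1,0
baseline,dave,1,0,0
week2,alice,2,1,0
week2,carol,2,0,1
week4,alice,2,0,1
week4,carol,3,0,1
"""

MAX_DIFFICULTY = 5


def load_results(text: str) -> list[dict]:
    """Parse the CSV export into a list of row dicts (chronological order kept)."""
    return list(csv.DictReader(io.StringIO(text)))


def _campaign_rows(rows: list[dict], campaign: str) -> list[dict]:
    return [r for r in rows if r["campaign"] == campaign]


def phish_prone_percentage(rows: list[dict], campaign: str) -> float:
    """Share of tested employees who clicked in the given campaign, in percent."""
    subset = _campaign_rows(rows, campaign)
    if not subset:
        return 0.0
    clicked = sum(int(r["clicked"]) for r in subset)
    return round(100.0 * clicked / len(subset), 1)


def report_rate(rows: list[dict], campaign: str) -> float:
    """Share of tested employees who used the report button, in percent."""
    subset = _campaign_rows(rows, campaign)
    if not subset:
        return 0.0
    reported = sum(int(r["reported"]) for r in subset)
    return round(100.0 * reported / len(subset), 1)


def clickers(rows: list[dict], campaign: str) -> list[str]:
    """Employees who clicked in the given campaign, sorted by name."""
    return sorted(r["user"] for r in _campaign_rows(rows, campaign) if r["clicked"] == "1")


def repeat_clickers(rows: list[dict], min_clicks: int = 2) -> list[str]:
    """Employees who clicked in at least min_clicks campaigns overall."""
    counts: dict[str, int] = defaultdict(int)
    for r in rows:
        if r["clicked"] == "1":
            counts[r["user"]] += 1
    return sorted(u for u, c in counts.items() if c >= min_clicks)


def next_difficulty(rows: list[dict], user: str) -> int:
    """Assumed escalation rule: +1 level after a pass, hold after a click.

    Untested employees start at level 1; levels are capped at MAX_DIFFICULTY.
    """
    history = [r for r in rows if r["user"] == user]
    if not history:
        return 1
    last = history[-1]  # rows are assumed chronological
    level = int(last["difficulty"])
    if last["clicked"] == "1":
        return level
    return min(level + 1, MAX_DIFFICULTY)


if __name__ == "__main__":
    rows = load_results(SAMPLE_RESULTS)
    for campaign in ("baseline", "week2", "week4"):
        print(campaign, "phish-prone %:", phish_prone_percentage(rows, campaign),
              "report %:", report_rate(rows, campaign),
              "clickers:", clickers(rows, campaign))
    print("repeat clickers:", repeat_clickers(rows))
    for user in ("alice", "bob", "carol", "dave"):
        print(user, "next difficulty:", next_difficulty(rows, user))
```

The two numbers worth watching over time are the phish-prone percentage (which should fall) and the report rate (which should rise as the alert button becomes habit); the repeat-clicker list is who gets the extra attention on the next bi-weekly round.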
Outcomes of Cybersecurity Training for Employees
You learn a lot about your employees’ risky behavior through a mock phishing attack, but to really see the benefit you have to understand how dangerous real attacks can be.
A real phishing attack can result in substantial financial losses. At PICS ITech, we have seen customers, prospects, and companies wire half a million dollars to threat actors. Then, if they don't have the appropriate insurance, they don't get that money back. This could put you out of business very quickly—in one click of an email.
The bigger issue, which is a little harder to manage and gauge, is what happens to your reputation in the industry. Let's say, for example, that an employee has unknowingly given out a password. It’s not just your company that is at risk; your customers could be compromised too.
Modern businesses interact with customers in a lot of ways, and a hacker can gain access into their systems via EDI or some other method you're using to communicate with clients. Third-party data breaches are very common and can have a serious effect on your bottom line.
The real advantage of implementing cybersecurity user awareness training in your company is to protect your assets and what you've built by making sure that an employee with good intentions doesn't put you out of business.