Cyberattacks on SMBs continue to rise and they are more targeted and more complex than ever. Consider the following:
- 66 percent of SMBs experienced an attack in the past 12 months
- 69 percent experienced an attack that got past their intrusion detection system
- 45 percent of SMBs said that their organization’s security posture was ineffective at mitigating attacks
- 57 percent of the attacks were from phishing/social engineering
Source: 2019 Global State of Cybersecurity in Small and Medium-Sized Businesses, Ponemon Institute
Why adopting better security practices matters
A high proportion of successful cybersecurity attacks (we believe it’s over 80 percent) are due to employee carelessness. Most come in through phishing emails in which a user opens an attachment or clicks on a link without thinking twice about vetting the sender. Email filtering works to some extent, but the bad guys have learned how to get around protections that organizations have put in place. For instance, some phishing emails even have the capability of waiting until human interaction is detected (a mouse click or typing) before downloading their nastiness.
Companies understand that employees are a major component of their organization’s information security challenges. In IDG’s 2019 Security Priorities Study, 44 percent of respondents said they wanted to increase security awareness and staff training, making it the second highest priority for the year.
But here’s the ugly truth: Training won’t work.
Part of the problem is the negative connotation of the term “training”. While employees need to understand the importance of adopting security best practices, “training” conjures up images of sitting in a stuffy conference room all day listening to boring lectures. And, like training at a gym, it’s hard to maintain good practices unless they are woven into your lifestyle.
Adopting best practices: make it personal
Instead of training, change the culture of your company to incentivize your employees to adopt good security habits, whether in the office or working remotely. The best way to do this is to make it personal for your workers. Good physical security habits, like locking the door and installing cameras, keep people safe from physical burglaries and assaults. Adopting good cybersecurity habits will likewise help keep their personal data safe, protecting them while also protecting the integrity of your organization’s cybersecurity.
It’s one thing to say that a major data breach could lead to a loss of customers and revenue for the company. But, aside from the business risk, how might that affect employees directly? Maybe that loss will lead to corporate downsizing or a lack of annual salary increases.
You can also use examples of a personal data breach to bring home the point. How much distress would an employee experience – in terms of mental anguish and even possible financial damage and identity theft – if a hacker got into the corporate network and stole their Social Security number from the human resources department?
Make sure employees understand that this concept isn’t a stretch, as most attacks do have the potential to impact employees personally. In doubt? Consider the following types of data, which are often targets of cybersecurity hacks:
- Confidential business information, which includes financial data, customer data and also employee data
- Privileged account information (credentials, personal passwords)
- Sensitive personal information, including personally identifiable information (PII) and even protected health information (PHI)
Rather than talking about how a hacker could steal your company’s intellectual property or cripple your business through ransomware, talk about how your employee would react when finding out that their digital family photos were being held for ransom.
Building good cybersecurity practices into your culture is a matter of helping employees see these habits not as a burden but as personal protection for them as well as for the business. The process should start when you onboard new employees and then make sure it is constantly reinforced:
- Build good security hygiene into your processes
- Require the adoption of multi-factor authentication
- Remind employees to use passphrases rather than passwords, not to reuse the same ones, and to secure them in a password manager
At least once a year, have a security awareness refresher. But don’t call it training. Another of that term’s bad connotations is that it is the same, boring class that employees are obligated to attend each year, just so IT can check that box.
Instead, update the course with new information and tips for improving cybersecurity. Whether it’s in person or you host it remotely, make sure to liven it up. Identify the latest twists in phishing and social engineering to watch out for. Use some recent examples of how an SMB experienced a crippling attack (and how that impacted its employees). Maybe even bring in a local victim of identity theft.
The truth is, most of us won’t go too far out of our way to protect a company, unless we own it. That’s why it’s so important for employees to understand the potential personal consequences of not adopting good security practices.
Learn more about our security capabilities and how we can help improve your organization’s security posture and protect your business from cybersecurity attacks.