When thinking about cyber security, it is easy to get caught up in technical measures, such as anti-virus software and website security. These elements, although critically important, are only part of the safeguards that organizations must implement to ensure a resilient and effective cybersecurity program. Many of the most common attack vectors target the so-called “human firewall,” meaning the employees, contractors, and other personnel within an organization. Seemingly innocuous emails, overly simple passwords, and the proliferation of bring-your-own-device (B.Y.O.D.) environments can all serve as vulnerabilities to a company’s data security and, for small- and medium-sized businesses (SMBs), basic vitality. At the same time, the nature of SMBs sometimes requires constant email communication with clients and the ability to connect to company software outside of the office.
These circumstances necessitate sophisticated knowledge of potential cyber threats and how to guard against them while maintaining agile business operations. However, for many SMBs, this knowledge is severely lacking, due in large part to how little training employees at these companies receive on cybersecurity-related topics. A recent survey by ESET North America and Google Survey found that there are notable knowledge gaps in emerging topics such as email threats, protection of mobile devices, and ransomware. The same survey showed that the smaller the company, the less likely it was for employees to receive any sort of cybersecurity training. However, given the cost and increasing frequency of cyber-attacks against SMBs, these organizations are especially in need of closing cybersecurity knowledge gaps.
Cybersecurity training can be a useful and cost-effective tool to strengthen a company’s protections against digital threats. Common topics may include Wi-Fi and mobile security, phishing, and password security. However, according to Bob McCarter, Chief Technology and Innovation Officer at NAVEX Global, “The nature of the ‘cyber threat’ is always changing, and cybersecurity training topics must be equally dynamic. Most people now understand basic data security threats like overly simple passwords, but topics like pharming, social engineering, and watering hole attacks – people have never heard of those, and that is where hackers will find their way in.”
There are many free resources available that offer basic cybersecurity training videos, such as a set of training courses offered by the U.S. Department of Homeland Security, a training course through the U.S. Small Business Development Association, and the Michigan Small Business Development Center’s “Small Business Big Threat” training webinar. There is also a plethora of companies that offer in-depth cybersecurity training services for those SMBs that have the budget. Costs for training generally depend on the number of users, languages, types of training, and number of courses.
However organizations choose to approach cybersecurity training, security experts agree that it should be done early and often. Christopher Hadnagy, from the security firm Social-Engineer, advocates monthly cybersecurity training, which “provides consistency and repetition.”
Strengthening your “human firewall” through frequent training can be one of the most efficient elements of a strong cybersecurity program. Moreover, with a variety of resources available, effective training is achievable for SMBs, and can help contribute to a safer business environment.