2019 has seen a massive increase in security awareness across the globe, yet in more and more areas people don’t lock their doors and windows at night. How is that possible?
The largest area of criminal activity worldwide has now been officially identified as cybercrime. Cyber criminals don’t need to force entry through the dodgy window at the back of your house, or smash the lock on your front door. The cyber criminal uses a net, a phish, a virus and a crack to break in. This has been widely talked about, written about and marketed intensely for well over a thousand days now. That being said, hundreds of thousands of small and medium businesses have not taken the most important and most accessible step towards securing their business, and that is what we will consider briefly today.
In our previous Cybersecurity 101 blogs we have focused on the importance of security awareness, your initial business security assessment and Malicious Emails. It is now time to share some simple tips for your business around Staff Security Awareness Training.
SAT (Security Awareness Training) really grabbed my interest when I attended a dynamic SAT session run by Joy Belinda Beland and I saw how it clearly combined some of my key personal areas of interest: Education, Cybersecurity and Small Business Protection. Here at Your Cloud Works we started by sharing our SAT with our own customers and offering it as part of our onboarding for our new MSSP clients. More than that, it has become an integral part of our Security Culture here at Your Cloud Works, in our daily conversations with clients or prospects and in our office activities and daily workload. Even with our family and friends we are constantly sharing solid Security Awareness tips. You may be able to apply some of these tips to your business immediately and with very little cost.
Unlike some expensive security solutions that you may require for your business, you could actually prepare some SAT for your staff and set up a session at your offices with almost zero cost, other than the time required to prepare and deliver. Or you may want to have some SAT delivered by a managed security service provider at your offices. As with any educational content there are a number of format options: online video content, online webinars, printed reading material or even podcasts. We will focus on In-Person SAT in this article, to amplify some of the benefits of this training format.
The First Line of Cyber Protection for your Company is your Staff
You may have fantastic IT security software, daily data back-ups and antivirus protection, and feel quite comfortable with your data security. The reality is that if just one of your team members, yes, just one out of fourteen, innocently uses an infected USB drive, clicks on a malicious email link or shares a key company account password with their Facebook group by accident, you have a problem. There are now countless court cases to read about where a poor employee has given away thousands of “your” money to an internet phishing scam, and the company is at fault because that “poor” employee was never trained, never guided through Security Awareness Training. Who really is to blame there?
Create a Cybersecurity Culture Throughout your Company
Before we even sit down and plan content for SAT for your company, the first objective should be to establish the current level of security awareness and discover misconceptions about cybersecurity that already exist inside your business. Age-old phrases such as “IT will deal with that”, “We’re fine, these machines come with antivirus” or even “have you got a pen handy, I’ll give you my password so you can go in and check” are all tell-tale signs that the security belt really needs to be tightened and that the security culture at your company requires change. To borrow a great quote from that Joy Beland session I attended: “Security Awareness Training needs to be: Mandatory, Valuable and Regular”. These are 3 key requirements that will change that security culture across your whole team.
Mandatory: The example should be set from the top. As the owner of the business, you have to be seen to set the example and lead from the front. You don’t have to prepare and direct the training, but you should be present, involved and a loud advocate for that change in culture that the training is promoting. You cannot allow the “I don’t do technology!” players to avoid SAT; everyone needs to be on board and signed in.
Valuable: The timing, the content and the style of training will all add to the intrinsic value of your employees improving their cyber safety culture. Everyone hates boring, repetitive, soul-destroying Friday afternoon “chats” when all they can think about is leaving the office for the weekend. We always enjoy learning about something that we understand the value of, whereas we grow to despise education that appears to be a waste of our time. Make every effort to help your team to understand the value of their SAT, and enjoy its content.
Regular: We often start projects with a blast, with lots of enthusiasm and participation, which sadly trails off over time. Cybercrime is constantly evolving, and as new threats appear, brand new SAT content will also be required. Once you have eradicated one set of bad habits from your team you will find that new dangers appear, and more education is required. Shorter, more regular sessions have proved to be of great benefit to SMBs. Rather than a 6-hour day of Cybersecurity Training, your staff will appreciate regular weekly sessions broken down into digestible portions. LUPIP (Listen, Understand, Put Into Practice) allows everyone to consider that week’s SAT content as they use it during the week. Weekly content allows you to focus on weekly projects and communications around specific SAT content and feedback from your staff. We would be happy to discuss your SAT requirements if you feel that you require some guidance. Please do give us a call.
All of these points will allow a change of security culture to permeate each level of your business, to reach every frontline asset that you have.
Be Aware of Current Examples of Cyber Breaches in Your Area and Line of Business
Part of training your staff to value their SAT will be educating them around the cyber dangers that they should all be aware of. Do you have a digital company notice board? A monthly newsletter or simply an internal daily company update email? Find a channel that is available to every member of your team and regularly publish one important news article regarding a serious data breach, a company cyber attack in your line of business, or even an attempted attack on your company and how it was dealt with. This practice will keep Security Awareness at the forefront of your business, and help your team to understand that every business is under threat, in fact every individual needs protection from cybercrime.
Where will you find updates on cyber breaches? You can find thousands of examples online, or subscribe free to just one site for regular updates. They will generally send out a daily report on breaches of all shapes and sizes, and you can share your chosen example with your team in a simple “SAT Breach Update” format. One company that I spoke to simply assigns one team member per week to share one data breach example with the rest of the company, each week. The important point is to maintain that security awareness within your company. I know that if I read an email in the morning about an admin manager in Accrington who shared a malicious link with eight associates, and subsequently cost the company £82,000, I would be more aware of my actions that week.
In-Person Live Security Awareness Training
There are arguments that favour all sorts of learning methods and strategies, and they will all be correct in different circumstances. Here at Your Cloud Works, we have given training in a variety of locations, with different sized groups. We have run webinars, created training videos and written sets of training slides and PDFs. Our training has been CPD certified and we have had all kinds of positive feedback from different sectors. That is why, through our experience, we are happy to agree with Joy Beland again, when she says: “every member of staff will need some face-to-face SAT to measure their real understanding, and their progress towards a new secure culture. That visual feedback can only be seen at in-person training sessions.” It is an easy concept for those of us who have spent years in front of groups of students, educating groups on a daily basis. You can gauge levels of understanding through facial expressions, gestures, group participation and student satisfaction. These things are impossible to completely perceive if you are not in-person or face-to-face. Although we use and recommend a range of training techniques, we have seen that Security Awareness Training is more productive and effective in-person, whatever size the group is.
Cyber criminals will always sniff out the weakest link in any business: the one with a ridiculous password, the one who never logs out, the one who takes company data home to work on insecure devices. Every member of the company must be involved in the training, must be on the same page regarding security awareness, and must be aware of the consequences of a data breach for your company.
We haven’t considered specific training content in this post, as we discuss your requirements in detail when we talk about preparing Security Awareness Training for you. There are between 15 and 20 key elements to cover in general SAT, but every company will have specific areas of concern that may need more attention. Don’t wait for 2020 to come around to change the security culture at your business. Don’t think that your company is too small to be targeted. Don’t think you need a large budget to begin your Security Awareness Training Programme. Drop us a line today or call direct on 01908 410261. Ask for Tony or Neil to have a conversation around any of the points in this blog, or any questions around Business Security and Support for your company. Finally, a big thanks to Joy Beland for her support and guidance in this SAT journey.
Keep your eye out for the next episode of Cybersecurity 101 as we continue to make the overly complicated easier to understand. Next week it’s all about: Passwords.