
Employee cybersecurity training tips for SMEs

Cybersecurity isn’t always a top priority for small businesses, who are often busy focusing on the task at hand – landing sales and keeping customers happy.

Unfortunately though, if you’re an SME, then splashing out on the latest antivirus software and sitting back and crossing your fingers is unlikely to offer much protection against the growing threat of cybercrime.

The result of a successful attack could be devastating – both financially and for the company’s reputation – and sadly there is no magic bullet or quick fix. It’s about introducing layers of security that together help reduce the risk and minimise the potential damage an attack might cause. And that includes reducing the risk of human error.


Stopping employees being a ‘way in’

Phishing emails remain one of the most successful forms of attack, and all it takes is one click by an unsuspecting employee. Impersonating customers and using social engineering techniques to coax employees into sharing important information are also common strategies used by scammers.

That is why promoting employee cyber awareness and education is so vital, whether you’re a small business or a large multinational.

In our recent blog, How to prevent human error from causing a cyberattack at your business, we looked at the steps small businesses can take to lower their risk of a successful attack. Here, we’re going to focus specifically on employee cybersecurity training and what you need to think about.


What is employee cybersecurity training?

Employee cybersecurity training is exactly what the name suggests – training given to employees that helps educate them on cybersecurity risks, challenges and procedures.

There are numerous forms it can take and ways it may be delivered, including online courses and enlisting the support of an external training specialist.

Helping employees understand the importance of cyber awareness is a vital first step. According to the National Cyber Security Centre (NCSC): “Some organisations struggle to explain why cyber security is something that all staff should care about. Even larger organisations (with dedicated training resources) find it difficult to explain the technical aspects of cyber security in ways that are relevant to their staff, so that they can help keep their organisations (and themselves) safe from cyber attack.”

It is for this reason that the NCSC has pulled together an e-learning training package called ‘Staying Safe Online: Top Tips for Staff’. It is completely free, easy to use, takes less than 30 minutes to complete and is a great place to start if you’re new to implementing training of this nature.

What to think about when it comes to employee cybersecurity training


  1. Make it a priority – The importance of cybersecurity and your employee training programme needs to be driven from the top down. It needs the buy-in of your top team, managers and the board (if you have one). Treat it like any other core function – ensure you have a strong policy in place that includes employees’ use of social media (the perfect place for social engineering scams to target them).


  2. Run training regularly – Cybersecurity training needs to be an ongoing task. It should be part of your onboarding process for new employees, but then be run and reaffirmed with all employees regularly. This is particularly important as cyberattacks and the scams used by cybercriminals are constantly changing, and your training needs to keep up!


  3. Be engaging – The key thing with any training programme or cyber awareness campaign you run is to make it interesting and engaging. You don’t want it to become a chore. If employees find it easy to understand and useful, there is a far greater chance the information will sink in. Always avoid jargon and death by PowerPoint!


  4. Consider different working patterns – Where and how different employees work may affect how you need to deliver your cybersecurity training. For example, if you have salespeople who are on the road most of the time, or staff who work remotely or part time, then holding training solely in the office is not going to work for everyone.


  5. Get the basics right – Help employees develop positive cyber habits that will benefit them in their professional lives and also their personal lives. For example, address the importance of using strong passwords and help employees learn how to generate them (the NCSC recommends combining three random words). Signpost useful tools, such as password managers, and explain how they work. And help them learn how to spot suspicious emails and calls.


  6. Conduct fire drills – One of the best ways to check whether your training has been understood and is being put into practice is to do a spot check, usually called a phishing simulation or ‘live fire’ test. For example, send out a fake phishing email you have created and monitor who clicks on it, then work with those individuals to do more training. Also track who reports the email, because reporting is the behaviour you actually want to encourage, and treat the results as a measure of how well the training is working rather than as grounds for blaming individuals. Do this regularly.


  7. Keep talking – The key piece of advice we can offer is to ensure you are communicating with your employees about all these issues and their importance. Hold regular briefings to help employees recognise different types of attacks and remind them about best practice and any internal processes and policies you have put in place.
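To show what the ‘fire drill’ in point 6 looks like in practice, here is an added example (our illustration, not part of the NCSC material or any product) that scores a simulated phishing campaign. It assumes each recipient gets a unique tracking token in the link, that the fake landing page writes Apache-style access logs, and that reports to a phishing mailbox are collected separately. The roster, secret, log lines and scanner user-agent markers are all constructed for the example.

```python
"""Score a simulated-phishing drill from landing-page access logs.

Added example, not code from the original article. Assumes a per-recipient
token in the link, Apache combined-format logs from the landing page, and a
separate list of who forwarded the email to the report-phishing mailbox.
All data below is constructed for illustration.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Constructed per-campaign secret; rotate it for every drill.
CAMPAIGN_SECRET = b"drill-2024-q2-secret"
CAMPAIGN_ID = "2024-q2-invoice"

# Constructed roster of staff who received the drill email.
ROSTER = ["alice@example.com", "bob@example.com", "carol@example.com", "dave@example.com"]

# Constructed: staff who forwarded the email to the report-phishing mailbox.
REPORTED = {"carol@example.com", "dave@example.com"}

# Mail-gateway link scanners fetch URLs before any human sees the message;
# hits from them must not be scored as clicks (constructed marker strings).
SCANNER_UA_MARKERS = ("LinkScanner", "SafeLinks")


def make_token(email, campaign_id=CAMPAIGN_ID, secret=CAMPAIGN_SECRET):
    """HMAC-derived token: unguessable, not enumerable, and keeps the address out of the URL."""
    mac = hmac.new(secret, f"{campaign_id}:{email.lower()}".encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


# Constructed Apache combined-format log lines from the landing page.
LOG_LINES = [
    f'10.0.0.5 - - [10/May/2024:09:01:12 +0000] "GET /invoice?t={make_token("alice@example.com")} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    f'10.0.0.5 - - [10/May/2024:09:01:40 +0000] "GET /invoice?t={make_token("alice@example.com")} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    f'10.0.0.5 - - [10/May/2024:09:02:03 +0000] "POST /invoice/login?t={make_token("alice@example.com")} HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    f'203.0.113.9 - - [10/May/2024:08:59:58 +0000] "GET /invoice?t={make_token("bob@example.com")} HTTP/1.1" 200 512 "-" "LinkScanner/2.1"',
    f'10.0.0.7 - - [10/May/2024:09:10:30 +0000] "GET /invoice?t={make_token("carol@example.com")} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/May/2024:11:00:00 +0000] "GET /invoice?t=0000deadbeef0000 HTTP/1.1" 200 512 "-" "curl/8.0"',
    "this line is not a valid log entry",
]

LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


@dataclass
class Outcome:
    clicked: bool = False     # loaded the landing page (counted once, however many hits)
    submitted: bool = False   # posted credentials to the fake login form
    reported: bool = False    # forwarded the email to the report-phishing mailbox


def score_drill(log_lines, roster=ROSTER, reported=REPORTED):
    """Return ({email: Outcome}, ignored_line_count) for the drill."""
    token_to_email = {make_token(e): e for e in roster}
    outcomes = {e: Outcome(reported=(e in reported)) for e in roster}
    ignored = 0
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or any(mark in m["ua"] for mark in SCANNER_UA_MARKERS):
            ignored += 1          # malformed line or automated scanner hit
            continue
        parts = urlsplit(m["path"])
        token = parse_qs(parts.query).get("t", [None])[0]
        email = token_to_email.get(token)
        if email is None:
            ignored += 1          # forged, expired or other-campaign token
            continue
        if m["method"] == "GET" and parts.path == "/invoice":
            outcomes[email].clicked = True
        elif m["method"] == "POST" and parts.path == "/invoice/login":
            outcomes[email].clicked = True   # a submission implies the page was loaded
            outcomes[email].submitted = True
    return outcomes, ignored


def summarise(outcomes):
    """Campaign-level rates plus who needs follow-up training."""
    n = len(outcomes)
    clicked = sum(o.clicked for o in outcomes.values())
    submitted = sum(o.submitted for o in outcomes.values())
    reported = sum(o.reported for o in outcomes.values())
    # Follow up with anyone who submitted, or who clicked without then reporting it.
    follow_up = sorted(e for e, o in outcomes.items() if o.submitted or (o.clicked and not o.reported))
    return {"recipients": n, "click_rate": clicked / n, "submit_rate": submitted / n,
            "report_rate": reported / n, "follow_up": follow_up}


if __name__ == "__main__":
    results, skipped = score_drill(LOG_LINES)
    print(summarise(results), "ignored lines:", skipped)
```

Two details matter in practice: the report rate is the number to celebrate and trend over time, and the scanner filter is essential, because without it every recipient behind a link-rewriting mail gateway appears to have clicked within seconds of delivery.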


Get expert IT support

One of the reasons small businesses are a target for cyberattacks is because they tend to lack the IT resource of larger organisations, leaving them more vulnerable. However, this needn’t be the case.

Outsourcing your IT to a professional company gives you the technical support you need to help prevent a cyberattack on your business. You’ll benefit from round-the-clock monitoring and timely system updates, so your IT infrastructure stays as secure and resilient as it needs to be.

To find out more, call us on 0330 363 0055 or email lionel@dragon-is.com.