The greatest security risk to any business, large or small, is awareness. People who don’t understand the security risks of their behavior are unpredictable: they can be resistant to change, and they are often led by emotion. That makes them a vulnerability within your organization. Still, people are required to operate your SMB, and your time is limited. How do you mitigate that risk?
“Awareness is not a technical solution, it’s a human solution. You need to talk with, engage, and collaborate with others—and that takes time.” – 2017 Security Awareness Report, SANS Institute
Security training. It’s the simplest, and yet the most difficult strategy for securing your business. Train your employees. Do it frequently. Then reinforce that security training with additional training. A regular schedule that includes different methods of education is essential to ensuring your employees know how to avoid security risks. According to the book Your Brain at Work by David Rock, repetitive training occupies a different space in your brain than first-time training. When training is repeated often, it becomes habit and is easier to recall.
That kind of training requires time, but don’t look at it as taking time away from your business. Instead, view security awareness training as time invested in your business. Without the training, you would spend that time and those resources on security remediation after an incident, and time invested on the front end costs far less.
Quick Security Education
The blocks of time that SMBs set aside for security training don’t have to be disruptive. An hour a month can go a long way. For example, here are seven security practices you can teach your employees in under an hour:
- Log off. Log out of software when you’re finished with it and log off the computer when you’re walking away. This prevents unauthorized access by vendors, visitors, and even other employees.
- Build better passwords. It seems the password issue will always exist. Users shouldn’t reuse the same password across accounts, and the password they use should contain a mix of capital letters, lowercase letters, numbers, and symbols. It should also be a minimum of 8 characters long. Also, commit passwords to memory. Documents or slips of paper that contain passwords mean easy access for anyone who finds them.
- Learn to recognize phishing emails. Phishing is the largest attack vector because it works. It plays on human emotion, and users respond to emotion. The most effective defense against phishing is to understand how and why it happens and to be prepared when a phishing email lands in your inbox.
- Secure mobile devices. This is especially important if your employees use their personal phones for both work and home life, which is often the case with SMBs. Educate the employees about the risks of unlocked devices if they are lost or stolen and then create security policies that require devices to be locked.
- Stay secure when traveling. Public networks are just that, public. Anyone can use them, and some do, for nefarious purposes. Use virtual private networks (VPNs) when traveling to protect your machine and company data.
- Stop using USB devices. Thumb drives and other USB storage devices are second only to phishing as an attack vector. Viruses and malware are frequently spread by USB devices when employees use them to make data portable. If any computer the device is plugged into has been compromised, then so is the device, and it carries that compromise to the next machine.
- Download apps judiciously. We live in an app culture. Nearly all devices rely on apps for some level of functionality. Just because an app is available in a reputable provider’s app store doesn’t make it safe, however, and direct download apps are even riskier. When downloading an app, do some research first to be sure it’s safe. Then also scan the app before installing it.
Creating a long-term, sustainable culture of security awareness doesn’t have to be a problematic strategy. It does have to happen, however, and the best way to make it happen is through frequent, repetitive training. Simple exercises like those mentioned here are a good way to start, but follow up with additional training, and use different types of security training, including video-based, in-person, and self-paced methods. Help your employees be invested in your SMB’s security. In doing so, you’ll be saving the time and resources a cyberattack or data breach would cost.