[BreachExchange] Security Awareness & Training for Small Business

Audrey McNeil audrey at riskbasedsecurity.com
Mon Oct 1 20:20:20 EDT 2018


While it’s the attacks on well-known companies that make the headlines, the
threat is just as worrying for small businesses. And the problem is made
worse by many small business owners not believing they’ll be attacked,
considering cybersecurity a lower priority than other business issues. In
reality, they’re seen as a soft target for cybercriminals and an easier way
of getting to the criminals’ bigger target: the small business’s corporate

The financial cost of disruption and reputational damage, leading to
customer loss, can be so severe it could threaten a business’s existence.
This makes it even more surprising that many haven’t made cybersecurity
part of their day-to-day business operations.

However, even those that understand its importance say that protection is
expensive (hiring the right technical skills and buying costly training
programs) and that the whole subject is complicated and difficult to
understand. Most will deploy basic technical controls such as firewalls and
antivirus programs, but on their own these don't address the most common
threat to small businesses: employees being targeted by phishing,
ransomware, watering holes and drive-by downloads. The best way to address
those is through regular awareness and training activities.

Fortunately, a lot can be done at low cost. Here are five tips for keeping
your small business secure.

Appoint an Awareness Champion

Find someone inside the business who can take the lead on issuing awareness
communications and delivering or coordinating basic training. They’ll only
need to spend a few hours a week on it, little enough time to fit around
their normal activities.

Using an insider also means you know and trust them, they know your
business, and they’re already on the payroll and accounted for in the
business plan.

Make Use of Free Resources

There’s a huge amount of free resources available, so look at those before
you spend anything.

A couple of hours reviewing what's out there is enough to compile a list of
do's and don'ts that are most relevant for your business, and to find basic
awareness and training material. It's time well spent and means you don't
buy anything you don't need.

Online guides, such as those offered by the U.S. Small Business
Administration and Homeland Security are credible, up-to-date and
comprehensive, so consider starting there. Added to that are specialist
cybersecurity training companies who publish regularly on every topic you
could think of.

Local chambers of commerce run lunch-and-learn sessions, and there are
webinars on YouTube, vendor or government sites if you prefer to watch and
listen.

National Cybersecurity Awareness Month (October) can be a good event to
rally the business around and to include as one element of your own internal
awareness event. There are even printable posters and flyers that can help.

Prioritize Topics for Awareness and Training

Focus on the most common threats: password management, phishing and other
email-based scams, file and data sharing, remote working and physical
security (preventing devices from theft and securely storing documents). If
you can cover all of those, you’ll have taken care of the basics.

Another way of reducing time and cost is by organizing awareness and
training according to job responsibilities. Different roles have different
skill levels and will be exposed to different threats, so don’t waste time
telling employees what they know already or don’t need to know.

Consider External Help

If you’ve still got gaps after having exhausted the free resources and the
capacity or capability of your awareness champion, think about outside help.

The term “consultant” often puts small business owners off because it
usually means expensive, but some government-supported agencies have good
advisors, at a much lower cost — free, in some places — than the private
sector, so consider that as a first option.

Otherwise, look at suppliers who specialize in small business. Check costs
and references and eyeball the advisor to make sure they’re a good fit for
your business.

And remember: tech vendors will offer to help, but only if it results in
you buying their products.

Use Online Training Tools

Online training tools are user-friendly, easy to access and cheaper than
employing trainers, especially if you have several offices. They're also
modular, so you buy only what you need, and they cater for different roles
and skill levels.

Some products include phishing simulators for exposing employees to
real-world examples without inviting real-world problems, and learner
scorecards and dashboards that make it easy to check progress at individual,
team or organization level. They're easy to configure and cover metrics
such as planned and completed modules, score, pass rate and number of
retakes.
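If you run a programme without a vendor dashboard, the same figures are easy to compute yourself. The following is an added example, not code from the original post or from any training product: it takes simple training and phishing-simulation records (the record layout and the sample rows are constructed here) and produces per-team figures for planned and completed modules, average score, pass rate and retakes, plus phishing click and report rates. It also lists repeat clickers, which is the kind of signal you would use to target follow-up training by role rather than re-training everyone.

```python
"""Scorecard metrics for a small awareness programme (added example).

The record layout and the sample data below are constructed for this
example; they do not come from any real product or organisation.
"""
from collections import defaultdict

# Constructed training records: one row per learner per assigned module.
# 'attempts' counts every try, so retakes = attempts - 1 for completed rows.
TRAINING = [
    {"user": "ana",  "team": "sales",   "module": "phishing",  "status": "completed", "score": 90,   "attempts": 1},
    {"user": "ana",  "team": "sales",   "module": "passwords", "status": "completed", "score": 70,   "attempts": 2},
    {"user": "ben",  "team": "sales",   "module": "phishing",  "status": "planned",   "score": None, "attempts": 0},
    {"user": "cara", "team": "finance", "module": "phishing",  "status": "completed", "score": 85,   "attempts": 1},
    {"user": "cara", "team": "finance", "module": "passwords", "status": "completed", "score": 95,   "attempts": 3},
    {"user": "dev",  "team": "finance", "module": "phishing",  "status": "completed", "score": 60,   "attempts": 1},
]

# Constructed phishing-simulation results: one row per user per campaign.
# 'action' is one of: ignored, clicked, reported.
PHISHING = [
    {"user": "ana",  "team": "sales",   "campaign": "invoice-1", "action": "reported"},
    {"user": "ben",  "team": "sales",   "campaign": "invoice-1", "action": "clicked"},
    {"user": "ben",  "team": "sales",   "campaign": "parcel-2",  "action": "clicked"},
    {"user": "cara", "team": "finance", "campaign": "invoice-1", "action": "ignored"},
    {"user": "dev",  "team": "finance", "campaign": "invoice-1", "action": "clicked"},
    {"user": "dev",  "team": "finance", "campaign": "parcel-2",  "action": "reported"},
]


def training_scorecard(records, pass_mark=80):
    """Per-team planned/completed modules, completion and pass rate, average score, retakes."""
    teams = defaultdict(lambda: {"planned": 0, "completed": 0, "passed": 0,
                                 "retakes": 0, "scores": []})
    for r in records:
        t = teams[r["team"]]
        t["planned"] += 1                     # every assigned module counts as planned
        if r["status"] == "completed":
            t["completed"] += 1
            t["scores"].append(r["score"])
            if r["score"] >= pass_mark:
                t["passed"] += 1
            t["retakes"] += max(r["attempts"] - 1, 0)
    out = {}
    for team, t in teams.items():
        out[team] = {
            "planned": t["planned"],
            "completed": t["completed"],
            "completion_rate": t["completed"] / t["planned"] if t["planned"] else 0.0,
            "pass_rate": t["passed"] / t["completed"] if t["completed"] else 0.0,
            "avg_score": sum(t["scores"]) / len(t["scores"]) if t["scores"] else 0.0,
            "retakes": t["retakes"],
        }
    return out


def phishing_scorecard(results):
    """Per-team click rate and report rate across all simulated campaigns."""
    teams = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for r in results:
        t = teams[r["team"]]
        t["sent"] += 1
        if r["action"] == "clicked":
            t["clicked"] += 1
        elif r["action"] == "reported":
            t["reported"] += 1
    return {
        team: {
            "sent": t["sent"],
            "click_rate": t["clicked"] / t["sent"] if t["sent"] else 0.0,
            "report_rate": t["reported"] / t["sent"] if t["sent"] else 0.0,
        }
        for team, t in teams.items()
    }


def repeat_clickers(results, min_clicks=2):
    """Users who clicked in at least min_clicks campaigns: candidates for targeted training."""
    clicks = defaultdict(int)
    for r in results:
        if r["action"] == "clicked":
            clicks[r["user"]] += 1
    return sorted(u for u, n in clicks.items() if n >= min_clicks)


if __name__ == "__main__":
    for team, m in training_scorecard(TRAINING).items():
        print(f"{team:8} planned={m['planned']} completed={m['completed']} "
              f"pass_rate={m['pass_rate']:.0%} avg={m['avg_score']:.0f} retakes={m['retakes']}")
    for team, m in phishing_scorecard(PHISHING).items():
        print(f"{team:8} sent={m['sent']} click={m['click_rate']:.0%} report={m['report_rate']:.0%}")
    print("repeat clickers:", repeat_clickers(PHISHING))
```

The pass mark and the "two clicks" threshold are arbitrary choices for the example; pick values that fit your own programme. Report rate is worth tracking alongside click rate: a team that clicks rarely but never reports is still not giving you the early warning your breach-reporting plan depends on.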

Finally …

Be prepared. Awareness and training activities should include what staff
must do in the event of a breach. Your plans should spell out how employees
report a breach or near-miss, who is responsible for what during recovery,
and your business continuity arrangements.

A business continuity plan is an established practice for bigger businesses
but often forgotten for smaller businesses — now’s the time to make sure
yours is ready to use.