One of the most common misconceptions about cybersecurity is that small- and medium-sized businesses (SMBs) don’t need to worry about cyber-threats or attacks. This is simply untrue. Over the last few years, more than 70 percent of the organizations that have lost money to cyber-crime have been SMBs. Make no mistake: small businesses are a big target. There are many reasons for this, but one of the most prominent is a lack of training and awareness among employees. People are the biggest threat to an organization’s security. But you can make your people your first line of defense.
Every person – from the President, CEO, and Chairman of the Board to the custodians, cashiers, and administrators – should receive cybersecurity training and be held accountable for following all security policies. It is important to note that almost half of the losses associated with cyber-crime have been attributed to insider fraud and carelessness.
Given how widespread the usage is of personal devices among employees, on and off company premises, BYOD security policies must be addressed, as well. This is particularly true when employees use personal devices to conduct company business – including accessing work email accounts. Any device that connects, even sporadically, to company systems and accesses business data can be targeted by cyber-criminals and should be subject to specific security requirements.
Employees need to understand not only what the risks are but why training is so critical. Most millennials and post-millennials are well-versed in the use of technology, but even the savviest tech user is easily tricked by ransomware. And most people are unaware of the extent of cyber-attacks in today’s business world.
Employees cannot avoid, or help address, what they do not understand and recognize. Whether the potential risks are phishing emails, malware, ransomware, out-of-date software, or the use of unapproved applications, employees must be taught to recognize and report suspicious activity, to avoid clicking on links and opening attachments, and to think before clicking. Threats are far more likely to be handled properly, or avoided altogether, when employees are routinely trained. Thus, it is critical to make cybersecurity training an integral part of the onboarding process, as well as an ongoing practice throughout each employee’s tenure. This training should include the basics of current threats and information regarding emerging threats.
The following elements should be a part of both initial and ongoing training:
- Common Threats: Employees must understand and be able to recognize signs of common threats. At the very least, these warnings should be written down and displayed in visible locations in every department. Download our email security guide to get started (PDF).
- Communication: Employees need to feel encouraged to speak up and speak out if they suspect an issue. They need to feel empowered to take time away from normal business long enough to address concerns with a supervisor, manager, or managed services partner.
- Prevention Rules: Employees need clear guidelines regarding the sites from which they can or cannot access information, as well as guidelines detailing what may or may not be installed on their company computers and devices. They need simple instructions about which attachments should not be opened and which links should not be clicked. They should be required to report any solicitations or non-work-related messages from unrecognized sources. Finally, companies should use high spam-recognition standards to minimize threats that otherwise would require skilled employee intervention.
- Password Standards: One of the most frustrating aspects of our modern technological world is the need for multiple passwords on multiple devices and accounts, especially the frequent changing of passwords for the same accounts. While biometric capability may soon relieve some of this frustration, insisting on strong passwords, multifactor authentication, and password security is essential.
None of these measures is terribly difficult; none of them is particularly time-consuming; none of them is overly burdensome; all of them are critical. Given the rise in cyber-attacks over the last decade and, especially, the recent, coordinated, worldwide ransomware attack, not providing cybersecurity training to employees is not an option for any company that wants to survive and flourish. Of all expenditures that do not generate revenue directly, this is one of the most fundamental and unavoidable. It cannot be ignored.
While thinkCSC believes that employees will always be the first line of defense against ransomware attacks, the only real solution is for leaders of all organizations and businesses of all sizes to invest in stronger IT security that includes offsite backup and recovery. These protections, combined with ongoing staff training, strict security policies, and constant vigilance, are an absolute necessity in today’s cyber-environment.
For new customers interested in information on obtaining our services, please contact us at firstname.lastname@example.org.