How employee awareness can combat SME security threats

data privacy, cyber threats, best practices
Secured Mobile Device. Tablet Computer with Security Concept on the Screen. Closed Padlock Concept. Mobile Technology Security.

While small businesses have always navigated a unique mix of issues, the last year has undoubtedly caused them to adapt to disruption at record speed. Stability is front of mind for all small businesses seeking to find their feet in the changed marketplace. The last thing businesses need is a cyberattack putting the business, employees and customers all at risk.

One of the most common threats facing small businesses is phishing, the primary distribution method for malware, which can lead to extremely derailing attacks like ransomware. Australians reported over 44,079 phishing scams in 2020 according to ScamWatch, 18,911 higher than the year prior.

Which is why business owners must prioritise supporting employees in learning how to successfully identify and avoid phishing scams. Utilising the below insights for promoting and adopting cybersecurity awareness and employee knowledge and resilience, small-business leaders can take the reigns on greatly reducing risks to the business.

Understanding security weaknesses

Every business should routinely evaluate its cybersecurity posture and layers of defence. SMEs are no different, though they do encounter unique security challenges. One of the biggest impacting factors is that SME IT teams are often short-staffed or financially unable to retain dedicated IT personnel at all. This is why many turn to a managed service provider (MSP) who can tailor and recommend catered approaches after evaluating a business’s unique security strengths and weaknesses, while carefully considering budgets and industry-specific needs.

Another key challenge over the past year and more has been adapting to the security vulnerabilities resulting from remote work, namely the large increase in workers connecting to dispersed home networks and using work and personal devices interchangeably. Both present significant issues. As the average home network is significantly less secure than corporate networks, remote workers are more vulnerable to attacks.

Arming employees with knowledge

Empowering staff with knowledge is key to combatting cybercriminals – if employees know what to look for, they’re able to avoid falling for the scams aimed at them. Which is why security awareness programs are a proven way to build resilience against attacks by changing employee behaviours that can lead to security compromises.

Training to help combat phishing attacks typically starts with a baseline phishing campaign distributed to all employees to test their level of awareness. Good components of any security awareness and training program include teaching employees how to avoid phishing and other social engineering cyberattacks, spot potential malware behaviours, report possible security threats, and adhere to applicable data privacy and compliance regulations such as GDPR, HIPAA, etc. Phishing simulations are some of the most effective ways to teach your employees how to avoid phishing and also hold them accountable. But most of all, it must be consistently repeated and refined to adjust to the current threat landscape to be most effective.

What to do after implementing training

Security awareness and training is not a one-time fix. Going further beyond just a program or service itself, encouraging an open discussion channel around cybersecurity will reduce the likelihood of someone falling for a phishing scam. If employees communicate when they see a strange email it will help other team members identify and avoid it. In using a healthy dose of suspicion with regards to emails, employees can make their small businesses much more secure by putting phishing knowledge into practice.

To consistently reinforce that cybersecurity is a priority all employees need to embrace, small-business leaders should report on the latest risks and threats and provide tips to staff about cybersecurity trends and best practices. They can also easily incorporate reminders and updates into company meetings about new training assets or new threats to be on the lookout for online or possible simulation.

Tyler Moffitt, Senior Security Analyst, Webroot