If you think your small business is not a target for hackers and cybercriminals — think again. An estimated 50-70% of ransomware attacks target small- and medium-sized businesses[1], likely because adversaries believe smaller organizations do not have robust security measures in place to defend the business and its data.

While cybercriminals rely on a variety of methods to attack a company, one of the most common — and often easiest — is by targeting employees through coordinated phishing attacks or other social engineering techniques.

To minimize this risk, small- and medium-sized businesses need to develop an employee cybersecurity training program that will educate their people about common security risks, promote responsible online behavior and outline steps to take when they believe an attack may be in progress.

Understanding Internal Cybersecurity Policies

Before employee training programs can be developed, your business must have a clear sense of its cybersecurity strategy, as well as the people, processes and technologies that will execute the security program. Here we review the essential elements of the cybersecurity architecture.

Are you using a cybersecurity platform?

A wide variety of solutions and services are available on today’s cybersecurity market. While a trusted and reputable cybersecurity partner can help businesses develop a custom toolset to meet their unique needs, every cybersecurity platform should start at a baseline with antivirus protection.

Develop an Incident Response Plan and Document Cybersecurity Procedures

An incident response plan is a document that outlines an organization’s procedures, steps and responsibilities to prepare for, detect, contain and recover from a data breach.

Document the Software, Programs and Internet Sources that Are Allowlisted for the Organization

Even small businesses should develop a clear acceptable use policy for employees who use corporate devices and networks, or have access to data and other sensitive assets. This would include listing the different software applications, programs, websites and social media platforms that are allowed to be accessed with a company device or via a corporate network, as well as the steps that need to be taken to secure and protect the device and its data.

As part of this process, it may also be helpful to outline unacceptable behaviors and prohibited activity.

Define Scope of the Cybersecurity Training Program

Cybersecurity awareness training should be a mandatory task completed by every employee, regardless of level, location or job scope. That said, it may be wise to tailor learning programs based on job type or level of experience, as well as location.

The training program may be adapted for the following audiences:

• Basic/individual contributor: A basic level of cybersecurity training suitable for all employees who have access to any internet-connected device or the company network. This course would review common cyber threats, how to detect attacks that are in progress and how to engage in responsible online behavior to reduce risk.
• Managerial: A managerial training module is specifically designed to help managers and supervisors answer questions from their teams, enforce corporate security policies, identify and mitigate high-risk behaviors and coordinate with the security team.
• IT staff: While IT staff are highly trained in technical matters, many do not have deep expertise in cybersecurity. This training module would provide IT professionals with a high-level overview of cybersecurity best practices and training on how to use the company’s existing cybersecurity tool set.
• Remote workers: As the remote work trend continues to grow, organizations must take extra steps to protect the company from risks that occur when an employee uses a personal network to conduct official business. As part of this process, the organization must outline what security measures must be in place for the employee to work from a remote location — whether it is their home, a partner site, a hotel or any location of their choosing.
• Contractors, freelancers, vendors: Similar to remote workers, contractors, freelancers and vendors often do not work onsite but have access to corporate devices, data and networks. These individuals should complete the basic cybersecurity training program. In addition, the company can also consider developing a special module to address the specific needs and limitations of this group.

Planning Your Training Program: What Topics to Include

The training program should cover common and significant cyber threats. These include:

Phishing and Other Social Engineering Attacks

Social engineering is one of the most common methods of cyberattack, where a hacker tricks an employee into sharing sensitive data or credentials by posing as another legitimate employee or partner. For example, a hacker may pose as a help desk agent to ask a user for sensitive information, such as a username and password.

Phishing is a type of social engineering cyberattack that uses email, text message, phone call or social media to entice a victim to share sensitive information — such as passwords or account numbers — or to download a malicious file that will install viruses on their computer or phone.

When creating your training program, include real-life examples of a phishing attack to educate your employees on the main key indicators like you’ll see in the example below:

Password Attacks and Credential Theft

Attackers are constantly after user IDs, email addresses and passwords because these items enable them to pose as a legitimate user to avoid detection while they carry out an attack.

Once the hacker has your credentials they can access any service or network the account is entitled to. One of the best ways to reduce the risk of password compromise is to require users to create strong passwords. Below are examples of strong passwords.