Coro’s Mythbuster Series—Myth No. 6: Creating A Security-Aware Culture Isn’t Necessary For SMBs

Forbes Technology Council

Cofounder and chief marketing officer at Coro.

Myth: We already have cybersecurity tools in place to protect our business, so there is no need to invest in building a security-aware company culture.

Myth busted: Employees are the largest source of risk in most companies, not because they are malicious but because nobody has shown them what to watch for. Strong cyber defense tools are table stakes, but your staff still needs to be trained on the threats they will actually face and on the policies and processes for handling them. Building a security-aware culture is not as overwhelming or time-intensive as it may sound. With a few simple steps, even resource-stretched mid-sized and small businesses can create a mindset that promotes cybersecurity across the company.

With cybercriminals becoming more sophisticated and seeking easy targets, it is critical for SMBs to be armed appropriately. Investing in the right tools and establishing clear security policies are important. But human error is a contributing factor in the large majority of security incidents (one widely repeated estimate puts the figure at 95%), so employees also need to realize that they play a critical role. This is why creating a culture of cybersecurity awareness matters.

What exactly is a security-aware culture, and what’s the point? According to SANS senior instructor, security author and expert Lance Spitzner, a security-aware culture is defined as “your workforce’s shared attitudes, perceptions, and beliefs towards cybersecurity.” In short, the goal of building a security-aware culture is to reduce the risk of cyberattacks by educating employees about the importance of cybersecurity and teaching them to be more vigilant and proactive in protecting company and customer data.

Why should this be a priority for SMBs? If something goes wrong at a big company, it has the money and people to throw at it to make it go away. If something goes wrong at a small company, it can be utterly disastrous. For resource-strapped SMBs, creating a security-aware culture is an important part of a cost-effective cybersecurity strategy.

Can I create a security-aware culture if I don’t even have a security team? Yes, you can. You just need to start simple. Here are a few tips.

1. Make security awareness a company-wide directive.

From the CEO to your interns, it’s important to treat cybersecurity awareness as a company-wide commitment. Clearly convey why you’re embarking on a security-awareness initiative and show the effect it can have on managing your company’s risk. As many SMBs do not have a CISO, CSO or CIO to take the lead, you need to equip all of your people with the know-how to make smart, secure decisions on a daily basis and trust that they’ll do so.

2. Remember that security awareness training should not be a one-and-done thing but an ongoing activity.

Instead of holding security training once a year and making it something that employees and leadership dread, you’ll see better results by conducting regular security training. Include training as part of any new employee onboarding, commit to monthly training for all of your staff and regularly review your cyber hygiene practices. SMBs can also leverage free external resources for ongoing education, including cyber hygiene assessments, webcasts and seminars, online training tools and newsletter tips. Amazon offers a free cybersecurity awareness training module, and the National Initiative for Cybersecurity Education (NICE), SANS and CISA are also wonderful resources to tap.

3. Run simulations to expose any weak points and improve overall awareness.

Similar to how fire drills help plan for real emergencies, simulated cyberattack exercises can reveal how employees would react in the event of an actual attack. This can help employees learn which red flags and warning signs to look out for, give them a clear understanding of how effective your security policies and training initiatives are and keep everyone on their toes.

For example, phishing and social engineering scams account for 57% of all cyberattacks on SMBs, yet employees spend less than one hour per year learning how to handle phishing emails. By conducting frequent simulations, you can uncover areas for improvement, provide hands-on training that prepares your team for the real thing and give employees constructive feedback on how they performed. Track not only who clicked but also who reported the email and how quickly, since a rising report rate is the clearest sign that the training is working, and use the results for follow-up training rather than punishment. A recent study examining the effectiveness of phishing simulations found that with regular tests, a company can reduce its susceptibility to phishing by nearly 15%.
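The kind of analysis that turns a phishing drill into feedback, as an added example that is not part of the original article and not Coro's own tooling: it takes per-employee results from several simulated campaigns (the sample records, campaign names, departments and user names are constructed for illustration) and computes click and report rates per campaign, the change in click rate over time, the departments that need attention and the employees who clicked repeatedly and should get targeted follow-up training.

```python
"""Summarize phishing-simulation results into training feedback.

All data below is constructed for illustration; the record layout is an
assumption, not the format of any particular simulation product.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Result:
    campaign: str            # campaign label, sortable (e.g. "2024-01")
    user: str
    dept: str
    clicked: bool            # followed the simulated link
    reported: bool           # used the report-phish button
    minutes_to_report: Optional[int] = None


# Constructed sample: three campaigns, four employees, two departments.
SAMPLE: List[Result] = [
    Result("2024-01", "alice", "sales", True, False),
    Result("2024-01", "bob", "sales", True, False),
    Result("2024-01", "carol", "eng", False, True, 5),
    Result("2024-01", "dave", "eng", False, False),
    Result("2024-04", "alice", "sales", True, False),
    Result("2024-04", "bob", "sales", False, True, 30),
    Result("2024-04", "carol", "eng", False, True, 4),
    Result("2024-04", "dave", "eng", False, True, 120),
    Result("2024-07", "alice", "sales", True, False),
    Result("2024-07", "bob", "sales", False, True, 12),
    Result("2024-07", "carol", "eng", False, True, 3),
    Result("2024-07", "dave", "eng", False, True, 45),
]


def campaign_rates(results: List[Result]) -> Dict[str, Dict[str, float]]:
    """Per-campaign click rate, report rate and mean minutes to report."""
    by_campaign: Dict[str, List[Result]] = defaultdict(list)
    for r in results:
        by_campaign[r.campaign].append(r)
    out: Dict[str, Dict[str, float]] = {}
    for name, rows in by_campaign.items():
        n = len(rows)
        times = [r.minutes_to_report for r in rows if r.minutes_to_report is not None]
        out[name] = {
            "n": n,
            "click": sum(r.clicked for r in rows) / n,
            "report": sum(r.reported for r in rows) / n,
            # Time to first report matters: it bounds how long an attacker has.
            "mean_minutes_to_report": sum(times) / len(times) if times else float("nan"),
        }
    return out


def click_rate_change(results: List[Result]) -> float:
    """Relative change in click rate from the first to the latest campaign.

    Negative means improvement (e.g. -0.5 is a 50% reduction in clicks).
    """
    rates = campaign_rates(results)
    ordered = sorted(rates)
    first, latest = rates[ordered[0]]["click"], rates[ordered[-1]]["click"]
    return (latest - first) / first if first else 0.0


def dept_click_rates(results: List[Result], campaign: str) -> Dict[str, float]:
    """Click rate per department for one campaign, to target group training."""
    clicks: Dict[str, int] = defaultdict(int)
    totals: Dict[str, int] = defaultdict(int)
    for r in results:
        if r.campaign == campaign:
            totals[r.dept] += 1
            clicks[r.dept] += int(r.clicked)
    return {d: clicks[d] / totals[d] for d in totals}


def repeat_clickers(results: List[Result], min_clicks: int = 2) -> List[str]:
    """Employees who clicked in at least min_clicks campaigns.

    These are the people who need individual follow-up rather than another
    company-wide slide deck.
    """
    counts: Dict[str, int] = defaultdict(int)
    for r in results:
        if r.clicked:
            counts[r.user] += 1
    return sorted(u for u, c in counts.items() if c >= min_clicks)


if __name__ == "__main__":
    for name, stats in sorted(campaign_rates(SAMPLE).items()):
        print(f"{name}: click {stats['click']:.0%}, report {stats['report']:.0%}")
    print(f"click-rate change first->latest: {click_rate_change(SAMPLE):+.0%}")
    print("needs follow-up:", repeat_clickers(SAMPLE))
```

The two numbers worth watching together are the click rate and the report rate: a campaign where clicks fall but reports do not rise usually means employees have learned to recognize the test template rather than phishing in general, so vary the lures between campaigns.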

While there are other actions that SMBs can take to protect against rising cybersecurity threats, be mindful that it will always be humans who pose the greatest risk. If you put in a little elbow grease, you can take the steps to build a culture of cybersecurity awareness that will reduce this risk and help with your overall security stance. Employees who are aware and engaged will be less likely to fall prey to attacks and more likely to take the right steps if a breach does occur.
