3 Steps to Cyber Awareness in an SMB

JonSantavy
7 min read · Aug 27, 2018

Building cyber awareness in an SMB reduces the organization’s risk of a breach and protects your employees and customers from hackers.

If you’re reading this article it’s likely that you’ve realized cybersecurity is a risk to your business and that your people are part of that risk.

The goal of a cyber awareness program is to raise awareness of cybersecurity risks and best practices with employees so that they make better decisions and protect your small or medium sized business.

Cyber awareness is common for large organizations, but it’s relatively new for SMBs. The goal of this article is to show how you can build enterprise-grade cyber awareness in an SMB with limited resources, and potentially for free.

After reading this article you should be able to define why it’s important to build cyber awareness in an SMB, how to increase adoption of cyber awareness with your leadership team and ultimately your employees, how to structure a program for cyber awareness in an SMB, and how to execute on cyber awareness.

Ultimately, you’ll learn how to build cyber awareness into the culture of your business.

Why Build Cyber Awareness in an SMB

The threat landscape has changed over the last few years. In the past, the belief was that cyber criminals focused on big businesses with big payoffs. SMBs like law firms, consultants, and software companies thought they were safe. As cyber crime grew, big organizations increased their defenses, making it much more difficult to access their crown jewels. Cyber criminals started turning to SMBs because they were easier to access, had valuable information of their own, or could even act as a Trojan horse and walk the cyber criminal through their big customers’ doors.

The risk is increasing for these SMBs. The direct cost of a breach can put most SMBs out of business, and the indirect costs like losing clients can be just the same.

These risks have also changed how organizations work with SMBs. If you remember the Target hack from 2013, cyber criminals didn’t gain access directly into their systems, rather they gained access to an HVAC company that does business with Target. By gaining access to this SMB, the cyber criminal effectively walked right into Target. This was ultimately settled for $18.5 million.

As a result of these risks, organizations now run third-party risk assessments which include all of their vendors. One of the requirements on most, or all, third-party risk assessments is annual cybersecurity training for employees.

For all of these reasons the risk landscape has changed, and increased significantly for SMBs. Big businesses, industry groups, and governments are responding by requiring cyber awareness in an SMB.

There are 3 Steps to Building Cyber Awareness in an SMB

1. Define Your Why

The first step in developing a successful program that builds cyber awareness in an SMB is defining your why. The last section was very generic…and it’s easy to say that every company should practice cyber awareness. Period. But what’s your why? Why is cybersecurity and cyber awareness vital for your business?

Ask yourself what will happen to you and your business if there’s a breach. Will you lose your biggest customers? Will you lose future revenue? Will you lose trust from your employees?

Seems simple, I know, but this is really important. This is the cornerstone of a successful campaign for cyber awareness in an SMB.

Developing Buy-in from your Leadership Team

Once you define why cyber awareness is important to your organization, you’ll have to communicate that to the team in a way that makes sense for them. Here’s what that might look like by department.

  • Finance — How will a breach impact your top and bottom line in the future? How will it impact budgets?
  • Human Resources — How will a breach impact recruiting and retaining top talent?
  • Sales — Sales teams are notorious for hating any work that doesn’t help them reach their goals. This attitude also puts them more at risk — they are busy and fast paced, and they operate under the belief that getting the sale is more important than security. So how does cyber awareness impact the salesperson? Will they lose renewals? Will they lose new opportunities? Will they lose all of their big opportunities?
  • Information Technology — Cyber awareness can build a bridge between IT and the rest of the business, so showing IT how cyber awareness will help them to connect and reduce the time spent fixing preventable mistakes will increase IT’s support of cyber awareness in an SMB.

We published an in-depth article on Developing a Leadership Team that Embraces Cybersecurity Awareness, and posted a slideshare on the topic here.

The important thing is to define your why, and how that why impacts your team.

2. Develop your Plan

Remember that cyber awareness in an SMB is a process; it is not an event. So start with sharing why cyber awareness is important to your business with your leadership team, and how it impacts them in their roles.

Start this at a team meeting so you have the discussion with the group, and iterate it over time to show that cyber awareness is important to you and the organization, and it will be an ongoing theme, not a one time conversation. This is key.

Developing a leadership team that understands the role they play in cybersecurity is just as important as developing employees that understand their role in cybersecurity. We’ve discussed defining your why and developing that culture in leadership, so now we can take a similar approach to building it within your employees.

Cyber awareness in an SMB is really about teaching employees about the risks and best practices. You’ll need to decide what topics you want to cover in your cybersecurity awareness program. We went in depth on this topic in an article recently — What is Security Awareness?

Often the hot topic is phishing, but we recommend building a cyber awareness program that covers the full scope of risks and best practices from physical security to cybersecurity and everything in between. If you want to see common phishing attacks and examples that you can share with your team check out 6 Examples of Phishing and How to Identify Them.

3. Deployment and Execution

You’ve defined why cyber awareness is important to your business and leadership, you’ve defined what topics you need to cover in your program, so the last step is deploying the cyber awareness program.

An easy way to deploy a cyber awareness program for employees is to incorporate it into your weekly team meetings. Introduce a new topic every week, and train employees on that topic. Including even 1 minute in your team meeting every week creates a culture of awareness.

Another way to do this is to start emailing employees weekly or monthly on important topics, or risks that you’ve seen. Has there been an increase in phishing emails? Share an example and show employees how to identify it. Have you changed your guest sign-in policy? Share why, and how employees can follow your policy.

Cyber awareness training can be provided online. Our platform helps you to certify that you’ve trained all employees, and actually tracks that employees have completed the assigned training. This is really important when your purpose for cyber awareness training is driven by a third party or industry regulation where you may have to prove that you’ve done it for all employees.

We provide a free trial that’s actually free. No credit card required.

Our platform also allows you to simulate phishing emails to raise awareness. You can safely send a phishing email to an employee’s inbox with indicators that it’s a phishing email: the sender is not who they should expect, the links in the email direct them somewhere suspicious, words are misspelled, etc. If the employee clicks on the link they will immediately be notified that it’s a (safe) phishing email, and trained on how they should have identified that the email was phishing. This prepares employees and raises awareness so they are able to identify malicious emails. You can simulate phishing emails with our free trial.

Building Cyber Awareness in an SMB

Cyber Awareness in an SMB empowers employees and leadership to protect an organization from cyber threats. It’s often required by customers, industry regulators, and government policy, but cyber awareness is important for every SMB even if the requirement is not driven from an outside stakeholder.

You can grow your business by differentiating yourself through cyber awareness. Showing customers and employees the importance that you place on their information can be the difference between new business and lost opportunities.

Before you go

Wuvavi provides the world’s only cyber awareness platform developed for small and medium sized businesses that you can buy, enroll employees, and deploy in under 3 minutes. Learn more and sign up for a free trial.

Originally published at wuvavi.com on August 27, 2018.