If you own a small business, you are under the threat of a cyberattack that could take down your company. You may not agree with that statement: According to a CNBC study, only 2 percent of small businesses consider a cyberattack one of their most critical risks. However, studies find that half of small businesses have suffered some sort of cyberattack. In fact, 7 out of 10 attacks specifically target a smaller business.
Cybercriminals use tactics like phishing emails and social engineering to trick people into downloading malware or sharing sensitive information. Educating your employees on how to detect and react to a scam should be the first step in your cybersecurity plan. Even the smallest company should invest in a security training program that provides at least the basics of security awareness. But where do you begin?
Serge Borso, adjunct instructor at Denver-based immersive, accelerated cybersecurity academy SecureSet, provided some insight on setting up a security training program for your business.
Q: Who should put together your training program? Should you do it in-house or contract it out?
SB: I am a proponent of leveraging in-house talent when there is a good fit. That said, you should consider costs and organizational core competencies to help guide your choice. Also, take into account that your own people likely know your business better than a contracted company does.
Q: What should you expect if you decide to go DIY?
SB: Choosing a DIY solution for your internal security training program involves identifying key areas to focus training on, determining the cadence of training so as to ensure everyone gets the same message without grinding the business to a halt, and securing leadership buy-in. In addition, developing a plan to add components to the program over time is essential; training should be fluid and flexible to accommodate different learning styles and incorporate the latest knowledge on a given topic.
Q: If you go external, what should you look for?
SB: Depending on your organization, I would suggest looking for a partner that will create custom training material that speaks to the issues that are of concern for you. The threat of phishing is universal, and canned training on this may be sufficient. For education more geared toward your specific needs and interests, users require topic-specific training. A use case for an incident that recently occurred, for example, often benefits from a tailored approach.
Q: Can a commercial program be tailored to your specific concerns?
SB: Commercial programs are great at addressing generic concerns. There is no shortage of commercial products with dozens of interchangeable modules to fit the needs of the majority of businesses. Commercial security training programs can be customized to address specific concerns, but time and money factor into this, as one would expect.
Q: What should every security training program include?
SB: In a word, metrics. You must have a way to measure the success of the program. Start by thinking about the areas of concern that training is designed to address, and formulate a method to calculate successes and failures.
Q: How often should you provide training sessions?
SB: If the goal of training is to check a box for your audit (that's a fail), then annual training is great. Your business, your culture and the program you develop will dictate frequency of training. The objective is to educate users to the point of behavioral change, and, simply put, this takes time.
Remember that this is a process. You want to keep your users learning, engaged and having fun.