Creating a cybersecurity training program for SMBs and MSPs
Cybercrime is essentially a cat-and-mouse game. As cyber attacks become more sophisticated and widespread, security solutions must also innovate and evolve. One misstep can give the bad guys an advantage, and too often it’s not the technology, but the employees that give them the edge.
According to a 2023 Global Cloud Security Study, human error remains the leading cause of successful cloud breaches. A separate Data Breach Investigation Report states that 74% of all breaches involve a human element.
Every company, regardless of size, is a target. In fact, the same Data Breach Investigation Report claims that small businesses experience more incidents than much larger organizations. The good news is that companies are improving their security posture by investing in their people through a Security Awareness Training (SAT) program. In fact, small and medium-sized businesses (SMBs) provide training at almost the same rate as enterprises. According to a 2023 Global Ransomware Survey, 83% of SMBs and 96% of enterprises require employees to take SAT.
While the value of training is well known, the way we work – and the cybersecurity threats that follow us – has evolved into a fluid, always-on mode of working that places new cognitive demands on us in both our personal and professional lives. These new mental challenges are not effectively addressed by cumbersome, time-consuming training sessions delivered perfunctorily on a quarterly or even annual basis. New threat variants continue to emerge and new vulnerabilities are being exploited, while employees are juggling more tasks than ever before. And the cycle continues. Cybersecurity awareness training sessions need to be shorter, more relevant, and more frequent to have any chance of improving security behavior.
And don’t forget the administrators. Due to limited resources and limited budgets, Managed Service Providers (MSPs) often burden their administrators with SAT tasks for which they are often ill-suited. Essential SAT tasks such as content management and campaign reporting are specialized and not typical administrator responsibilities. Therefore, these tasks become time-consuming and challenging for most administrators to maintain, especially when assigned in addition to their other responsibilities. Keeping this administrative overhead to a minimum is an essential aspect of a sustainable SAT program.
Consider these five tips to create and maintain an effective training program.
Senior product manager at OpenText Cybersecurity.
1. Use phishing simulations and microlearning together
Phishing remains the most common type of social engineering attack – and the level of sophistication remains surprising. Phishing messages are increasingly based on local news or publicly available information about a company or employee. And these scams aren’t limited to email; threat actors are improving their skills and creating fake voicemails using AI voice generators.
Using short, course-based learning together with phishing simulations, employees gain the knowledge they need along with the opportunity to practice responding to attacks. Choose course content that covers a topic in no more than 10 minutes. Pair each course with a phishing simulation whose scenario matches what the course covers. The goal is to keep relevant security topics top of mind and to encourage employees to think before they click, to verify sensitive requests, and to report any suspicious incidents.
2. Make password management easier
Ensure an effective password policy that employees know and understand. Most employees are probably familiar with the theory behind creating strong passwords: avoid simple and guessable words and numbers, and create a unique, complex sentence for each site visited. However, the challenge of creating and then remembering multiple complex passwords often leads end users to take risky shortcuts – from reusing an identical password to keeping a physical list of credentials next to a workstation.
Organizations vary, and no one solution is always best. Awareness training should go beyond warnings and provide best-practice solutions that fit the organization’s specific culture. For example, a quick refresher on creating strong, memorable passwords with minimal time and effort could include building passwords from a common element customized to each specific setting (such as ABT2_uz_sAg! for ‘about to use Sage’) or using the keyboard as a canvas to trace shapes instead of typing words. Add fun exercises that stimulate employee creativity, increase engagement, and make strong passwords less daunting.
Some organizations specify the use of password managers to securely store login credentials for multiple sites. Regardless of specific tools or tactics, it’s wise to emphasize the importance of password hygiene and the role employees play as a company’s first line of defense against threat actors.
3. Reinforce remote work best practices
In today’s hybrid work environment, it’s critical that employees understand how to keep their devices and information secure while working away from the office. Remote devices are often the first targets of cybercriminals. While endpoint protection solutions, multi-factor authentication, and virtual private networks (VPNs) all help mitigate the risks of remote access, they are not foolproof, especially if best practices are not followed. After all, when employees are not at the workplace, they can easily become lax.
Risks and best practices for remote work should be a regular part of all SAT programs. In addition to mandating the use of a VPN to access sensitive corporate data, audits should also be conducted to confirm (and encourage) compliance. Continued education about the dangers of accessing corporate data over unsecured networks such as public Wi-Fi can ensure security remains top-of-mind.
4. Don’t forget physical security
In today’s digital age, it’s easy to forget the basics of physical security: never leave laptops and desktops unattended. All devices must have a screen saver that locks automatically after a period of inactivity and requires a password to resume, to prevent unauthorized access.
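A training requirement like the one above is only useful if it is also verified on the endpoints. The following PowerShell audit script is an added example, not part of the article, that reads a Windows workstation’s effective screen-saver settings and reports whether the lock-on-idle control is in place. The registry value names are the standard Windows screen-saver settings (a GPO-applied value under the Policies key takes precedence over the per-user value); the 15-minute idle threshold is an assumed policy value, not one the article states.

```powershell
# Added example: audit a Windows workstation's screen-lock settings.
# Not from the article. Run in the context of the user being audited.

$maxTimeoutSeconds = 900   # assumed policy: lock after at most 15 minutes idle

function Get-RegValue($path, $name) {
    try { (Get-ItemProperty -Path $path -Name $name -ErrorAction Stop).$name }
    catch { $null }   # value or key absent
}

# GPO-applied values live under the Policies key and override the per-user key.
$policyPath = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$userPath   = 'HKCU:\Control Panel\Desktop'

function Get-Effective($name) {
    $v = Get-RegValue $policyPath $name
    if ($null -eq $v) { $v = Get-RegValue $userPath $name }
    return $v
}

$active  = Get-Effective 'ScreenSaveActive'      # '1' = screen saver enabled
$secure  = Get-Effective 'ScreenSaverIsSecure'   # '1' = password required on resume
$timeout = Get-Effective 'ScreenSaveTimeOut'     # idle seconds before it starts

$findings = @()
if ($active -ne '1') { $findings += 'screen saver is not enabled' }
if ($secure -ne '1') { $findings += 'screen saver does not require a password on resume' }
if (-not $timeout -or [int]$timeout -le 0 -or [int]$timeout -gt $maxTimeoutSeconds) {
    $findings += "idle timeout is '$timeout' seconds (policy: 1-$maxTimeoutSeconds)"
}

$who = "$env:COMPUTERNAME\$env:USERNAME"
if ($findings.Count -eq 0) {
    Write-Output "COMPLIANT: $who locks within $timeout seconds of inactivity"
} else {
    Write-Output "NON-COMPLIANT: $who"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Running this from an MSP’s remote-management tool across a fleet gives the audit evidence the article asks for in the remote-work section as well: a device that is “compliant” in the training tracker but reports NON-COMPLIANT here is the one to follow up on.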
Likewise, awareness of the physical environment, especially when away from the office, can prevent the theft of information or credentials. For example, shoulder surfing, a form of data theft where criminals simply look at nearby screens to steal credentials, is a very real threat to organizations.
And again, it’s important that employees consider the potential risk of public Wi-Fi hotspots. These are high-risk and often unsafe ‘conveniences’. Using a VPN is an easy way to stay safe.
5. Increase training frequency
Decades of experience with digital training tools and techniques have shown that short, continuous learning sessions are effective in changing security behavior. And data shows that with ongoing sessions, the click-through rate on phishing simulations drops from 37% to 13% in just six months – a drop of 65%. While each organization must determine what works best for its goals and culture, the emerging standard for effective SAT programs is to deliver SAT sessions on a monthly basis.
By paying constant attention to security essentials, it is possible to better protect the business and ensure that employees are a security asset rather than a security risk.
This article was produced as part of Ny BreakingPro’s Expert Insights channel, where we profile the best and brightest minds in today’s technology industry. The views expressed here are those of the author and are not necessarily those of Ny BreakingPro or Future plc. If you are interested in contributing, you can read more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro