Employee Awareness
SMEs should provide regular cybersecurity awareness for employees to ensure they can recognize and appropriately deal with the various threats.
Published: September 01, 2021
If staff are not made aware of cybersecurity threats, the reasons the SME has employed certain cybersecurity policies and controls, or how employees should react to a suspect security breach, then the risk of a security breach occurring increases significantly.
The security awareness program should be tailored to the audience and should focus on topics relevant to the audience's role. For example, the content of the training for people working in finance may differ from that for people working in the sales and marketing function.
Records of the training courses and those who attended should be maintained to ensure staff members have received the correct training.
Although the financial and personnel resources of small businesses may be limited, cybersecurity training does not necessarily mean hiring a specialized lecturer. There are good education sources online, and every SME will surely find one suitable to its needs. Basic tips include:
- Cover the main areas: how to recognize a phishing e-mail or an e-mail with a malicious link or attachment; why an unknown USB drive should not be plugged into any computer connected to the enterprise network; and why pirated software should not be installed.
- Do not forget to include basic physical security measures, like never leaving your laptop unattended, or locking devices when not in use.
- Consider testing your employees, and if you decide to do so, openly communicate it. After cyber awareness training, test them with a simulated phishing e-mail of your own making. If they fail, do not "name and shame" them, but educate them further.
- Collect feedback on the training process and act accordingly, further customizing it to your needs.
The purpose of these training activities is not to make every staff member a cybersecurity expert, but rather to provide a basic understanding of the actual, practical cyber-related risks, what the impact on the organization may be, and how staff behavior can affect the outcome. Training should be practical and periodic, tailored to the SME's specific conditions and needs.