Image: Jaiz Anuar/Shutterstock

Who better to give advice about how small- or medium-sized businesses should handle cybersecurity than an organization and expert with currency in helping SMBs survive? Anete Poriete, UX researcher at CyberSmart, in her Real Business article, The Best Practises for Cybersecurity Training in SMEs (small- to medium-sized enterprises), said there’s a common misconception that SMBs aren’t aware of cybersecurity threats. She explained the real problem: “In reality, it’s not that SMEs aren’t aware of cybersecurity threats. It’s more that they’re unsure what to do about them.”

Editor’s note: In this column, when referring to small- or medium-sized businesses, SME is used when quoting the article by Poriete; in all other instances, SMB is used. 

Cybersecurity training tips for SMBs

SMBs run on tight budgets and cannot afford the latest and greatest cybersecurity technology, which, honestly, hasn’t been working that well for those who can afford it and have knowledgeable people to put the tech to work and maintain it.

Poriete said a better approach is staff training. With phishing attacks increasing and becoming more sophisticated and there being no effective technical means to prevent them, educating SMB owners and employees about the potential cybersecurity threats they face, recognizing a threat in real-time, and ultimately countering the threat seems like a better way to go.

SMB owners and their employees need practical training. Everyone is busy trying to keep the company afloat and make money. Poriete said she understands this and has tailored the following best practices to owners and employees of SMBs.

1. What is cybersecurity awareness?

SMB owners and staff may know what cybersecurity risks are making the rounds—phishing, for example—but do they understand why these risks matter to the organization and themselves? Do they know what’s required to reduce the risk? “It’s important to note that raising security awareness is the goal,” Poriete said. “Security communication, culture and training are different types of methods that can be used to help SMEs get there.”

Each company has to decide whether to develop the training in-house or find a consultant specializing in cybersecurity to recommend or create a training program specific to the company’s needs.

SEE: Security Awareness and Training policy (TechRepublic Premium)

2. Understand an SMB’s prior awareness about cybersecurity

Poriete makes a good point here, and it is one that is often overlooked. Before training begins, it is important to measure and understand the attitudes and behaviors of all employees who use internet-connected digital equipment. She added, “This includes what they do or don’t do to stay secure and what they know and understand about cybersecurity.”

3. Avoid a one-size-fits-all approach

Cybersecurity advice needs to be effective, and this is where a consultant is valuable. “No one enjoys lessons that feel irrelevant or too generic,” Poriete said. “With this in mind, most SMEs would benefit from advice about specific threats and vulnerabilities to their industry or organization.”

This practice is where understanding an SMB’s prior awareness about cybersecurity pays off. The person responsible for the assessment will address questions, locate existing knowledge gaps and adjust the training to raise awareness.

4. Make no room for fear

A good IT department does not use fear when advising users. Sadly, we all know that fear is a powerful motivator, and it is used often; however, the use of fear hampers correct action by users not wanting to get in trouble.

“There is strong evidence that fear-based appeals in cybersecurity communication can be counterproductive and ineffective in changing long-term behavior,” Poriete wrote. “Instead, appealing to a person’s confidence in their ability to practice secure behaviors successfully is more influential than fear and more likely to lead to long-term change.”

5. Create an ongoing and non-intrusive training program

Learning about cybersecurity can be complex, and instructors provide too much information more often than not. The person responsible for training must avoid overloading employees with information they’re unlikely to remember.

“Training shouldn’t be a one-off exercise but a regular activity to help maintain employees’ level of awareness,” Poriete said. “Think short, sharp exercises so as not to interrupt their core work or create security fatigue.”

Also, giving employees the ability to manage their training time or preferred learning method—for example, text or videos—is a helpful consideration.

SEE: How to manage passwords: Best practices and security tips (free PDF) (TechRepublic)

6. Measure the effectiveness of the training

Measuring training effectiveness is an important piece of the cybersecurity puzzle. “This will allow comparisons with initial assessments to measure the training’s effectiveness,” Poriete said. “This could include self-assessments, such as quizzes; or behavior observation and compliance monitoring.”

As important as measuring the effectiveness of the training, which is ongoing, should be ensuring that security assessments are also ongoing to have an accurate baseline.

Why security awareness training is important

Security awareness training will empower employees to behave more securely but only if the organization promotes a strong cybersecurity culture, along with practices and tools that employees understand and are willing to use. Poriete concluded: “Without all of these things working in tandem, an SME risks security fatigue, confusion, and, ultimately, weaker defenses against cyber threats.”

Learn more about Cybersecurity at TechRepublic Academy!