Dec 14 2021

How SMBs Can Arm Employees to Defend Against Cyberattacks

When it comes to preventing phishing attacks, a little training goes a long way.

Small businesses may have tighter budgets and fewer employees, but they face many of the same cybersecurity risks as their larger counterparts.

The difference is that those threats — phishing attacks, ransomware and data breaches — cut deeper for small businesses. The National Cybersecurity Alliance found that a quarter of small and medium businesses that are affected by a breach file for bankruptcy, and 10 percent go out of business.

These high stakes push small businesses to ask themselves key questions around tackling these risks: “How can we invest in stronger security? Do we put our budget into fortifying our email software, or investing in endpoint security? What will help us spend our budget most strategically?”

The answers to these questions will vary, but they all need to include solutions for employees.

Give Your Employees the Tools They Need

Employees are often overlooked in security discussions, yet they are frequently on the front lines when a risk emerges, and the decisions that they make in those moments can determine whether a threat becomes a breach.

Your team represents a human firewall of sorts, and if that defense breaks down because a user clicked a questionable link in an email, it can undo a lot of the work you’ve put into protecting your organization. And while insider threats can be innocuous in nature, there is always the risk that what your employees do could be malicious.


There are technology tools that your organization can use to help mitigate some of the risks that your employees might run into on a daily basis, such as implementing multi-factor authentication and offering virtual private networks to help keep those employees secure even if they’re outside of the office.

But ultimately, a human problem needs a human solution, and proper training can mitigate these risks. Employees can create risks for organizations by not seeing that something is malicious, failing to detect risky behavior, or falling victim to social engineering schemes. By the time they figure it out, it could be too late.

End User Awareness Training Strategies

Building an effective training regimen is essential to your organization’s ability to protect itself from risks in the long run. A training program that works for a business of 20 employees may not work for a business of 200, and if your business is on a path to growth, what worked a year ago might not work now.

It comes down to what your employees are most engaged with and whether that strategy can scale. For some organizations, it might involve leaning on amusing videos that underline a broader point about security; for others, it might require the use of an automated tool to send fake phishing emails, something offered by providers like Mimecast, KnowBe4 and Proofpoint. These programs could involve IT and human resources, or they could be automated. Training isn’t a one-time lesson. A 2020 study from the advanced computing association USENIX found that employees often lose their attentiveness against phishing attempts after six months, meaning both new and existing employees need periodic refreshes.


Build Your Organization’s Security Failsafe

Tools that can highlight weaknesses in employee security awareness are important, but they should serve as a starting point. While training is critical, businesses need to have procedures in place if a threat gets through that training.

As a result, what you learn from your training sessions might be a prompt to look at some deeper solutions for fortifying your firewalls, both human and otherwise. For example, bringing in outside voices, such as CDW Cybersecurity Advisory Services, could help you bring more in-depth approaches, like penetration testing and technical assessments, to uncover gaps in your organization’s security infrastructure and close them.

Oftentimes, there’s a belief that people would never fall for a social engineering scheme — but then they do, and that's where the worst attacks come from.

Take steps to understand your risks now, before they become a bigger threat to your business.

This article is part of BizTech's AgilITy blog series. Please join the discussion on Twitter by using the #SmallBizIT hashtag.

