Jul 10 2025
Security

User Awareness Training Gives SMBs a Bang for Their Buck in Cybersecurity

Cybersecurity awareness training is the lowest of the low-hanging fruit for small and medium-sized businesses when it comes to cost-effectively achieving cyber resilience.

Cyberthreats are multiplying and getting more complex. No one is immune, and that includes small and medium-sized businesses. One in every three small businesses was hit by ransomware in 2024, according to Microsoft research. Most of those attacks were ransomware-based, according to Sophos, and many of them began as common phishing schemes.

For a small IT team with a big list of responsibilities, fighting the volume and sophistication of these attacks is not the easiest of undertakings. 

That’s where user awareness training shines. 


People Are the Front Line and the Most Common Point of Failure

Small businesses are often targeted by cybercriminals because hackers perceive them to be vulnerable targets. In some cases, hackers may also see SMBs as an easier potential avenue into bigger companies. 

It's not unusual for a 100-person company to have just a few folks in the finance office who receive and process most, if not all, invoices. If those people are targeted with a convincing fake invoice or a spoofed email from a vendor or customer, the odds of an error are high, especially if there’s no policy requiring a second verification step.

This is why awareness training is so critical. It teaches people to slow down, ask questions and verify. The most effective training programs are lightweight, recurring and tailored to staff. Rather than requiring a long information session once a year, provide 10-minute modules every month or quarter.

Cyberthreat simulations can also add value. For instance, tools from Trend Micro and Proofpoint offer phishing simulation campaigns where businesses can test their staff with real-world scenarios (such as department-specific phishing) and adjust based on the results. With AI-generated examples and platforms that support customization, these training opportunities become more relevant, and therefore more effective.


Policy and Process Matter Just as Much as Training

Cybersecurity awareness training doesn’t exist in a vacuum. It only works when paired with clear, enforced policies. In many ways, policies are the answer to the question, “What are we training them to do?” 

A great example of a policy at work would be treating email-based processes the way we treat account logins: with two-factor verification. In the same way that multifactor authentication protects your login, your workflow should have a second layer of verification. For instance, invoices over a certain amount should trigger a policy-mandated phone call or in-person confirmation.

Too often, small businesses fail to document workflows, let alone implement controls that govern them in accordance with a clear policy. When a request looks plausible enough, staff may default to trust rather than protocol, and that’s when things can go wrong. This constitutes the opposite of zero trust, a model in which no user or device is ever trusted by default.

Everyone from the finance department to marketing should know the red flags to watch out for and what steps to take if something feels off. Combine that with regular training, and you create not just cybersecurity awareness, but true cyber resilience.


Other Tools That Make a Difference Without Breaking the Bank

Beyond awareness and policy, small businesses need to know that there are affordable tools to support and enforce safer user behaviors, including:

  • Privileged access management. When attackers get in, the damage depends on which accounts they can reach. Shared administrator logins and reused passwords are common in small teams, making lateral movement easy for attackers. Vendors such as Fortinet offer low-cost PAM options to help prevent this.
  • Anti-phishing tools. Email gateways such as those from Check Point, Abnormal Security, Trend Micro and Mimecast offer much better protection than native operating system defenses. Blocking malicious email before it even hits the inbox is the best-case scenario.

It’s also worth noting that many cyber insurance policies require businesses to implement security controls such as PAM and MFA. Meeting those standards can sometimes lower premiums and, more important, prevent a situation where a claim is denied because a requirement has not been met.

Cybersecurity doesn’t necessarily have to be expensive to be effective, but it does need to be intentional. Training people, creating good policies and investing in a few critical safeguards can go a long way toward protecting even the smallest businesses from today’s increasingly sophisticated cyberthreats.
