Cybersecurity Training Reduces Risk

Because humans are the greatest security vulnerability, organizations should educate employees to spot common forms of cyberattack.

Many small to midsize enterprises (SMEs) continue to operate under the misconception that they’re too small to be hacked. It turns out, however, that SMEs are attractive targets precisely because they’re small. Hackers recognize that small businesses don’t have the security resources of the Fortune 500. In addition, SMEs that have large corporations as customers are viewed as potential entry points into those bigger targets.

Despite the risks, few SMEs are prepared for cyberattack. A recent survey by Digital.com found that just 42 percent of SMEs have cybersecurity measures in place. Another 21 percent said they are in the process of developing and implementing a cybersecurity plan. However, 30 percent have no cybersecurity measures or plans to implement them. Of those with no security controls, 59 percent said they’re too small to be targeted by cybercriminals.

Small business owners and nonprofit leaders often say they don’t have the budget to maintain effective security controls. That’s a legitimate issue, although the cost of a security breach can be much higher. However, some of the most important steps that organizations should take will have minimal impact on the budget. Chief among these is emphasizing everyone’s role in effective cybersecurity and providing regular training to raise awareness.

The Human Factor

Cyberattacks continue unabated despite continued advancements in firewalls, antivirus software and other security technologies. That’s because humans are the weakest link in the security chain. The Verizon 2023 Data Breach Investigations Report found that 84 percent of cyberattacks exploit human beings as opposed to hardware and software vulnerabilities.

Email continues to be the top attack vector. According to research from Deloitte, 91 percent of cyberattacks are delivered via email. Hackers often use phishing techniques to lure employees into clicking links or opening attachments that launch malware infections. The 2023 State of the Phish report from Proofpoint found that more than 80 percent of organizations fell victim to at least one phishing attack in 2022.

Even employees who should know better are duped into opening malicious emails. Business executives and in-house IT personnel are among the biggest insider threats because they’re frequent targets and sometimes forget to stay vigilant. Everyone needs to be reminded frequently what these attacks look like.

Employees also need to understand why they must use long, complex passwords and have a different password for each system and account. They need to be aware of the risks associated with emailing sensitive business data or storing it on public cloud services such as Dropbox or iCloud. If they use their personal devices for work, they need to take basic security precautions and avoid using public Wi-Fi.

These may seem like commonsense steps, but people will take shortcuts with the rationale that they’re just trying to get their jobs done. Regular training helps make cybersecurity best practices part of the organizational culture.

What’s Your Policy?

Before implementing a security training program, organizations should develop a comprehensive set of cybersecurity policies that align with the organization’s goals, strategies and tolerance for risk. An acceptable use policy defines the organization’s IT resources and permissible ways employees can access and use them. Other policies should cover data protection, change management, remote access and mobile device use.

Security policies should guide the actions of everyone in the organization. They should be well-defined but flexible enough to respond to changes in the IT environment, workflows and organizational structure.

Organizations should also establish the roles, privileges and responsibilities associated with IT systems and data, and develop procedures for assigning and periodically reviewing roles and access rights. It’s important to err on the side of “least access” privileges — each individual should have only the access rights needed to do their jobs.

IT security policies shouldn’t be static documents in the HR manual — employees need to understand why the policies are in place and the steps they need to take to prevent a security breach. The security training program should include both an onboarding process for new hires as well as ongoing education to provide guidance on evolving security threats.

SMEs face resource limitations when it comes to IT generally and cybersecurity specifically. However, organizations of all sizes can dramatically strengthen their security posture by establishing security policies and training employees to follow best practices. Given the high risk of a cyberattack, few organizations can afford not to take these steps.
