One of the most common misconceptions about cybersecurity is that small- and medium-sized businesses (SMBs) don’t need to worry about cyber-threats or attacks. This is simply untrue. Over the last few years, more than 70 percent of the organizations that have lost money to cyber-crime have been SMBs. Make no mistake: small businesses are a big target. There are many reasons for this, but one of the most prominent is a lack of training and awareness among employees. People are the biggest threat to an organization’s security, but you can also make your people your first line of defense.
Every person – from the President, CEO, and Chairman of the Board to the custodians, cashiers, and administrators – should receive cybersecurity training and be held accountable for following all security policies. It is important to note that almost half of the losses associated with cyber-crime have been attributed to insider fraud and carelessness.
Given how widespread the use of personal devices is among employees, on and off company premises, BYOD security policies must be addressed as well. This is particularly true when employees use personal devices to conduct company business, including accessing work email accounts. Any device that connects to company systems and accesses business data, even sporadically, can be targeted by cyber-criminals and should be subject to the same explicit security requirements (and the same enforcement) as company-owned equipment.
Employees need to understand not only what the risks are but why training is so critical. Most millennials and post-millennials are well-versed in the use of technology, but even the savviest tech user can be tricked into opening the phishing email or attachment that delivers ransomware. And most people are unaware of how common cyber-attacks are in today’s business world.
Employees cannot avoid, or help address, what they do not understand and recognize. Whether the risk is a phishing email, malware, ransomware, out-of-date software, or the use of unapproved applications, employees must be taught to recognize and report suspicious activity, to avoid clicking on unexpected links or opening unexpected attachments, and to think before they click. Threats are far more likely to be handled properly, or avoided altogether, when employees are trained routinely. It is therefore critical to make cybersecurity training an integral part of the onboarding process and an ongoing practice throughout an employee’s tenure. This training should cover the basics of current threats as well as information on emerging ones.
The following elements should be a part of both initial and ongoing training:
None of these measures is terribly difficult; none of them is particularly time-consuming; none of them is overly burdensome; all of them are critical. Given the rise in cyber-attacks over the last decade and, especially, the recent coordinated, worldwide ransomware attack, not providing cybersecurity training to employees is not an option for any company that wants to survive and flourish. Of all expenditures that do not generate revenue directly, this is one of the most fundamental and unavoidable. It cannot be ignored.
While thinkCSC believes that employees will always be the first line of defense against ransomware attacks, the only real solution is for leaders of organizations and businesses of all sizes to invest in stronger IT security that includes offsite backup and a recovery process that is actually tested. These protections, combined with ongoing staff training, strict security policies, and constant vigilance, are an absolute necessity in today’s cyber-environment.
For new customers interested in information on obtaining our services, please contact us at email@example.com.