SMBs need to fortify their ‘human firewall’ with cybersecurity training
Effort should be ongoing, rather than one and done, and result in behavioral change
By Rodika Tollefson, ThirdCertainty
Lack of resources is one of the top barriers preventing small- and medium-size businesses from implementing cybersecurity training for employees. But smaller organizations have several advantages when it comes to training—and a much smaller training scope could have a bigger impact on preventing a data breach.
There’s no question that SMBs are vulnerable. Of 16,401 IT and IT security practitioners at small- and medium-size businesses surveyed by Ponemon Institute in 2016, 55 percent had experienced a cyber attack at their organization in the past 12 months. The study, sponsored by Keeper Security, also found that 50 percent had a data breach involving customer and employee information in the same period.
“SMBs are starting to realize they need to do awareness training as a standard best practice to make sure the bad guys don’t get in,” says Stu Sjouwerman, founder and CEO of security-awareness training company KnowBe4. “[Training is] a fast-growing trend.”
Growing awareness of problem
KnowBe4’s own growth supports this notion. The company, whose platform also offers simulated phishing attacks, saw 260 percent year-over-year growth in the first quarter of 2017, and similar growth in 2016. A big portion of business is coming from smaller companies.
The “human firewall,” as Sjouwerman calls it, adds a layer of security in defending against threats. Yet, despite the growing interest, businesses of all sizes are still trying to catch up, according to a recent survey from ESET, a vendor of internet security software.
Of the more than 400 individuals surveyed by ESET, 33 percent said they had not received any form of cybersecurity training at work.
“[That] is worrying because we know it only takes one person who’s a weak link in security awareness to compromise the organization,” says Stephen Cobb, senior security researcher at ESET.
Refresher courses necessary
The number is better than five years ago, when a similar ESET survey found that 68 percent of respondents didn’t receive any security training at work. Still, many companies don’t make that training recurring. According to this year’s survey, 45 percent of respondents felt their awareness stayed the same rather than increased, while 8 percent felt it actually decreased.
“Cybersecurity training is not something you do once and that’s it,” Cobb says. “It’s information that drops from our consciousness, so it needs to be refreshed.”
Interest in ESET’s free cybersecurity training, launched in May, also indicates a growing demand. More than 1,000 businesses signed up within the first month, according to Cobb.
Training well-suited to SMBs
Small businesses have an advantage due to their size, Cobb says, because it’s much easier to quickly train everyone in basics. It’s also easier to change the culture in a small organization, says John LaCour, founder and chief technology officer at PhishLabs, a provider of security-awareness training and phishing protection.
“Larger organizations have more variation in security awareness maturity across the employee base and have to invest more time and effort to get everyone to meet a consistent baseline of security awareness,” LaCour says.
Another SMB advantage comes from the closer connection of each employee to the bottom-line impact, says Jeremy Wittkop, chief technology officer at managed security services provider InteliSecure.
“Employees in very large organizations have difficulty in recognizing how their individual actions could have an impact on such a large entity,” he says.
Long-lasting behavioral effects
In contrast, in smaller organizations, a good training program that speaks about business risk and how employees can mitigate it “is more likely to correspond to a behavioral change.”
And behavioral change is what a training program aims for. Take the example of South Dakota Network, whose ongoing training for about 160 employees includes monthly simulated phishing attacks. The first time SDN used KnowBe4 to send a simulated phishing email, 3.7 percent of employees clicked on it; the second test had a 1 percent “failure rate,” which translated to just one employee.
Sjouwerman says, on average, the initial percentage of employees who fall for the simulated phishing email is much higher than the SDN example—about 16 percent, based on aggregated data from 300 KnowBe4 customers. Over a 12-month span of continuous training, that rate drops to about 1 percent.
“It needs to be an ongoing effort, an ongoing internal campaign,” he says.
An effective program needs to train users to avoid specific risky or undesirable behaviors identified by the organization, Wittkop notes.
“The organization can then monitor after the training to observe whether or not the training corresponds to a reduction in risky or undesirable behavior,” he says.
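One way to do the kind of post-training monitoring Wittkop describes, for the specific behavior the SDN numbers above measure (clicking a simulated phishing email), is to keep per-campaign results and score them over time. The script below is an added example, not code from the article or from KnowBe4, PhishLabs, InteliSecure or any other vendor quoted here. Its record format, the ten user names and the three monthly campaigns are constructed for the illustration. It computes the click rate and report rate for each campaign, checks whether the click rate is falling, and lists users who clicked in more than one campaign so they can be given follow-up training.

```python
"""Score simulated-phishing campaigns over time (added example, constructed data).

Each record is (campaign_month, user, outcome); outcome is "clicked",
"reported" or "delivered" (received the email and did nothing).  The
format is an assumption for this example, not any vendor's export.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class CampaignStats:
    month: str
    targeted: int
    clicked: int
    reported: int

    @property
    def click_rate(self) -> float:
        """Fraction of targeted users who clicked (the 'failure rate')."""
        return self.clicked / self.targeted if self.targeted else 0.0

    @property
    def report_rate(self) -> float:
        """Fraction of targeted users who reported the email to IT."""
        return self.reported / self.targeted if self.targeted else 0.0


# Constructed sample: a fictional ten-person company, three monthly campaigns.
USERS = ["alice", "bob", "carol", "dave", "eve",
         "frank", "grace", "heidi", "ivan", "judy"]


def _campaign(month, clicked, reported):
    """Build one campaign's records; every user is targeted each month."""
    def outcome(user):
        if user in clicked:
            return "clicked"
        if user in reported:
            return "reported"
        return "delivered"
    return [(month, user, outcome(user)) for user in USERS]


SAMPLE_RESULTS = (
    _campaign("2017-03", {"bob", "dave", "frank", "ivan"}, {"alice", "carol"})
    + _campaign("2017-04", {"dave", "ivan"}, {"alice", "bob", "carol", "grace"})
    + _campaign("2017-05", {"dave"}, {"alice", "bob", "carol", "frank", "grace", "ivan"})
)


def campaign_stats(records):
    """Aggregate per-campaign counts, counting each user once per campaign."""
    per_campaign = defaultdict(dict)  # month -> {user: outcome}
    for month, user, outcome in records:
        per_campaign[month][user] = outcome
    stats = []
    for month in sorted(per_campaign):
        outcomes = per_campaign[month].values()
        stats.append(CampaignStats(
            month=month,
            targeted=len(per_campaign[month]),
            clicked=sum(1 for o in outcomes if o == "clicked"),
            reported=sum(1 for o in outcomes if o == "reported"),
        ))
    return stats


def repeat_clickers(records, min_clicks=2):
    """Users who clicked in at least min_clicks distinct campaigns."""
    months_clicked = defaultdict(set)
    for month, user, outcome in records:
        if outcome == "clicked":
            months_clicked[user].add(month)
    return sorted(u for u, months in months_clicked.items()
                  if len(months) >= min_clicks)


def trend_is_improving(stats):
    """True when the latest click rate is below the first campaign's rate."""
    return len(stats) >= 2 and stats[-1].click_rate < stats[0].click_rate


if __name__ == "__main__":
    stats = campaign_stats(SAMPLE_RESULTS)
    for s in stats:
        print(f"{s.month}: {s.targeted} targeted, "
              f"click rate {s.click_rate:.0%}, report rate {s.report_rate:.0%}")
    print("improving:", trend_is_improving(stats))
    print("needs follow-up training:", repeat_clickers(SAMPLE_RESULTS))
```

Tracking the report rate alongside the click rate matters: a falling click rate with a flat report rate usually means people are ignoring suspicious mail rather than escalating it, which is the weaker of the two behaviors to have trained in.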
Beyond the basics
While basic awareness like ESET’s free training could serve as a baseline, Cobb says employees who touch certain levels of data, as well as managers and executives, need the next level of training.
Sjouwerman recommends that a program be run by IT rather than human resources. If the organization plans to do simulated phishing, he also advises making sure the platform integrates with the network’s Active Directory.
LaCour’s advice is to look for an experienced partner who can launch a program quickly with fewer mistakes and less risk.
“There’s far more to running a good awareness program than simply buying training content or a platform,” he says, “and there are landmines you’ll want to avoid stepping on.”
More stories related to employee security training:
Effective employee training helps take human factor out of cyber breaches
Organizations turn to in-house training to close cybersecurity skills gap
Security awareness training gets a much-needed reboot