SMBs need to fortify their ‘human firewall’ with cybersecurity training

Effort should be ongoing, rather than one and done, and result in behavioral change


Lack of resources is one of the top barriers preventing small- and medium-size businesses from implementing cybersecurity training for employees. But smaller organizations have several advantages when it comes to training—and a much smaller training scope could have a bigger impact on preventing a data breach.

There’s no question that SMBs are vulnerable. Of 16,401 IT and IT security practitioners at small- and medium-size businesses surveyed by Ponemon Institute in 2016, 55 percent had experienced a cyber attack at their organization in the past 12 months. The study, sponsored by Keeper Security, also found that 50 percent had a data breach involving customer and employee information in the same period.

“SMBs are starting to realize they need to do awareness training as a standard best practice to make sure the bad guys don’t get in,” says Stu Sjouwerman, founder and CEO of security-awareness training company KnowBe4. “[Training is] a fast-growing trend.”

Growing awareness of problem

KnowBe4’s own growth supports this notion. The company, whose platform also offers simulated phishing attacks, saw 260 percent year-over-year growth in the first quarter of 2017, and similar growth in 2016. A big portion of business is coming from smaller companies.

The “human firewall,” as Sjouwerman calls it, adds a layer of security in defending against threats. Yet, despite the growing interest, businesses of all sizes are still trying to catch up, according to a recent survey from ESET, a vendor of internet security software.

Of the more than 400 individuals surveyed by ESET, 33 percent said they had not received any form of cybersecurity training at work.

“[That] is worrying because we know it only takes one person who’s a weak link in security awareness to compromise the organization,” says Stephen Cobb, senior security researcher at ESET.

Refresher courses necessary

The number is better than five years ago, when a similar ESET survey found that 68 percent of respondents didn’t receive any security training at work. Still, many companies don’t make that training recurring. According to this year’s survey, 45 percent of respondents felt their awareness stayed the same rather than increased, while 8 percent felt it actually decreased.

“Cybersecurity training is not something you do once and that’s it,” Cobb says. “It’s information that drops from our consciousness, so it needs to be refreshed.”

Interest in ESET’s free cybersecurity training, launched in May, also indicates a growing demand. More than 1,000 businesses signed up within the first month, according to Cobb.

Training well-suited to SMBs

Small businesses have an advantage due to their size, Cobb says, because it’s much easier to quickly train everyone in basics. It’s also easier to change the culture in a small organization, says John LaCour, founder and chief technology officer at PhishLabs, a provider of security-awareness training and phishing protection.

John LaCour, PhishLabs founder and chief technology officer

“Larger organizations have more variation in security awareness maturity across the employee base and have to invest more time and effort to get everyone to meet a consistent baseline of security awareness,” LaCour says.

Another SMB advantage comes from the closer connection of each employee to the bottom-line impact, says Jeremy Wittkop, chief technology officer at managed security services provider InteliSecure.

“Employees in very large organizations have difficulty in recognizing how their individual actions could have an impact on such a large entity,” he says.

Long-lasting behavioral effects

In contrast, in smaller organizations, a good training program that speaks about business risk and how employees can mitigate it “is more likely to correspond to a behavioral change.”

And behavioral change is what a training program aims for. Take the example of South Dakota Network, whose ongoing training for about 160 employees includes monthly simulated phishing attacks. The first time SDN used KnowBe4 to send a simulated phishing email, 3.7 percent of employees clicked on it; the second test had a 1 percent “failure rate,” which translated to just one employee.


Stu Sjouwerman, KnowBe4 founder and CEO

Sjouwerman says, on average, the initial percentage of employees who fall for the simulated phishing email is much higher than the SDN example—about 16 percent, based on aggregated data from 300 KnowBe4 customers. Over a 12-month span of continuous training, that rate drops to about 1 percent.

“It needs to be an ongoing effort, an ongoing internal campaign,” he says.

An effective program needs to train users to avoid specific risky or undesirable behaviors identified by the organization, Wittkop notes.

“The organization can then monitor after the training to observe whether or not the training corresponds to a reduction in risky or undesirable behavior,” he says.

Beyond the basics

While basic awareness like ESET’s free training could serve as a baseline, Cobb says employees who touch certain levels of data, as well as managers and executives, need the next level of training.

Sjouwerman recommends that a program be run by IT rather than human resources. If the organization plans to do simulated phishing, he also advises making sure the platform integrates with the network’s Active Directory.

LaCour’s advice is to look for an experienced partner who can launch a program quickly with fewer mistakes and less risk.

“There’s far more to running a good awareness program than simply buying training content or a platform,” he says, “and there are landmines you’ll want to avoid stepping on.”
