Small companies prioritize cybersecurity training as they become more aware of the threat of attack and the harm that even a single breach can do.
Between 2020 and 2021, Microsoft saw a 300% increase in cyberattacks, with 50% of them targeting small enterprises. According to Hiscox, a small firm’s average cost of a cyber breach in 2019 was £11,000.
Hiscox also estimates that a small firm in the UK suffers a successful hack every 19 seconds. According to government data, phishing was by far the most common attack type in the year to March 2022 (83% of attacks), but one in five organizations also reported more sophisticated attacks such as denial of service, malware, or ransomware.
Here, we’ll look at the necessity for cybersecurity among remote workers and the appropriate training to provide them.
Why should I teach my home-working employees about cybersecurity?
First, cyber threats are increasing. The World Economic Forum has predicted that cyber risks will be one of the main problems facing companies over the next five years.
Small companies are tempted to think that, because they are small, they are not worth hacking. That attitude often means the company is unprepared and therefore an easy target. A data breach may also result in a fine from the Information Commissioner’s Office (ICO), adding insult to injury.
Perhaps the biggest threat to an organization is a loss of client confidence. According to RedSeal, 33% of businesses say they have lost clients because of a data breach, and another study found that 29% of businesses lose revenue following a data security breach. If your website is breached, for instance, customers may go to one of your rivals or leave a bad review.
Employees working over their personal home WiFi networks may not realize how exposed they are. They may not appreciate that other devices on the home network (a family laptop or an unpatched router, for example) can also put company data at risk.
No small company exists in a vacuum. According to Andy Robertson, director of Fujitsu Cyber Security at Fujitsu UK&I, “SMEs are also appealing since they are often used as a supply chain link to attack bigger organizations. These major companies are often important partners, suppliers, or clients; nonetheless, strong security procedures guarantee no connection is harmed.”
In-person or online training?
Though this may seem like an odd question for an article about home workers, it is worth some thought. The nature, size, and sector of your business will largely decide how you deliver training. A small staff might be best served by in-person training, whereas a tech team at an eCommerce company will need something more specialized.
At a glance, here are the pros and cons of in-person vs online training:
Pros of in-person training:
- Employees can ask questions
- Works well for small groups
Cons of in-person training:
- More expensive
- More difficult to arrange regular training
Pros of online training:
- More flexible for employees
- Access to a wider range of providers
- Easier to track employee progress
Cons of online training:
- Possibly less engagement with employees
- May not be able to get assistance out-of-hours
Whichever method you decide to go for, mix it up. Jason Stirland, CTO at DeltaNet International, believes that variety in training is crucial. “Businesses can implement a blend of microlearning (short five-minute courses) to gamified and interactive, scenario-led learning to engage employees,” he told Small Business.
What should be covered in cybersecurity training?
There should be basic training for everyone, with lessons that are easy to understand and delivered in smaller sections so that employees retain more information. Tailor any training beyond that so that it’s appropriate to the team being trained and how tech-savvy they are.
You have the option of carrying out the training yourself or hiring a third party. Of course, it’ll be cheaper to do if you have the expertise in-house and you can communicate with staff in a way that fits your business culture. That said, a third party would have professional training and experience, meaning they are less likely to have blind spots.
If you go for a third party, look for courses certified under the National Cyber Security Centre (NCSC) Certified Training scheme and delivered by experienced training providers. The content of these courses must map to the ‘knowledge areas’ of the Cyber Security Body of Knowledge (CyBOK). A list of certified providers at each level can be found on the NCSC website.
When looking for a training provider, make sure they cover:
- How to create a strong password
- What common attacks look like
- Signs that a device might be affected by suspicious activity
- What multi-factor authentication is and why it’s important
- Securing at-home internet and devices
Training providers should also cover basic guiding principles such as locking screens whenever staff step away, keeping devices somewhere safe when not in use, and using strong, unique passwords that are changed promptly if a compromise is suspected.
Make sure staff know how to report a cyberattack, and that they can do so without fear of reprimand: worry about punishment may stop them reporting it at all.
Training should even go beyond employee actions. Javvad Malik, the lead security awareness advocate at KnowBe4, said: “For home workers, employers should look to provide training not just for employees but give practical advice and awareness that can extend to all family members.” This could be keeping hardware safe from young children or teaching family members what a suspicious site or phishing attack looks like on their own devices. “Ultimately the goal isn’t to ensure people have undergone several hours of training, or that they are cybersecurity experts, but that they are equipped with the skills that allow them to make better risk decisions,” Malik said.
Regular simulation exercises, for example sending out a test phishing email, are an effective way to check that lessons stick. Keep track of how many employees reply, click the link, or report the email.
John Blackburn, operations director of Central Networks and Technologies, supports this approach. He said that it is possible to imitate a scam email and distribute it to the workforce, allowing employers to evaluate how exposed the company would have been in a real attack. This should be done regularly, since it helps determine whether more training is needed and which topic areas need focus.
It takes more than simply writing an email and waiting for responses. Nick Ross, a cybersecurity consultant at Trend Micro, advises considering separate campaigns aimed at different departments when deciding whom the training is for. Also decide what training you will run after a phishing campaign, how often you will run campaigns, and how you will record the results and track progress. Once you are up and running, Ross advises turning things up a notch: avoid patterns that are easy to spot, such as always sending on the first of the month or using the same template for three consecutive quarters. Keeping users guessing keeps the evaluation realistic.
Awareness of current trends helps here. Remember, Ross said, that you are imitating the villains, and attackers often capitalize on seasonal events: February, March, and April suit a tax-themed simulation, while November and December suit an e-commerce theme. Time your simulations accordingly.
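As an added example (not from the article or from any of the experts quoted above), here is a small Python script that turns a phishing-simulation event export into the per-department figures and campaign-to-campaign trend that Blackburn and Ross describe. The CSV layout, the sample rows, and the 30% click / 25% report thresholds are assumptions constructed for this illustration; a real simulation platform will export something similar. It deliberately reports department-level aggregates rather than ranking named employees, so the results feed follow-up training instead of the blame culture that discourages reporting.

```python
"""Score simulated phishing campaigns from a constructed event export.

Added example, not code from the original article. Log format, sample
data and thresholds are assumptions for illustration.
"""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample export (not real data): one row per event.
# Events: sent, clicked, submitted (typed credentials on the landing
# page), reported (used the report-phish button or told IT).
SAMPLE_LOG = """\
campaign,department,user,event
2024-Q1-tax,finance,alice,sent
2024-Q1-tax,finance,alice,clicked
2024-Q1-tax,finance,alice,submitted
2024-Q1-tax,finance,bob,sent
2024-Q1-tax,finance,bob,reported
2024-Q1-tax,sales,carol,sent
2024-Q1-tax,sales,carol,clicked
2024-Q1-tax,sales,dave,sent
2024-Q1-tax,sales,dave,clicked
2024-Q1-tax,sales,dave,reported
2024-Q2-parcel,finance,alice,sent
2024-Q2-parcel,finance,alice,reported
2024-Q2-parcel,finance,bob,sent
2024-Q2-parcel,sales,carol,sent
2024-Q2-parcel,sales,carol,clicked
2024-Q2-parcel,sales,carol,submitted
2024-Q2-parcel,sales,dave,sent
2024-Q2-parcel,sales,dave,reported
"""

VALID_EVENTS = {"sent", "clicked", "submitted", "reported"}


@dataclass
class Stats:
    """Users who reached each stage, deduplicated: two clicks by one
    person count once. A user may appear in several sets (clicked,
    then reported), which is worth knowing, so both are kept."""
    sent: set = field(default_factory=set)
    clicked: set = field(default_factory=set)
    submitted: set = field(default_factory=set)
    reported: set = field(default_factory=set)

    def rates(self):
        n = len(self.sent)
        if n == 0:  # nothing sent to this group: no meaningful rate
            return {"sent": 0, "click_rate": 0.0, "submit_rate": 0.0, "report_rate": 0.0}
        return {
            "sent": n,
            "click_rate": len(self.clicked) / n,
            "submit_rate": len(self.submitted) / n,
            "report_rate": len(self.reported) / n,
        }


def parse_events(text):
    """Return ({(campaign, department): Stats}, [campaigns in order seen])."""
    stats = defaultdict(Stats)
    campaigns = []
    for row in csv.DictReader(io.StringIO(text)):
        event = row["event"].strip().lower()
        if event not in VALID_EVENTS:
            raise ValueError(f"unknown event type: {event!r}")
        if row["campaign"] not in campaigns:
            campaigns.append(row["campaign"])
        getattr(stats[(row["campaign"], row["department"])], event).add(row["user"])
    return stats, campaigns


def summarise(text, click_threshold=0.30, report_floor=0.25):
    """Rates per (campaign, department) plus a needs_training flag.
    A department is flagged if too many clicked or too few reported.
    Thresholds are illustrative assumptions, not the article's."""
    stats, _ = parse_events(text)
    out = {}
    for key, s in sorted(stats.items()):
        r = s.rates()
        r["needs_training"] = r["click_rate"] > click_threshold or r["report_rate"] < report_floor
        out[key] = r
    return out


def click_rate_trend(text):
    """Change in click rate per department from the first campaign in the
    export to the most recent one. Negative means improvement."""
    stats, campaigns = parse_events(text)
    if len(campaigns) < 2:
        return {}
    first, last = campaigns[0], campaigns[-1]
    trend = {}
    for dept in sorted({dept for _, dept in stats}):
        if (first, dept) not in stats or (last, dept) not in stats:
            continue  # not targeted in both campaigns, so nothing to compare
        before = stats[(first, dept)].rates()["click_rate"]
        after = stats[(last, dept)].rates()["click_rate"]
        trend[dept] = round(after - before, 3)
    return trend


if __name__ == "__main__":
    for (campaign, dept), r in summarise(SAMPLE_LOG).items():
        flag = "  <- follow-up training" if r["needs_training"] else ""
        print(f"{campaign:16} {dept:8} sent={r['sent']} click={r['click_rate']:.0%} "
              f"submit={r['submit_rate']:.0%} report={r['report_rate']:.0%}{flag}")
    print("click-rate change, first -> latest campaign:", click_rate_trend(SAMPLE_LOG))
```

Run it as-is to see the sample figures; to use it on your own campaigns, export one row per event in the same four columns and pass the text to `summarise` and `click_rate_trend`. The report rate is the number to watch most closely: a department where clicks fall but reports stay low has learned to ignore suspicious mail, not to raise the alarm.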
Resources following training
It helps to have some permanent resources on hand that staff can consult whenever they need to. After the training sessions, give staff easily accessible printed guides. The NCSC suggests “How do I?” guides, such as “How do I create a strong password?”
It is also crucial to have a business continuity plan describing how the organization will keep running during an interruption such as a cyberattack, or when staff return to working from home. According to Lee Wall, co-founder and director of Everything Tech, these plans should define disaster recovery procedures and specific plans for how the firm will function in the short and long term.
If you want any more guidance on cybersecurity training for your remote workforce, check out the link below.