In small businesses, build a culture of security by harnessing the power of your employees

Small-business owners often don’t believe they are of interest to hackers, but half of all small- to medium-sized businesses were hacked in 2016.

Small-business owners often don’t believe they are of interest to hackers, but a recent Ponemon survey found that in 2016 half of all small- to medium-sized businesses were hacked. Those are businesses with under 100 employees and less than $50 million in annual revenue.

Protecting your business against cyberattacks is a good news, bad news proposition. The good news is that almost all businesses are running some form of malware/anti-virus protection. The bad news is that 53 percent of you are using free tools designed for home, not commercial, use.

Even if you have chosen stronger tools — like Symantec or Sophos — they only stop about 75 percent of malware and infected emails.

The fact is that no technology system can succeed alone. True security is three-pronged:

  1. Hardware, like firewalls and segmented networks, and edge systems with intrusion detection.
  2. Software, such as anti-virus and malware detection, and email-filtering systems with learning algorithms.
  3. Humanware, often neglected but the most critical of the three. No amount of technology, regardless of the cost, can protect a business from an authenticated user who clicks, opens, or installs something they shouldn’t.

Security is not an IT problem. It is a business problem.

Building a Cyber-aware Culture

An awareness workflow, training, testing, and a rewards program are all parts of the process needed to fully involve your employees in protecting your business.

  • Workflow. Your staff are going to get malicious emails, and they may click on something they shouldn’t. They must know the basics, know whom to notify, and feel safe admitting that they made a mistake. There must also be a process to quickly isolate the threat and remediate the problem. A final part of the workflow is notifying others of the threat: an email that reaches one of your employees will almost certainly go to others.
  • Training. Do not assume everyone knows how to identify risky emails. The 2016 Verizon Data Breach Report evaluated data from 8 million sanctioned email tests and found 30 percent of bad emails were opened and 12 percent of employees opened the attachment or link. Assuming they aren’t trying to hurt the business, they must not be recognizing the threats. Training can help, either through online programs or even a quarterly lunch that reviews threats your business has seen over the period.
  • Testing. Many businesses regularly test their employees by sending random bad emails to see how many will click. This should not be a punitive exercise, but a training opportunity.
  • Reward. The Verizon report found that fewer than 3 percent of employees who got a malicious email via sanctioned testing alerted management. That’s a very low rate. Employees need to know why it matters, that an attack is rarely focused on only one employee, and that the company will act quickly to warn others. For their efforts, employees should get some reward. Recognition does matter to employees. In a hectic and demanding world of work, who doesn’t love a public pat on the back?

Although all of this seems expensive, it isn’t as expensive as you might think, especially when it is factored against the costs of ransomware, data breaches, or remediation.

For more information, have a look at the article on our BACKS program, which looks at the complete picture: knowledge, understanding, attitude, motivation and behaviour.
