Security awareness

Security Awareness & Training for Small Business

Brian Hickey
September 29, 2018 by
Brian Hickey

While it’s the attacks on well-known companies that make the headlines, the threat is just as worrying for small businesses. And the problem is made worse by many small business owners not believing they’ll be attacked, considering cybersecurity a lower priority than other business issues. In reality, they’re seen as a soft target for cybercriminals and an easier way of getting to the criminals’ bigger target: the small business’s corporate customers.

The financial cost of disruption and reputational damage, leading to customer loss, can be so severe it could threaten a business’s existence. This makes it even more surprising that many haven’t made cybersecurity part of their day-to-day business operations.

See Infosec IQ in action

See Infosec IQ in action

From gamified security awareness to award-winning training, phishing simulations, culture assessments and more, we want to show you what makes Infosec IQ an industry leader.

However, even for those that understand its importance, they claim protection is expensive — hiring the right technical skills and buying expensive training programs — and the whole subject complicated and difficult to understand. Most will deploy basic tech tools such as firewalls and antivirus programs, but these aren’t necessarily much good: the most common threat for small businesses is their employees being targeted by attacks like phishing, ransomware, watering holes and drive-by downloads. And the best way to address those is through regular awareness and training activities.

Fortunately, a lot can be done at low cost. Here are five tips for keeping your small business secure.

Appoint an Awareness Champion

Find someone inside the business who can take the lead on issuing awareness communications and delivering or coordinating basic training. They’ll only need to spend a few hours a week on it, little enough time to fit around their normal activities.

Using an insider also means you know and trust them, they know your business, and they’re already on the payroll and accounted for in the business plan.

Make Use of Free Resources

There’s a huge amount of free resources available, so look at those before you spend anything.

A couple of hours reviewing what’s out there is enough to compile a list of do’s and don’ts that are most relevant for your business, and to find basis awareness and training material. It’s time well spent and means you don’t buy anything you don’t need.

Online guides, such as those offered by the U.S. Small Business Administration and Homeland Security are credible, up-to-date and comprehensive, so consider starting there. Added to that are specialist cybersecurity training companies who publish regularly on every topic you could think of.

Local chambers run lunch-and-learn sessions, and there are webinars on YouTube, vendor or government sites if you prefer to watch and listen.

National Cybersecurity Awareness Month can be a good event to rally the business around and included as one element of your own internal awareness event. There are even printable posters and flyers that can help.

Prioritize Topics for Awareness and Training

Focus on the most common threats: password management, phishing and other email-based scams, file and data sharing, remote working and physical security (preventing devices from theft and securely storing documents). If you can cover all of those, you’ll have taken care of the basics.

Another way of reducing time and cost is by organizing awareness and training according to job responsibilities. Different roles have different skill levels and will be exposed to different threats, so don’t waste time telling employees what they know already or don’t need to know.

Consider External Help

If you’ve still got gaps after having exhausted the free resources and the capacity or capability of your awareness champion, think about outside help.

The term “consultant” often puts small business owners off because it usually means expensive, but some government-supported agencies have good advisors, at a much lower cost — free, in some places — than the private sector, so consider that as a first option.

Otherwise, look at suppliers who specialize in small business. Check costs and references and eyeball the advisor to make sure they’re a good fit for your business.

And remember: tech vendors will offer to help, but only if it results in you buying their products.

Use Online Training Tools

Online training tools are user-friendly, easy to access and cheaper than employing trainers, especially if you have a few offices. They’re also modular, so you buy what you need, and cater for different roles and skills levels.

Some products include phishing simulators for exposing employees to real-world examples without inviting real-world problems, and learner scorecards and dashboards to make it easy to check progress at individual, team or organization level. They’re easy to configure and cover metrics like planned and completed modules; score, pass rate; number of retakes.

Finally …

Be prepared. Awareness and training activities should include details of what staff need to do in the event of a breach. Your plans should spell out how employees should report a breach or near-miss, roles and responsibilities for recovery, and business continuity arrangements.

A business continuity plan is an established practice for bigger businesses but often forgotten for smaller businesses — now’s the time to make sure yours is ready to use.



Cyber threat is huge for small businesses, USA Today

Cybersecurity, U.S. Small Business Administration

Stop. Think. Connect., Homeland Security

Phishing simulations & training

Phishing simulations & training

Build the knowledge and skills to stay cyber secure at work and home with 2,000+ security awareness resources. Unlock the right subscription plan for you.

National Cybersecurity Awareness Month, Stay Safe Online

Brian Hickey
Brian Hickey

Originally a software engineer, Brian Hickey has worked with enterprise technology since the early 80s and held roles in sales, marketing and project management. Most recently he led large scale implementations in financial services where security and compliance were critical components of the delivered solution.