Security threats in the form of scams and misrepresentation have existed since the first wheel was sold shortly after it was invented. In today’s world, these threats have been ‘technologized’ into forms such as ransomware, phishing, and smishing (Michigan AG warns of new text messaging scams called ‘smishing’). And while technology solutions have for the most part kept pace, it is still the people running the business who make the real difference, and they require proper training and development to operate at their best.

Security awareness training for employee education—i.e. empowering users to make more savvy IT decisions in their daily routines—is typically passed over because of budget, lack of in-house expertise, and the general lack of high-quality, low-cost, computer-based training. In particular, small- to medium-sized businesses (SMBs) have suffered from these constraints, compared to larger, more resource-rich organizations.

As recently as August of 2017, a Better Business Bureau study on the State of Cybersecurity revealed that almost half of SMBs with 50 employees and under regard security awareness training among their top 3 security expenditures, alongside firewalls and endpoint protection.

This increase in interest and budget allocation for end user education is understandable. In the year prior to the study, more than 1 in 10 businesses on average had experienced a ransomware or data loss breach, facing $80,000 in annual losses.

Quick Tip: Pick up the phone
If an email looks phishy, call the sender personally using their official phone number, not a number listed in the email, and add phone verification to your payment/wire transfer process.

Today, it’s clear that end user education is a good business investment. Users are the front lines of your business, and even the most advanced security can’t stop them from willingly, if unwittingly, handing over sensitive access credentials.

Start out with a Phishing Campaign

Consider starting your security awareness program with a simulated phishing campaign. Use the first phishing campaign as your baseline to gauge the level of awareness your end users already have. We recommend using a template that mimics an internal communication from HR or the IT department to get the most eyes on the email. For early campaigns, it’s also a good idea to use a “404 Page Not Found” template so users who fall for the phishing lure are unaware. This will help keep water cooler talk to a minimum, giving you a more accurate baseline. After that, be sure to link your phishing campaigns to training pages and courses to maximize the training opportunity.

Share results with End Users

Try capitalizing on everyone’s engagement by sharing an overall statistical report, so users can recognize whether they clicked or avoided the phishing lure, without fear of embarrassment. Use this feedback to inspire smarter habits. A key objective for security awareness training is to engage end users and raise the level of cyber awareness throughout the organization.

Continuous Training: Set up your phishing and training program

There is no one-size-fits-all program, but we recommend running at least one to two phishing campaigns per month and a minimum of one to two training courses per quarter. Continuous training programs reinforce key principles at regular intervals, helping to build “muscle memory” and allowing users to convert suggested cybersecurity best practices into practiced habits. Learning Science has shown this to be an effective approach if knowledge retention is a goal (and it should be if you wish to maximize your training efforts and expenditures).
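As an added example (not code from the original post), this Python script turns constructed results from a baseline campaign and two monthly follow-ups into the kind of overall statistical report described above: per-campaign click and report rates, a department breakdown that is withheld for groups too small to keep individuals anonymous, and the drift in click rate from the baseline. The export format, department names and the MIN_GROUP threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample export from three simulated campaigns (not real data).
# One entry per (campaign, department); each character is one recipient:
# c = clicked the lure, r = reported the email, - = neither.
SAMPLE = [
    ("2017-09-baseline", "Finance", "cc-r"),
    ("2017-09-baseline", "IT", "-r"),
    ("2017-09-baseline", "Ops", "c"),
    ("2017-10", "Finance", "c--r"),
    ("2017-10", "IT", "rr"),
    ("2017-10", "Ops", "-"),
    ("2017-11", "Finance", "-r-r"),
    ("2017-11", "IT", "rr"),
    ("2017-11", "Ops", "r"),
]
MIN_GROUP = 3  # assumed threshold: withhold department slices smaller than this

def expand(sample):
    """One (campaign, dept, clicked, reported) row per recipient."""
    return [(camp, dept, ch == "c", ch == "r")
            for camp, dept, outcomes in sample for ch in outcomes]

def summarise(rows, min_group=MIN_GROUP):
    """Per-campaign click/report rates plus department breakdowns, which are
    withheld (None) when the group is too small to keep individuals anonymous."""
    tallies = defaultdict(lambda: defaultdict(lambda: [0, 0, 0]))  # dept -> [sent, clicked, reported]
    for camp, dept, clicked, reported in rows:
        t = tallies[camp][dept]
        t[0] += 1
        t[1] += clicked
        t[2] += reported
    report = {}
    for camp in sorted(tallies):  # names start with YYYY-MM, so sorted order is chronological
        depts = tallies[camp]
        sent, clicked, reported = [sum(t[i] for t in depts.values()) for i in range(3)]
        entry = {"sent": sent, "click_rate": round(clicked / sent, 3),
                 "report_rate": round(reported / sent, 3), "departments": {}}
        for dept, (s, c, r) in sorted(depts.items()):
            entry["departments"][dept] = None if s < min_group else {
                "sent": s, "click_rate": round(c / s, 3), "report_rate": round(r / s, 3)}
        report[camp] = entry
    return report

def trend(report):
    """Change in click rate of each later campaign relative to the first (baseline) one."""
    names = list(report)
    base = report[names[0]]["click_rate"]
    return {n: round(report[n]["click_rate"] - base, 3) for n in names[1:]}
```

Call summarise(expand(SAMPLE)) for the shareable per-campaign figures and trend(...) on that result for the change since the baseline; a rising report rate alongside a falling click rate is the signal the continuous program is working.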

When you start seeing the significant impact that relevant, high-quality, and proven security awareness education has on your employees, you’ll wonder how your business ever managed without it.

Red Road Networks is an innovative leader in the Information Technology and Managed Service Provider (ITSP & MSP) industry. We are a proud partner of Webroot, a provider of advanced endpoint protection, a key piece of our layered security service for business.