How security awareness training protects small enterprises

Posted by punzalan at 2020-03-01

Small businesses are gradually adopting information technology in their business processes, but often without doing so securely. Seeing larger, more profitable organizations get attacked, they assume that adversaries will not bother targeting them. As a result they skip important measures such as security awareness training, which leaves them firmly in the grip of cyber criminals.

In many ways small companies take on more risk than large ones, because an adverse event can be very expensive for them. According to statistics from the US National Cyber Security Alliance, 60% of small businesses cannot keep operating for more than six months after a cyber security breach. Adversaries attack them to steal information such as customer identities, bank records and even intellectual property.

Common events leading to data loss and security breaches include employees reusing credentials across multiple websites, downloading malicious e-mail attachments, using social networks, losing devices that hold confidential data, and inadvertently giving out sensitive information over the phone. Security awareness training therefore deserves far more attention as a way to prevent this kind of incident.

Why do small businesses need security awareness training?

Small businesses face severe challenges. Owners often find that they don't have enough money to invest in strong security systems. Resources are limited, and their IT departments are nowhere near the size of those in large organizations. Fortunately, building a culture of security awareness is within their reach.

For small enterprises, security awareness training is a prerequisite for preventing both non-technical and technical intrusions. By ensuring that people are managed securely from top to bottom, small companies can maintain the confidentiality of their most valuable assets. Security awareness also delivers the following:

Regulatory compliance: as regulations such as Sarbanes-Oxley and PCI recognize, human beings are the weakest link in information security. Security awareness training ensures full compliance with these regulations.

Customer trust: consumers are skeptical of companies' commitment to data security, having been overwhelmed by a constant stream of data breach headlines. Security awareness training motivates employees who handle PII to do everything possible to protect customers' personally identifiable information.

Cost reduction: a Kaspersky Lab survey shows that on average a small business needs to spend $38,000 to recover from a data breach, and the figure is higher once reputational loss and indirect costs are taken into account. Security awareness training ensures that companies are prepared to prevent this; seen as an investment, it can save a lot of money.

Clearly, actively making employees security-aware is one of the best things small companies can do to protect their own assets and reputation.

What risks and threats do small businesses face?

Small businesses attract cybercriminals because they lack the level of security that large organizations can implement to reduce threats. Here are the security challenges they face:

Spear phishing: adversaries use techniques such as BEC (business email compromise) and deception to send forged emails. They impersonate a trusted supplier, business advisor or financial institution to appear legitimate. In the past few years, phishing attacks on small companies have increased dramatically.

Ransomware: malware installed on business systems that completely locks out authorized users. The adversary encrypts the data, making it inaccessible, and then demands cash to restore access. Ransomware is usually delivered through downloads and attachments. Depending on how important the blocked data or systems are to the company, an attack can paralyze operations.

BYOD-based penetration: as more and more small enterprises adopt BYOD, the risk exposure from software downloaded through personal apps and from Trojans arriving over unencrypted network connections increases. This usually happens when company personnel use their personal devices to access business information over public WiFi, share data through third-party applications, or neglect to change account passwords.

Ignorant or malicious employees: this is the root cause of most security threats faced by small businesses. Employee ignorance or malice leaves your plans, business information, payment details, customer information and more vulnerable to attack. Typical ignorant or malicious behavior includes visiting illegal or insecure websites, installing applications from unauthorized sources, and using weak passwords.

Security awareness training is essential to reduce the risk from these threats.

How does a small company build a security awareness program?

A security awareness program is essential to stop treating security as a one-time implementation against threats and instead establish a universal, proactive security culture in which people can identify risks and make appropriate decisions. Here's how small businesses can create a security awareness training program that involves everyone.

1. Assign roles and hold people accountable

Role-based security awareness training cuts across the whole business. Training should match the different roles and responsibilities. For example, managers should understand security needs and take responsibility for encouraging employee awareness, while employees should play an important role in protecting company data and privacy. Security awareness training at the employee level may cover identity theft and spotting suspicious messages.

2. Personalize where possible

The best way to convey security awareness is to instill it into the company's culture in a personalized way. Work with your IT department to translate security jargon into simple guidelines that everyone can easily follow. Another thing you can do is teach employees about security risks through real-life examples. If you are concerned about weak password practices, use real-world analogies to help employees connect with good password practice training. For example, a strong password protects confidential information just as a strong immune system protects the body from disease.

3. Reinforce secure behaviors

The core of security awareness training is continuously improving secure behaviors. Use communication tools like Slack and Google Hangouts to communicate about security behavior frequently. For example, you can flag the danger of connecting to an unsecured WiFi network on Slack, or use a simple calendar reminder to send security notifications when needed.

4. Establish metrics to assess security awareness training

Metrics need to be developed to measure the success of a security awareness training program; they will vary with the type and level of training. For example, a reduction in system downtime and e-mail fraud indicates that employees have a better understanding of security threats and social phishing. You can use performance evaluation and behavior tracking to see whether the security awareness program has been set up successfully.

Establishing a mature security awareness program will reduce the risk of unauthorized access and theft of business information by competitors.

Security awareness resources for small enterprises

Every small business is different and there is no single way to build a security awareness program. However, the following resources contain some useful tips and pointers that will give you a clear idea.

PCI Security Standards Council: this resource gives small businesses awareness of how to protect payment card data, the transactions on which small businesses rely. It offers a variety of guides for small businesses.

NCSA (National Cyber Security Alliance): NCSA provides resources to help protect your business from cyber attacks, privacy violations and other threats.

Barry Horne training: BH training offers a dedicated security awareness course for small businesses. Students learn how to protect the most valuable business data from the common security threats small businesses face. The course is written in non-technical language.

Final thoughts

With the security awareness training sector expected to exceed $10 billion over the next 10 years, it's time for small businesses to make security awareness training an essential part of their threat prevention strategy. The guidelines and resources above point the way to measures that protect confidential information, so that you do not look like an easy target to adversaries.

Original link:

This article was translated by the Kanxue (看雪) translation team.
