Small and medium-sized enterprises (SMEs) face an evolving range of security threats that can compromise operations, data, and reputation. Roland Singer, VP IT Services at Sharp Europe, believes that the key to protecting any business is regular security awareness training at all levels of the business.
SMEs have long been recognised as the engine room of the European economy. According to the European Commission, 99% of European businesses are SMEs, providing jobs to more than 85 million European citizens.
Technology is enabling these firms to grow faster, offer services across borders, and generally operate regardless of location. It therefore comes as no surprise that businesses across Europe are also more exposed than ever to becoming victims of cyber security breaches.
There are many reasons for this, as revealed in recent pan-European research carried out by Sharp Europe. They surveyed 11,000 SME employees and identified that 37% of UK workers do not feel prepared to spot and prevent a cyber threat at work. Equally, the rise of AI has increased employee fears around making a cybersecurity mistake at work.
An overwhelming majority (84%) of workers say they are more concerned about cybersecurity than they were a year ago, while 27% are more concerned about making mistakes at work that could lead to a cybersecurity attack than they were a year ago.
AI is making its presence felt in business beyond simply being a productivity tool. The survey found that growing concerns about cyber threats at work have been accelerated by the rise of AI, with 37% of UK SME employees not feeling confident they could spot and avoid a cyber threat at work. Digging deeper, the survey revealed that 34% believe that AI will make it more difficult to spot a potential cyber-attack, while 18% of employees would not be able to spot an AI security threat, such as a phishing email or message.
This makes for alarming news, especially as the same survey found that 3% of UK SME workers have received no security training from their employers in the last two years. Possibly even more worryingly, 16% have never received any training from their employer about these emerging cyber threats.
But what should organisations of all sizes be doing to ensure that employees are empowered to not only recognise but react in potentially threatening situations?
Why the Need for IT Security Training?
Technology is constantly evolving, so cybersecurity training should adapt at the same pace. Regular IT security training keeps staff updated on evolving cyber threats and builds a security-conscious culture, which is crucial since human error causes most security incidents. Furthermore, it helps SMEs protect sensitive data and prevent costly breaches that could impact their business, and so save jobs.
To this end, it is the responsibility of SME leaders to implement a robust cybersecurity training programme and update it on a regular basis. In doing so, they can maintain a higher standard of security awareness across their workforce that can be regularly adapted according to needs.
This may sound like a daunting challenge for many smaller organisations, especially those lacking their own internal IT operations, but there are clear steps any business can and should take to train its staff efficiently.
Creating a Security-Conscious Culture
The first, but maybe not the most obvious, is to develop a security-conscious culture. Employees are the lifeblood of any SME. They are also the frontline defence against cyber threats, but that digital defence is only as strong as an employee’s knowledge. Therefore, it is essential to create and maintain a culture where security is understood and respected openly within the business.
This ought to start with encouraging the reporting of potential security incidents in a safe and open way. Businesses should also look at how they recognise and reward security-conscious behaviour within the workplace. Equally, it is important that the leadership team visibly supports this emerging culture and actively gets involved with security training and staying abreast of the threat landscape.
In terms of upskilling staff and leadership, it is vital to develop a comprehensive training program, structured to cover all the essentials, from password management and data protection to phishing awareness and other potential threats. This program should be tailored to suit the needs of different roles and technical skill levels and, to be most effective, should be updated regularly to address emerging threats.
What Should IT Security Training Involve?
Once a comprehensive IT security training program has been developed, it should be a priority of the business to ensure all employees complete mandatory annual comprehensive security training within specified timeframes. Just as the program should be regularly updated, so should staff: beyond annual training, short refresher sessions at regular intervals, typically quarterly, ensure that employees stay engaged and informed.
Training need not be formal – no one wants to feel as though they are going back to school or forced into a learning environment. Instead, look to utilise online learning platforms with interactive modules, so that staff can work at their own pace without the feeling of being pressured to learn.
That said, training should be completed to regular deadlines and include practical demonstrations and hands-on exercises, as well as realistic simulations such as phishing tests and similar social engineering scenarios. Social engineering attacks can be sophisticated and may appear to come from a legitimate source asking the receiver to share sensitive information.
Ultimately, such training sessions should be tracked and measured for their effectiveness. The most effective way of doing this is via post-training assessments, and even monitoring things such as incident reporting. In this way, training can be better tailored to suit the workplace and the individual.
Sharp Security Awareness Training for SMEs
Cybersecurity training for employees may not be a new concept but, as the results of our survey found, it is often overlooked or not maintained. We believe that regular, ongoing training is essential to keeping security at the forefront of employees' minds and to addressing new threats as they arise.
That is why we introduced Sharp Cyber Security Awareness Training to reduce the complexity of IT security training within any business. Using a cloud-based training platform, it enables businesses to raise cybersecurity awareness and minimise the risk of successful attacks. With it, employees will find it easier to identify phishing emails and attack simulations, and to avoid clicking on potentially hazardous social engineering links.
To make ongoing training easier to access, we use a micro-training approach that does not sacrifice productivity. Bite-sized training modules can be completed in a matter of minutes and offer a solution that minimises disruption to work while keeping employees engaged and reinforcing their knowledge.
Sharp Security Awareness Training does not end there. Our service includes simulated phishing and social engineering attacks, tailored to the user and the organisation, to continually test users' understanding and the effectiveness of the training. By continuously measuring training completion rates and assessing individual performance, organisations can gauge the effectiveness of their training programs, as well as identify areas for improvement.
In conclusion, the success of any security awareness training program relies on giving employees the knowledge and skills to identify and respond to potential cyber threats. By prioritising security awareness training, organisations can start to create a security-conscious culture while at the same time protecting their sensitive data and intellectual property.
Contact us to find out more about Sharp Security Awareness Training and how we can help your business transform its greatest vulnerability into its greatest asset.