Small and Medium Business Training in 2021

In 2021, the reality is that any organisation has the potential to fall victim to an information security attack. Though there are many technical measures that can be taken to help mitigate this risk, it is invariably the practices and behaviours of employees which serve as an organisation’s ‘weak link’.

With attackers and malicious actors utilizing a variety of tactics to target weak spots in your organisation’s networks and systems, your staff’s security awareness plays an enormous role in defending information assets.

Key Information and Cyber Security Statistics

  • In 2020, almost half of businesses (46%) and a quarter of charities (26%) report experiencing cyber breaches or attacks within the previous twelve months.
  • The number of insider-caused cyber security incidences has risen by 47% since 2018, with the average annual cost of insider threats increasing to £8.32 million.
  • Organisations spend around £2.9 million recovering from security incidents, with malware recovery costing a shocking £3.4 million.
  • According to UK government research, in 2020, 82% of businesses experienced phishing attacks against their organisation.
  • 77% of all UK workers have never received any form of information security training from their employer.

Why Invest in Information Security Awareness Training?

With employees and teams now working increasingly remotely, as well as mounting threats such as phishing attacks and intellectual property theft, one thing that remains a constant in this shifting landscape is the value of having an educated and informed staff.

From issues such as compliance (e.g., UK General Data Protection Regulation), to defending against information security attacks, awareness training should be considered an essential for any SME operating in 2021.

One fact that should stand out to any organisation, SME or otherwise, is that 91% of all cyber attacks begin with a simple phishing email. An easily detectable and avoidable threat vector that relies entirely on employees not having the skills to mitigate such a basic risk.

By investing in information security awareness training, your entire organisation will not only be better equipped to defend against information security threats and attacks but will also be demonstrating to clients and potential customers a dedication and commitment to ensuring robust information security.

Essential Information Security Topics for Employees

There are many topics which a comprehensive and effective information security awareness training program should include, from encryption, out-of-office security, and the dangers of Wi-Fi, to backing-up, incident response and physical security.

With that in mind, below are just some of the most important training topics for employees that are essential to helping your organisation mitigate threats to information security.

Anti-Phishing Training

Given that the vast majority of cyber attacks begin with a phishing email, the importance of providing your employees with effective anti-phishing training cannot be overstated.

Though it may appear to be a threat vector that is easily mitigated, understand that to be truly successful at defended against phishing attacks, you and your organisation need to be accurate 100% of the time, whereas an attacker only needs one successful phishing email to break through to launch an attack.

From identifying the traits and signs of a malicious email, to understanding the need to take the time to inspect links etc., defending against phishing attacks is a fundamental to ensuring strong information security within your organisation.

Password Security Training

The integrity and security of our networks, systems and accounts all rely upon passwords, yet still a significant portion of organisations have no established password policy in place.

With access to key accounts, such as an email account, there is little an attacker cannot do once they have captured your passwords.

From setting out a clear and security focused passwords policy, to basic password management techniques and tools, the foundations of password security are far from complex, meaning password security as an information security awareness training topic is not only essential for all SMEs, but also simple and easy to understand.

Social Engineering Training

There are many ways in which people can be exploited, from phishing attacks which peak curiosity with promises of discount consumer products, to more complex schemes such as targeting a disgruntled employee into providing network access, though attackers typically rely on a small number of tactics to get what they are after.

For example, ‘baiting’. Several years ago, a group of Google researchers conducted a social experiment, scattering 300 USB drives across a university campus. Designed to understand how people react to this curious, but highly unsecure ‘bait’, the experiment found that over 45% of drives were plugged in and had their contents examined.

Though in this case the devices were harmless, it serves as a prime example of how employees may be socially engineered into making decisions and carrying out actions which can compromise the security of information.

Other methods, such as ‘pretexting’, ‘tailgating’ and ‘quid pro quo’ are all techniques which, by investing in information security awareness training, your employees are equipped with the tools to defend against.

Mobile Device Training

Personal devices such as smartphones, tablets and laptops typically contain an extraordinary amount of valuable company information, presenting a significant security risk. Therefore, to ensure information security, it is crucial for your employees to receive proper training in keeping personal devices secure.

From understanding security settings, to the importance of setting up biometric security protocols, training staff in the topic of mobile device security is ever more essential in our increasingly remote work environments.

Although many elements of mobile device security will be handled primarily by an IT/security team (i.e., remote wiping etc.), if employees are dealing with sensitive information, having staff appreciate and understand the information security risk that mobile devices present is a foundational element of any robust information security awareness training program.

Secure Culture Training

As previously mention, there are many information security topics that are absent from this short list, but perhaps one of the most overlooked elements is the topic of creating a secure culture.

Though there is no ‘fix-all’ solution regarding the issue of information security, but by helping to foster and maintain a culture in which information security is a consistent consideration and concern, where secure behaviour is second nature, will have an immeasurable effect on your organisations ability to mitigate risk and maintain effective information security.

By investing in information security awareness training, your organisation, or any SME, will be not only protecting themselves and others against a wide range of potential threats, but additionally demonstrating to clients, partners, and the public a commitment to security.