Endpoint

5/1/2017
09:20 AM
50%
50%

Cybersecurity Training Nonexistent at One-Third of SMBs

But nearly half of US SMBs in a new survey would be willing to participate in security awareness training at their workplace - even if it was optional.

Employees at small-to midsized (SMB) organizations often do not receive any form of cybersecurity awareness training, according to a new survey.

Some 33% of SMBs surveyed by security firm ESET don't get training for security. The stakes are high for SMBs because the impact from a security breach can be far more detrimental to the survival of a smaller company than a larger one. "A large enterprise has a number of backstops and usually has a response ready when it happens. But a small organization … the initial infection can probably lead to something more serious and greater," says Stephen Cobb, ESET senior security researcher, noting that a security breach potentially could put an SMB out of business.

Large enterprises with a dedicated security team also have reason to care about the security profile of SMBs. SMBs can be supply-chain vendors or service providers to large firms. For example, the massive and high-profile security breach at retail giant Target is believed to have orginated from its HVAC contractor getting compromised.

Cobb says he was surprised that 49% of the roughly 600 US respondents of the ESET Cybersecurity Training in the Workplace survey noted they would be willing to take a cybersecurity training course at their workplace, even if it was optional. He added that in the past it would like "pulling teeth" to get employees to take cybersecurity training, but now employees want to not only learn how to secure their work-related IT, but also their home devices and email.

Large v. Small

SMBs are increasingly catching the attention of cybercriminals undertaking a spear-phishing attack, but those types of attacks are also converging on fewer organizations, according to the 2016 Symantec Internet Security Threat Report.  

"SMBs are a sweet spot for attackers. While large companies have more to steal, they are better defended. While consumers are less well-defended, they have less to steal. This puts SMB in the bullseye," says Kevin Haley, director of Symantec Security Response. But he also noted that the overall risk for SMBs is usually lower than large companies because there are so many more SMB companies than large ones to target.

Spearphishing Attacks by Size of Organization

Risk Ratio of Spearphishing Attacks by Organization Size
Images' Source: Symantec
Images' Source: Symantec

Regardless of the lower risk for SMBs, large companies are pushing the issue for small vendors and service providers to ensure their employees undergo cybersecurity training.

Over the last two years, Christopher Hadnagy, chief human hacker at Social-Engineer LLC, has seen this mandate. Social-Engineer, a security firm of 11 employees, is required by some of its clients to provide cybersecurity training to its own workers at least once every year, says Hadnagy, whose firm already as a policy does so several times a year.

Most security awareness programs today are fairly rudimentary. "The way security training is currently done at companies is crappy. They show you a 20-minute video and test you afterwards. If you were being trained in martial arts or boxing, do you think watching a 20-minute video will prepare you to immediately step into the ring? That is what we are asking employees to do with the way cybersecurity training is handled," Hadnagy says.

A better approach is to provide regular, mock-phishing training, he notes. Once a month, he sends a mock-phishing email to his employees. The monthly training provides consistency and repetition, he notes.

One of his clients that has 300,000 employees carried out a similar regiment with its employees and after three years reduced the malware incidents on its networks by 89%, Hadnagy notes. SMBs would likely benefit by taking similar measures, according to Hadnagy.

A recent update of the National Small Business Association survey found that 42% of its 845 survey respondents acknowledged they were a victim of a cybersecurity attack in 2015.

Of those 2015 survey respondents:

  • 63% were hit with a cyberattack within the past 12 months
  • 58% needed up to three days to resolve the cyberattack
  • 48% stated their service was interrupted due to the attack (respondents could select more than one issue)
  • 25% suffered a down website because of the attack (respondents could select more than one issue)
  • 22% found false information was sent from the company's domain. (respondents could select more than one issue)
  • $7,115.26 was the average estimated business cost because of the attack

Despite these figures, SMBs clearly are not yet at the point of jumping on the bandwagon to get their employees cybersecurity training. According to an NSBA spokesperson, the lack of training is likely due to the cost and logistics involved. It's also unclear whether SMB owners would expect their cybersecurity to vastly improve if their employees received training, the spokesperson says.

Free SMB Cybersecurity Training 

Meanwhile, ESET today also rolled out free online employee training modules including phishing, social engineering, and mobile security.

Other free SMB training and information is available from the US Small Business Administration's Cybersecurity for Small Businesses and the Federal Communications Commission's 10 Cybersecurity Tips for Small Businesses

In addition to addressing the knowledge gaps SMB employees said they were lacking in the ESET survey, Symantec's Haley also advises training on best practices for cloud computing and password management.

Related Content:

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
WSJ Report: Facebook Breach the Work of Spammers, Not Nation-State Actors
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/19/2018
Good Times in Security Come When You Least Expect Them
Joshua Goldfarb, Co-founder & Chief Product Officer, IDRRA ,  10/23/2018
Getting Up to Speed with "Always-On SSL"
Tim Callan, Senior Fellow, Comodo CA,  10/18/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10839
PUBLISHED: 2018-10-16
Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS.
CVE-2018-13399
PUBLISHED: 2018-10-16
The Microsoft Windows Installer for Atlassian Fisheye and Crucible before version 4.6.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.
CVE-2018-18381
PUBLISHED: 2018-10-16
Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS Vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments.
CVE-2018-18382
PUBLISHED: 2018-10-16
Advanced HRM 1.6 allows Remote Code Execution via PHP code in a .php file to the user/update-user-avatar URI, which can be accessed through an "Update Profile" "Change Picture" (aka user/edit-profile) action.
CVE-2018-18374
PUBLISHED: 2018-10-16
XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter.