Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

Cybersecurity Training Nonexistent at One-Third of SMBs

But nearly half of US SMBs in a new survey would be willing to participate in security awareness training at their workplace - even if it was optional.

Employees at small-to midsized (SMB) organizations often do not receive any form of cybersecurity awareness training, according to a new survey.

Some 33% of SMBs surveyed by security firm ESET don't get training for security. The stakes are high for SMBs because the impact from a security breach can be far more detrimental to the survival of a smaller company than a larger one. "A large enterprise has a number of backstops and usually has a response ready when it happens. But a small organization … the initial infection can probably lead to something more serious and greater," says Stephen Cobb, ESET senior security researcher, noting that a security breach potentially could put an SMB out of business.

Large enterprises with a dedicated security team also have reason to care about the security profile of SMBs. SMBs can be supply-chain vendors or service providers to large firms. For example, the massive and high-profile security breach at retail giant Target is believed to have orginated from its HVAC contractor getting compromised.

Cobb says he was surprised that 49% of the roughly 600 US respondents of the ESET Cybersecurity Training in the Workplace survey noted they would be willing to take a cybersecurity training course at their workplace, even if it was optional. He added that in the past it would like "pulling teeth" to get employees to take cybersecurity training, but now employees want to not only learn how to secure their work-related IT, but also their home devices and email.

Large v. Small

SMBs are increasingly catching the attention of cybercriminals undertaking a spear-phishing attack, but those types of attacks are also converging on fewer organizations, according to the 2016 Symantec Internet Security Threat Report.  

"SMBs are a sweet spot for attackers. While large companies have more to steal, they are better defended. While consumers are less well-defended, they have less to steal. This puts SMB in the bullseye," says Kevin Haley, director of Symantec Security Response. But he also noted that the overall risk for SMBs is usually lower than large companies because there are so many more SMB companies than large ones to target.

Regardless of the lower risk for SMBs, large companies are pushing the issue for small vendors and service providers to ensure their employees undergo cybersecurity training.

Over the last two years, Christopher Hadnagy, chief human hacker at Social-Engineer LLC, has seen this mandate. Social-Engineer, a security firm of 11 employees, is required by some of its clients to provide cybersecurity training to its own workers at least once every year, says Hadnagy, whose firm already as a policy does so several times a year.

Most security awareness programs today are fairly rudimentary. "The way security training is currently done at companies is crappy. They show you a 20-minute video and test you afterwards. If you were being trained in martial arts or boxing, do you think watching a 20-minute video will prepare you to immediately step into the ring? That is what we are asking employees to do with the way cybersecurity training is handled," Hadnagy says.

A better approach is to provide regular, mock-phishing training, he notes. Once a month, he sends a mock-phishing email to his employees. The monthly training provides consistency and repetition, he notes.

One of his clients that has 300,000 employees carried out a similar regiment with its employees and after three years reduced the malware incidents on its networks by 89%, Hadnagy notes. SMBs would likely benefit by taking similar measures, according to Hadnagy.

A recent update of the National Small Business Association survey found that 42% of its 845 survey respondents acknowledged they were a victim of a cybersecurity attack in 2015.

Of those 2015 survey respondents:

  • 63% were hit with a cyberattack within the past 12 months
  • 58% needed up to three days to resolve the cyberattack
  • 48% stated their service was interrupted due to the attack (respondents could select more than one issue)
  • 25% suffered a down website because of the attack (respondents could select more than one issue)
  • 22% found false information was sent from the company's domain. (respondents could select more than one issue)
  • $7,115.26 was the average estimated business cost because of the attack

Despite these figures, SMBs clearly are not yet at the point of jumping on the bandwagon to get their employees cybersecurity training. According to an NSBA spokesperson, the lack of training is likely due to the cost and logistics involved. It's also unclear whether SMB owners would expect their cybersecurity to vastly improve if their employees received training, the spokesperson says.

Free SMB Cybersecurity Training 

Meanwhile, ESET today also rolled out free online employee training modules including phishing, social engineering, and mobile security.

Other free SMB training and information is available from the US Small Business Administration's Cybersecurity for Small Businesses and the Federal Communications Commission's 10 Cybersecurity Tips for Small Businesses

In addition to addressing the knowledge gaps SMB employees said they were lacking in the ESET survey, Symantec's Haley also advises training on best practices for cloud computing and password management.

Related Content:

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25747
PUBLISHED: 2020-09-25
The Telnet service of Rubetek RV-3406, RV-3409, and RV-3411 cameras (firmware versions v342, v339) can allow a remote attacker to gain access to RTSP and ONFIV services without authentication. Thus, the attacker can watch live streams from the camera, rotate the camera, change some settings (brightn...
CVE-2020-25748
PUBLISHED: 2020-09-25
A Cleartext Transmission issue was discovered on Rubetek RV-3406, RV-3409, and RV-3411 cameras (firmware versions v342, v339). Someone in the middle can intercept and modify the video data from the camera, which is transmitted in an unencrypted form. One can also modify responses from NTP and RTSP s...
CVE-2020-25749
PUBLISHED: 2020-09-25
The Telnet service of Rubetek cameras RV-3406, RV-3409, and RV-3411 cameras (firmware versions v342, v339) could allow an remote attacker to take full control of the device with a high-privileged account. The vulnerability exists because a system account has a default and static password. The Telnet...
CVE-2020-24592
PUBLISHED: 2020-09-25
Mitel MiCloud Management Portal before 6.1 SP5 could allow an attacker, by sending a crafted request, to view system information due to insufficient output sanitization.
CVE-2020-24593
PUBLISHED: 2020-09-25
Mitel MiCloud Management Portal before 6.1 SP5 could allow a remote attacker to conduct a SQL Injection attack and access user credentials due to improper input validation.