Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

Cybersecurity Training Nonexistent at One-Third of SMBs

But nearly half of US SMBs in a new survey would be willing to participate in security awareness training at their workplace - even if it was optional.

Employees at small-to midsized (SMB) organizations often do not receive any form of cybersecurity awareness training, according to a new survey.

Some 33% of SMBs surveyed by security firm ESET don't get training for security. The stakes are high for SMBs because the impact from a security breach can be far more detrimental to the survival of a smaller company than a larger one. "A large enterprise has a number of backstops and usually has a response ready when it happens. But a small organization … the initial infection can probably lead to something more serious and greater," says Stephen Cobb, ESET senior security researcher, noting that a security breach potentially could put an SMB out of business.

Large enterprises with a dedicated security team also have reason to care about the security profile of SMBs. SMBs can be supply-chain vendors or service providers to large firms. For example, the massive and high-profile security breach at retail giant Target is believed to have orginated from its HVAC contractor getting compromised.

Cobb says he was surprised that 49% of the roughly 600 US respondents of the ESET Cybersecurity Training in the Workplace survey noted they would be willing to take a cybersecurity training course at their workplace, even if it was optional. He added that in the past it would like "pulling teeth" to get employees to take cybersecurity training, but now employees want to not only learn how to secure their work-related IT, but also their home devices and email.

Large v. Small

SMBs are increasingly catching the attention of cybercriminals undertaking a spear-phishing attack, but those types of attacks are also converging on fewer organizations, according to the 2016 Symantec Internet Security Threat Report.  

"SMBs are a sweet spot for attackers. While large companies have more to steal, they are better defended. While consumers are less well-defended, they have less to steal. This puts SMB in the bullseye," says Kevin Haley, director of Symantec Security Response. But he also noted that the overall risk for SMBs is usually lower than large companies because there are so many more SMB companies than large ones to target.

Regardless of the lower risk for SMBs, large companies are pushing the issue for small vendors and service providers to ensure their employees undergo cybersecurity training.

Over the last two years, Christopher Hadnagy, chief human hacker at Social-Engineer LLC, has seen this mandate. Social-Engineer, a security firm of 11 employees, is required by some of its clients to provide cybersecurity training to its own workers at least once every year, says Hadnagy, whose firm already as a policy does so several times a year.

Most security awareness programs today are fairly rudimentary. "The way security training is currently done at companies is crappy. They show you a 20-minute video and test you afterwards. If you were being trained in martial arts or boxing, do you think watching a 20-minute video will prepare you to immediately step into the ring? That is what we are asking employees to do with the way cybersecurity training is handled," Hadnagy says.

A better approach is to provide regular, mock-phishing training, he notes. Once a month, he sends a mock-phishing email to his employees. The monthly training provides consistency and repetition, he notes.

One of his clients that has 300,000 employees carried out a similar regiment with its employees and after three years reduced the malware incidents on its networks by 89%, Hadnagy notes. SMBs would likely benefit by taking similar measures, according to Hadnagy.

A recent update of the National Small Business Association survey found that 42% of its 845 survey respondents acknowledged they were a victim of a cybersecurity attack in 2015.

Of those 2015 survey respondents:

  • 63% were hit with a cyberattack within the past 12 months
  • 58% needed up to three days to resolve the cyberattack
  • 48% stated their service was interrupted due to the attack (respondents could select more than one issue)
  • 25% suffered a down website because of the attack (respondents could select more than one issue)
  • 22% found false information was sent from the company's domain. (respondents could select more than one issue)
  • $7,115.26 was the average estimated business cost because of the attack

Despite these figures, SMBs clearly are not yet at the point of jumping on the bandwagon to get their employees cybersecurity training. According to an NSBA spokesperson, the lack of training is likely due to the cost and logistics involved. It's also unclear whether SMB owners would expect their cybersecurity to vastly improve if their employees received training, the spokesperson says.

Free SMB Cybersecurity Training 

Meanwhile, ESET today also rolled out free online employee training modules including phishing, social engineering, and mobile security.

Other free SMB training and information is available from the US Small Business Administration's Cybersecurity for Small Businesses and the Federal Communications Commission's 10 Cybersecurity Tips for Small Businesses

In addition to addressing the knowledge gaps SMB employees said they were lacking in the ESET survey, Symantec's Haley also advises training on best practices for cloud computing and password management.

Related Content:

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/6/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15037
PUBLISHED: 2020-07-07
NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack. The application allows an attacker to execute arbitrary JavaScript code via the Reports-Devices.php page st[] parameter.
CVE-2019-4323
PUBLISHED: 2020-07-07
"HCL AppScan Enterprise advisory API documentation is susceptible to clickjacking, which could allow an attacker to embed the contents of untrusted web pages in a frame."
CVE-2019-4324
PUBLISHED: 2020-07-07
"HCL AppScan Enterprise is susceptible to Cross-Site Scripting while importing a specially crafted test policy."
CVE-2020-15036
PUBLISHED: 2020-07-07
NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack. The application allows an attacker to execute arbitrary JavaScript code via the Topology-Linked.php dv parameter.
CVE-2020-15577
PUBLISHED: 2020-07-07
An issue was discovered on Samsung mobile devices with P(9.0) and Q(10.0) software. Cameralyzer allows attackers to write files to the SD card. The Samsung ID is SVE-2020-16830 (July 2020).