Employees at small-to midsized (SMB) organizations often do not receive any form of cybersecurity awareness training, according to a new survey.
Some 33% of SMBs surveyed by security firm ESET don't get training for security. The stakes are high for SMBs because the impact from a security breach can be far more detrimental to the survival of a smaller company than a larger one. "A large enterprise has a number of backstops and usually has a response ready when it happens. But a small organization … the initial infection can probably lead to something more serious and greater," says Stephen Cobb, ESET senior security researcher, noting that a security breach potentially could put an SMB out of business.
Large enterprises with a dedicated security team also have reason to care about the security profile of SMBs. SMBs can be supply-chain vendors or service providers to large firms. For example, the massive and high-profile security breach at retail giant Target is believed to have orginated from its HVAC contractor getting compromised.
Cobb says he was surprised that 49% of the roughly 600 US respondents of the ESET Cybersecurity Training in the Workplace survey noted they would be willing to take a cybersecurity training course at their workplace, even if it was optional. He added that in the past it would like "pulling teeth" to get employees to take cybersecurity training, but now employees want to not only learn how to secure their work-related IT, but also their home devices and email.
Large v. Small
SMBs are increasingly catching the attention of cybercriminals undertaking a spear-phishing attack, but those types of attacks are also converging on fewer organizations, according to the 2016 Symantec Internet Security Threat Report.
"SMBs are a sweet spot for attackers. While large companies have more to steal, they are better defended. While consumers are less well-defended, they have less to steal. This puts SMB in the bullseye," says Kevin Haley, director of Symantec Security Response. But he also noted that the overall risk for SMBs is usually lower than large companies because there are so many more SMB companies than large ones to target.
Regardless of the lower risk for SMBs, large companies are pushing the issue for small vendors and service providers to ensure their employees undergo cybersecurity training.
Over the last two years, Christopher Hadnagy, chief human hacker at Social-Engineer LLC, has seen this mandate. Social-Engineer, a security firm of 11 employees, is required by some of its clients to provide cybersecurity training to its own workers at least once every year, says Hadnagy, whose firm already as a policy does so several times a year.
Most security awareness programs today are fairly rudimentary. "The way security training is currently done at companies is crappy. They show you a 20-minute video and test you afterwards. If you were being trained in martial arts or boxing, do you think watching a 20-minute video will prepare you to immediately step into the ring? That is what we are asking employees to do with the way cybersecurity training is handled," Hadnagy says.
A better approach is to provide regular, mock-phishing training, he notes. Once a month, he sends a mock-phishing email to his employees. The monthly training provides consistency and repetition, he notes.
One of his clients that has 300,000 employees carried out a similar regiment with its employees and after three years reduced the malware incidents on its networks by 89%, Hadnagy notes. SMBs would likely benefit by taking similar measures, according to Hadnagy.
A recent update of the National Small Business Association survey found that 42% of its 845 survey respondents acknowledged they were a victim of a cybersecurity attack in 2015.
Of those 2015 survey respondents:
Despite these figures, SMBs clearly are not yet at the point of jumping on the bandwagon to get their employees cybersecurity training. According to an NSBA spokesperson, the lack of training is likely due to the cost and logistics involved. It's also unclear whether SMB owners would expect their cybersecurity to vastly improve if their employees received training, the spokesperson says.
Free SMB Cybersecurity Training
Meanwhile, ESET today also rolled out free online employee training modules including phishing, social engineering, and mobile security.
Other free SMB training and information is available from the US Small Business Administration's Cybersecurity for Small Businesses and the Federal Communications Commission's 10 Cybersecurity Tips for Small Businesses
In addition to addressing the knowledge gaps SMB employees said they were lacking in the ESET survey, Symantec's Haley also advises training on best practices for cloud computing and password management.