Cybersecurity training is moving up the priority list for small businesses as they realise the risk of attack and the damage that even one breach can cause.
Microsoft saw a 300 per cent rise in cyberattacks between 2020 and 2021, with 50 per cent of those hitting small businesses. What’s more, the average cost of a cyber breach for a small business in 2019 was £11,000, according to Hiscox.
Hiscox also says that one small business in the UK is successfully hacked every 19 seconds. Government research highlights that phishing attempts were the most common type of attack (83 per cent) in the 12 months to March 2022, while one in five businesses report a more sophisticated type of attack such as denial of service, malware or ransomware.
Here, we’ll be exploring why you need cybersecurity for your home-working employees and what kind of training you should be providing.
Why should I provide cybersecurity training for my home workers?
First off, cyber threats are growing. In fact, the World Economic Forum has said cyber risks will be one of the biggest challenges to businesses over the next five years.
Small businesses can run the risk of believing that, because they are so small, they’re not at risk of being breached. In some cases that means that the business is unprepared and thus vulnerable. To slap on more damage, you could be landed with a fine from the Information Commissioner’s Office (ICO) off the back of a data breach.
What’s perhaps most damaging to businesses is a loss in customer trust. A third (33 per cent) of organisations say they’ve lost customers after a data breach, according to RedSeal. Further studies show that 29 per cent lose revenue as a result of a data security breach. If your website doesn’t work, for example, customers might go to competitors or give you a negative review.
Sometimes employees don’t realise how at-risk they are from a cybersecurity compromise, especially when they’re at home on their own WiFi network. They may not realise that devices on their home network can make business data more vulnerable too.
No small business is an island, either. Andy Robertson, head of Fujitsu Cyber Security at Fujitsu UK&I, told Small Business: “One other reason why SMEs are so attractive is they are commonly a gateway to target larger organisations as a supply chain link. These large businesses are often key partners, suppliers or customers – but good security practices will ensure no relationship is damaged.”
In-person or online training?
Though this may seem like an odd question for an article about home workers, it’s worth giving some thought. The nature, size and sector of your business will likely be the deciding factors in how you carry out your training. A small team might be happy with in-person training, whereas a tech team at an eCommerce company would need something more specialised and more frequent.
At a glance, here are the pros and cons of in-person vs online training:
In-person training – pros:
- Employees can ask questions
- Works well for small groups
In-person training – cons:
- More expensive
- More difficult to arrange regular training
Online training – pros:
- More flexible for employees
- Access to a wider range of providers
- Easier to track employee progress
Online training – cons:
- Possibly less engagement with employees
- May not be able to get assistance out-of-hours
Whichever method you decide to go for, mix it up. Jason Stirland, CTO at DeltaNet International, believes that variety in training is crucial. “Businesses can implement a blend of microlearning (short five-minute courses) to gamified and interactive, scenario-led learning to engage employees,” he told Small Business.
What should be covered in cybersecurity training?
There should be basic training for everyone, with lessons that are easy to understand and delivered in smaller sections so that employees retain more information. Tailor any training beyond that so that it’s appropriate to the team being trained and how tech-savvy they are.
You have the option of carrying out the training yourself or hiring a third party. It’ll be cheaper to do in-house if you have the expertise, and you can communicate with staff in a way that fits your business’ culture. That said, a third party brings professional training experience, meaning they’re less likely to have blind spots.
If you go for a third party, look for courses that are NCSC-certified training, delivered by experienced training providers. The content of these courses must map to the ‘knowledge areas’ of the Cyber Security Body of Knowledge (CyBOK). A list of certified training providers at each level can be found on the NCSC website.
When looking for a training provider, make sure they cover:
- How to create a strong password
- What common attacks look like
- Signs that a device might be affected by suspicious activity
- What multi-factor authentication is and why it’s important
- Securing at-home internet and devices
Training providers should also cover basic guiding principles such as locking screens whenever staff step away, keeping devices somewhere safe when not in use, and choosing strong, unique passwords for each account. Note that the NCSC advises against forcing regular password changes: passwords should be changed when there is any suspicion of compromise, not on a fixed schedule.
Make sure staff know how to report a cyberattack and that they can do so without reprimand – fear of punishment may put them off reporting it at all.
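To make the “strong password” lesson concrete, here is an added example (not code from the article or from any provider it mentions) of a password-acceptance check in the style the NCSC recommends: it enforces a minimum length and a deny-list of common passwords and context words (the user’s name, the company name) rather than character-class composition rules, so that a memorable passphrase such as three random words passes while ‘P@ssw0rd1!’ does not. The deny-list, the minimum length of 12 and the leet-speak substitution table are assumptions chosen for illustration; a real deployment would use a breached-password list.

```python
"""Password-acceptance check (added example, not from the article).

Assumptions: MIN_LENGTH, COMMON_PASSWORDS and the substitution table are
illustrative stand-ins; use a real breached-password list in production.
"""

MIN_LENGTH = 12  # assumed policy value

# Constructed deny-list: a tiny stand-in for a breached-password list.
COMMON_PASSWORDS = {
    "password", "password1", "123456", "qwerty", "letmein",
    "welcome", "summer", "admin", "changeme",
}

# Common substitutions attackers' wordlists already account for.
_LEET = str.maketrans({"@": "a", "0": "o", "$": "s", "3": "e"})


def normalise(password: str) -> str:
    """Lower-case and undo leet substitutions so 'P@ssw0rd' compares as 'password'."""
    return password.lower().translate(_LEET)


def check_password(password: str, context_words=()) -> list:
    """Return the reasons a password is rejected; an empty list means it is accepted.

    context_words are strings that must not appear in the password, e.g. the
    user's name or the company name.
    """
    reasons = []

    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")

    normalised = normalise(password)
    # Also strip a trailing year/number/punctuation so 'password2024!' is caught.
    stripped = normalised.rstrip("0123456789!?.")
    if normalised in COMMON_PASSWORDS or stripped in COMMON_PASSWORDS:
        reasons.append("on the common-password deny-list")

    for word in context_words:
        if len(word) >= 4 and word.lower() in normalised:
            reasons.append(f"contains '{word}'")

    # Catches 'aaaaaaaaaaaa'-style inputs that satisfy the length rule alone.
    if len(set(password)) < 4:
        reasons.append("too few distinct characters")

    return reasons


if __name__ == "__main__":
    for candidate in ["P@ssw0rd1!", "purple-kettle-orbit-47", "AcmeWidgets2024!"]:
        verdict = check_password(candidate, context_words=["alice", "acme"])
        print(candidate, "->", "accepted" if not verdict else "; ".join(verdict))
```

The check deliberately has no “must contain a digit and a symbol” rule: such rules push users towards predictable patterns (capital first letter, digit and symbol at the end) that attackers’ wordlists already model, which is exactly why ‘P@ssw0rd1!’ is rejected here despite satisfying every composition rule.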
Training should even extend beyond employees themselves. Javvad Malik, lead security awareness advocate at KnowBe4, said: “For home workers, employers should look to provide training not just for employees but give practical advice and awareness that can extend to all family members.” This could be keeping hardware safe from young children or teaching family members what a suspicious site or phishing attack looks like on their own devices. “Ultimately the goal isn’t to ensure people have undergone several hours of training, or that they are cybersecurity experts, but that they are equipped with the skills that allow them to make better risk decisions,” Malik said.
An interesting way of making sure lessons stick is to do frequent simulation exercises where you send out, say, a phishing email. Monitor how many people respond to it and/or click the links.
John Blackburn, operations director at Central Networks and Technologies, is an advocate for this. He said: “It’s possible to simulate a scam email and send this out to the workforce – enabling employers to see how vulnerable the organisation would have been in the event of a real attack. This should be carried out regularly, as it will help to inform whether any further training is needed, and if any specific subject areas need targeting.”
It’s not just a case of sending out one email and calling it done. Nick Ross, cybersecurity consultant at Trend Micro, advises that you think about who the training is for – consider different campaigns targeted at different departments – as well as what training you are going to run off the back of a phishing campaign, how frequently you are going to run the campaign, and how you’re going to record the results and track progress.
“Once you’ve got going, you might want to move things up a notch,” Ross said. “Avoid easily detectable patterns such as launching your campaigns on the first of each month or using the same template in consecutive quarters. Keeping your users guessing will ensure realistic assessments.”
Being aware of trends will help you here. “Also remember that you are emulating the bad guys,” said Ross. “Attackers will often piggyback on seasonal trends. February, March and April are a great time for a tax-themed simulation. Likewise, November and December are great for e-commerce themed attacks. Think about the timing of your simulations to maximise effectiveness.”
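The steps above (send a simulated phishing email, record who clicks, break results down by department, and avoid predictable send dates) can be tied together in a small script. The following is an added example written for this article, not a tool from the article or from any vendor quoted in it. It assumes a made-up staff list, a made-up tracking host (‘sim.example.internal’) and a constructed access-log format; each recipient gets an HMAC-based tracking token so that one employee cannot guess or forge a colleague’s link and distort the results.

```python
"""Phishing-simulation campaign helper (added example, not from the article).

Assumptions (all constructed for illustration): STAFF, TRACKING_HOST,
CAMPAIGN_ID, the log line format "timestamp client_ip METHOD path status",
and the placeholder CAMPAIGN_SECRET (generate a real one with secrets.token_bytes).
"""
import hashlib
import hmac
import random
from collections import defaultdict
from datetime import date, timedelta

CAMPAIGN_SECRET = b"replace-me-with-secrets.token_bytes(32)"  # placeholder secret
TRACKING_HOST = "https://sim.example.internal"  # assumed tracking host
CAMPAIGN_ID = "q3-invoice"  # assumed campaign name

# Constructed staff list: user -> department.
STAFF = {"alice": "finance", "bob": "finance", "carol": "sales", "dave": "engineering"}


def tracking_token(campaign_id: str, user: str) -> str:
    """HMAC-SHA256 token binding one user to one campaign (truncated to 16 hex chars)."""
    message = f"{campaign_id}:{user}".encode()
    return hmac.new(CAMPAIGN_SECRET, message, hashlib.sha256).hexdigest()[:16]


def build_links(campaign_id: str, users) -> dict:
    """Per-recipient tracking links to embed in the simulated email."""
    return {u: f"{TRACKING_HOST}/c/{tracking_token(campaign_id, u)}" for u in users}


def resolve_token(campaign_id: str, token: str, users):
    """Map a clicked token back to a user; forged tokens resolve to None."""
    for u in users:
        if hmac.compare_digest(tracking_token(campaign_id, u), token):
            return u
    return None


def parse_clicks(campaign_id: str, log_lines, users) -> set:
    """Return the set of users who clicked, from constructed access-log lines."""
    clicked = set()
    for line in log_lines:
        parts = line.split()
        if len(parts) < 5:          # malformed line: skip rather than crash
            continue
        path = parts[3]
        if not path.startswith("/c/"):
            continue                # not a tracking link (favicon, probes, ...)
        token = path[3:].split("?", 1)[0]   # drop any query string
        user = resolve_token(campaign_id, token, users)
        if user is not None:
            clicked.add(user)       # a set, so repeat clicks count once
    return clicked


def click_rate_by_department(staff: dict, clicked: set) -> dict:
    """Fraction of each department that clicked, to target follow-up training."""
    totals, clicks = defaultdict(int), defaultdict(int)
    for user, dept in staff.items():
        totals[dept] += 1
        if user in clicked:
            clicks[dept] += 1
    return {dept: clicks[dept] / totals[dept] for dept in totals}


def pick_send_date(window_start: date, window_days: int, rng: random.Random) -> date:
    """Random weekday inside the window, so campaigns never land on a predictable date."""
    candidates = [window_start + timedelta(days=i) for i in range(window_days)]
    return rng.choice([d for d in candidates if d.weekday() < 5])


# Constructed sample log: alice clicks twice, carol once, one forged token, one junk line.
SAMPLE_LOG = [
    f"2024-03-04T09:12:01Z 10.0.0.5 GET /c/{tracking_token(CAMPAIGN_ID, 'alice')} 200",
    f"2024-03-04T09:12:40Z 10.0.0.5 GET /c/{tracking_token(CAMPAIGN_ID, 'alice')}?ref=mail 200",
    f"2024-03-04T10:03:11Z 10.0.0.9 GET /c/{tracking_token(CAMPAIGN_ID, 'carol')} 200",
    "2024-03-04T10:05:00Z 10.0.0.9 GET /favicon.ico 404",
    "2024-03-04T11:00:00Z 10.0.0.44 GET /c/0000000000000000 404",
    "garbage line",
]


def run_report():
    """Who clicked and the per-department click rate for the sample campaign."""
    clicked = parse_clicks(CAMPAIGN_ID, SAMPLE_LOG, STAFF)
    return sorted(clicked), click_rate_by_department(STAFF, clicked)


if __name__ == "__main__":
    print(build_links(CAMPAIGN_ID, STAFF))
    print(run_report())
    print(pick_send_date(date(2024, 4, 1), 21, random.SystemRandom()))
```

Recording results per campaign (who clicked, which department, which template) is what lets you compare quarter on quarter and see whether the training that followed actually lowered the click rate; the HMAC token also means the results database never needs to store anything a clicker could tamper with.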
It’ll help to have some ever-present resources available that your employees can refer to at any time. Provide written guides that are easy for employees to find after they complete the training modules. The NCSC recommends ‘How do I?’ guides such as ‘How do I create a strong password?’
A business continuity plan – a document that outlines how a business will operate should it experience some disruption, such as a cyberattack or employees suddenly working from home again – is also essential. Lee Wrall, co-founder and director of Everything Tech, said: “These plans should outline disaster recovery procedures as well as detailed strategies on how the business will operate in the short and long term.”