3 Tips to Educate SMB Employees on Cybersecurity



  • Hackers don’t only target huge corporations, making it the responsibility of all employees to practice good “security hygiene” regardless of company size or industry
  • There are a number of resources available at a variety of price points and commitment levels that make incorporating a cybersecurity education program easy and necessary

HPE security expert Andrzej Kawalec discusses the value of cybersecurity education for SMBs, and for everyone

Cyber criminals have sophisticated capabilities to target any enterprise, big or small. Businesses can install firewalls and encrypt data, but if your employees aren’t aware of unsafe cybersecurity behaviors, your company is still at risk. Click through this infographic to learn more about the value of cybersecurity education.

Robert McKee, a Texas-based consultant, assists small and medium businesses (SMBs) in setting up their cybersecurity systems. But there is one particular problem that he comes across that isn’t so easy to fix: Small business owners don’t think that cybersecurity issues affect them. And if the owner isn’t willing to get on board with good security practices, McKee said, employees won’t bother with it either.

“Everyone’s excuse is that they don’t have any information people would want to steal,” McKee added. “But the truth is that hackers walk the digital halls of every company looking for the weak link. Then they do what is called privilege escalation, where they use a weak link in the system to access other areas to find a weak link in the system above it.”

The weak link in almost any security system is the employee who doesn’t understand or see the need for basic security practices. These are the people who open attachments from unknown senders, ignore software update requests, or write their password on a sticky note attached to their monitors. Every company has these types, yet SMBs seem to lag behind large companies when it comes to providing cybersecurity education and training for their employees.

“The main reason for the lag in cybersecurity awareness with SMB employees is that SMBs simply don’t have the same training resources available that larger corporations do,” explained Dr. Lynne Y. Williams, a professor with Kaplan University’s School of Business and Information Technology. On the contrary, there are a number of resources out there. Williams suggested employers look into free online training classes (like those offered by Cybrary) and require employees to complete them by a certain date. “Most free online courses have a certificate of completion that can be presented as proof that the employee has done the training.”

Knowing the opportunities for free or inexpensive training is one step toward encouraging cybersecurity education, but Andrzej Kawalec, CTO of HPE Security Services and head of HPE Security Research, said the best way to make cybersecurity education effective is to emphasize that good security practices shouldn’t just be a work-only effort. 

“We live in a world of smart homes, smart cities and smart cars. Most of the transaction services we consume are through digital channels,” Kawalec explained. “An education awareness program that focuses on the personal, and not just on the organization, can be much more effective. The moment you talk about security in the personal sense, employees become more emotionally charged and the need for better security becomes more relevant.”

The cybersecurity actions that small and medium-sized businesses need to take are small but make a considerable difference. It can be as simple as clicking the “update” button on software alerts instead of putting it off for later, or avoiding the classic pitfall of using the same password for all devices in a company, says Kawalec. And business owners need to apply these security practices to all devices, not just PCs, especially when employees work remotely and use mobile devices containing business critical information.

Kawalec shared a three-step process for SMBs to build a cybersecurity education program:

  1. Identify the most critical data assets held within the company, such as personally identifiable information (PII) of employees and customers, including financial information, medical records or intellectual property. “Once business leaders identify those assets, you understand where the risk is and then you can begin engaging employees,” said Kawalec.
  2. Create awareness about basic “security hygiene” practices. This includes items such as recognizing the difference between strong and weak passwords, good password management, learning how to recognize a phishing email, understanding social engineering tactics and how cyber criminals try to scam users, and recognizing tricks used to get users to download ransomware.

     Good security hygiene is an area that is easy to apply to employees’ personal and professional lives, and by doing so, Kawalec pointed out, you improve the chances that employees will actually use it.

  3. Once you build the awareness and allow people to ask questions and take part in security issues, employees will recognize that no company is too small to be the target of a cyber attack. The maturity level of overall cybersecurity in the company will start to change.

“The primary way attackers get into an organization is through social engineering and through people,” said Kawalec. “By better educating employees, you can completely change your security posture.”