Building Blocks of Cybersecure Culture for SMBs: Part 3 – Your Employees Are Your Biggest Risks – And Assets


A recent study by the University of Phoenix reveals that, despite the rising tide of cyber attacks across businesses and industries around the world, more than 20% of U.S. adults have never heard of popular cybersecurity jobs. Only one in 10 survey respondents were familiar with cybersecurity job titles, while two of every 10 had never heard of them. Per a report covering the research in TechRepublic, U.S. adults were most unfamiliar with penetration testers (52%), white hat ethical hackers, and computer security incident responders (46%).

“This unawareness and lack of knowledge on cybersecurity leaves Americans even more vulnerable to attack,” wrote TechRepublic reporter Macy Bayern.

So, if employees know little to nothing about who helps them protect their company from cybercrime, then, as the CompTIA Cybersecurity Advisory Board puts it in its recent executive brief, “Building a Culture of Cybersecurity,” employees become the biggest cybersecurity risks your business faces in today’s heavily digitized environment.

But there’s a paradox here. While employees are your biggest risks in cybersecurity terms, they are also your greatest asset when establishing a cybersecure culture within your firm. In a true sense, you cannot do it without them. That’s why we advocate so heavily for cybersecurity awareness and education – and advise senior executives of small to mid-size businesses (SMBs) to lead the way.

Part 3 – Your Employees Are Your Biggest Risks – And Assets

We gleaned three points from CompTIA’s white paper to help you take initiative in cybersecurity training:

  • Work from the Top Down – Upper management (like you) has outsized access to data but often receives less training. Training in everyday cybersecurity measures can help you and your top-level managers evaluate risks and behaviors more effectively – in yourselves and your staff. When we wrote “lead the way,” we were being literal.
  • Keep It Crisp, Keep It Going – Make training for all employees short, frequent and grounded in real-world scenarios regardless of level of authority and work responsibility. Conduct sessions in small, digestible units. And then, seek feedback. Which cyber-threats are employees seeing out there? How have they changed their approach to these threats? Are they reporting issues to the IT team? Your follow-up questions should reinforce the cybersecure values you built into your company structure.
  • Control What You Can – No organization of any size in any industry can eliminate human error completely from business operations of any type. So, your company always will have some level of cybersecurity risk. But you can mitigate and minimize this risk by restricting access to data. Gather accurate data from across your organization on how many users have access to what levels of data—especially your “crown jewels.”

Finally, no need to go it alone. Your IT Managed Services Provider (MSP) can support and help with your cybersecurity awareness and education programs.