There’s a common misconception that SMEs aren’t aware of cybersecurity threats. In reality, it’s not that SMEs aren’t aware of threats, but rather that they’re unsure what to do about them. The best way to counter this is through training. Training can help SME owners and their staff better recognise and understand the threats they face and, more importantly, learn how to counter them.
But what does effective training look like? In this article, we’ll explain security training and lay out a few best practices for improving SMEs’ approach to cybersecurity.
What is security awareness?
‘Awareness’ is best defined as ‘people’s knowledge and understanding of cybersecurity risks, why these risks matter to the organisation and themselves, and the security behaviours required to reduce those risks’. It’s important to note that raising security awareness is the goal. Security communication, culture and training are different types of methods that can be used to help SMEs get there.
Understanding an SME’s prior awareness of cybersecurity
Security training should involve measuring and understanding initial attitudes and behaviours within an SME. Or, in simple terms, how people feel and think about cybersecurity. This includes what they do (or don’t do) to stay secure and what they know and understand about cybersecurity.
Avoid a ‘one size fits all’ approach
Providing security advice that is too generic is unlikely to be effective. No one enjoys lessons that feel irrelevant. With this in mind, most SMEs would benefit from advice about the threats and vulnerabilities specific to their industry or organisation.
To address an SME’s needs, training should include answers to FAQs and tackle any existing knowledge gaps that have cropped up during the assessment process.
Avoid fear appeals by focusing on self-efficacy
Fear is often used in cybersecurity communication. It’s not hard to see why: as humans we’re naturally risk-averse, so in many situations fear is a powerful motivator. However, there is strong evidence that fear appeals in cybersecurity communication can be counterproductive and ineffective in changing long-term behaviour.
Instead, appeals to self-efficacy, that is, a person’s confidence in their ability to successfully practise secure behaviours, are more influential than fear appeals and more likely to lead to long-term change.
Create an ongoing and non-intrusive training programme
Learning about cybersecurity for the first time can feel overwhelming. And when it comes to awareness training, there’s such a thing as too much information.
To avoid overloading employees with information they’re unlikely to remember, training should be divided into small, manageable chunks. Training shouldn’t be a one-off exercise but a regular activity to help maintain employees’ level of awareness. Any content provided should be bite-sized. Think short, sharp exercises that can be completed at lunch or between meetings so as not to interrupt their core work or create security fatigue. Employees must also have the ability to manage their own training time or preferred method of learning, for example, text or videos.
Measuring effectiveness of the training
Employees’ attitudes and behaviours also need to be assessed once training is complete. This allows comparison with the initial assessment to measure the training’s effectiveness. Methods could include self-assessments, such as quizzes, or behaviour observation and compliance monitoring.
The goal of any security awareness training is to empower employees to behave more securely, reducing the number of security incidents as a result. However, awareness training only works alongside a strong security culture and practical approaches and tools that every employee is able to put into practice. Without all of these things working in tandem, an SME risks security fatigue, confusion and, ultimately, weaker defences against any threat.