A cyber thief once tricked an employee into transferring millions of dollars from the employer’s account into the thief’s account. How? By mimicking the distinctive writing style of the employee’s CEO. This wasn’t an attack on the company’s IT network. It was something far darker. And it could have been prevented if the employee had received cybersecurity awareness training.
Kip Boyle is the author of “Fire Doesn’t Innovate: The Executive’s Guide to Thriving in the Face of Evolving Cyber Risks.” According to Kip, this darkness is because “it was an attack on people’s emotions.”
In this situation, the company’s firewall didn’t fail. The attack didn’t require sophisticated technology. It was carried out with just a simple email scheme that has succeeded for many years. But why do these attacks keep working despite improving cybersecurity technology?
Because companies don’t give employees effective cybersecurity awareness training, if they give any at all.
This training is just as critical for small to medium-sized organizations, because they’re more likely than a big company to fold after a single cyber attack. So, the vicious attacks on human emotions continue.
In this article, we’re going to focus on training in small businesses, including:
- Why they lack the cybersecurity training they need.
- Five ways to promote cybersecurity awareness.
Let’s dive in!
Why Many SMBs Lack Effective Cybersecurity Awareness
Kip owns Cyber Risk Opportunities in Seattle. He works with corporations of various sizes on assessing their cybersecurity risks and creating cyber risk management game plans.
According to Kip, these are five common reasons SMBs drop the ball with cybersecurity training.
1. They believe cybercrime is strictly a technology issue.
Kip describes the CEO-mimicking scam in his book. It used to be called the fake president email scam. Now, it’s an example of a broader category called business email compromise.
“[…] none of the company’s technological defenses or controls were compromised. It was an attack on a person – and a process, not technology,” Kip says.
The company could have avoided this tragic loss, starting by teaching employees to recognize this type of scam and then establishing a dual-authorization process for large transfers.
2. They mistake regulatory compliance for cybersecurity.
“Compliance does not equal security,” Kip says. He explains that if you look at cybercrime loss history, most victims were compliant. That includes large organizations like Equifax, Target, and The Home Depot, and even government organizations. So, why did they fail?
Because compliance doesn’t equal security.
For example, tools like cybersecurity checklists are created but aren’t updated often enough. Compliance teams tend to be more reactive than proactive. IT security pros can’t afford that mindset.
Compliance with cybersecurity regulations is, of course, critical. Financial services firms know this well. Some cybersecurity checklists from regulators can be effective when used correctly.
But checklists can become outdated quickly, Kip points out. Your cybersecurity game plan must be built to adapt to new threats.
3. Their “training” is a once-per-year snorefest.
Marching your employees through a mandatory annual online cybersecurity training program usually does next to nothing to protect your company’s data. Nor does bringing in an expert speaker once in a long while.
You need to gain your employees’ ongoing buy-in, engagement, and accountability. (We’ll talk more about that below.)
4. They don’t think they’re a target.
Many companies seek cybersecurity training only after being hit by ransomware, fraudulent funds transfer, etc. Until that moment, they probably believed their current cybersecurity protections were working just fine.
Or maybe they simply thought they weren’t a juicy enough target for cybercriminals.
Kip says it’s dangerous to think your IT assets have nothing of value.
Cybercriminals breaking into your network may find a dormant PayPal account they can use to launder stolen money, for example. Or they’ll find your insurance policy information and file fraudulent claims. And so on.
Every company is a target for today’s cybercriminals. Especially with the increase of the organized crime model run by hacker networks based in Russia and elsewhere, Kip says.
5. They can’t afford cybersecurity training.
When I’ve recommended training programs for Teal clients, they’re often surprised at how affordable training is, including the phishing awareness program through KnowBe4.
The cost of outside expertise is only one side of the expense equation, of course. The other side is the potentially catastrophic cost of not investing in your staff’s cybersecurity awareness.
Not all cybersecurity training requires outside expertise, however. Kip’s book lays out a game plan designed for non-IT experts to follow.
Here are some key elements from the book and our discussion with Kip that relate to SMBs, especially those in financial services.
5 Ways to Promote Cybersecurity Awareness in the Workplace
1. Make cybersecurity part of every employee’s job description
Cybersecurity can’t be solely the responsibility of an IT staff or vendor. Every employee is a potential gateway for cyber thieves. So, every employee must be aware of cybersecurity risks and how to address them.
Kip recommends business owners set up a continuous program of cybersecurity education, measurement, and improvement.
A key part of that process is engaging employees through questionnaires and/or interviews about your company’s exposure to cyber risks, and scoring the result to establish a baseline.
For a sample questionnaire, see Phase 1 Step 4 of this workbook Kip created as a companion to his book. For further guidance, watch Kip’s video tutorial.
Kip describes one client that improved scores after simply adding a line to all employees’ job descriptions:
Must follow company procedures to identify and report potential breaches to sensitive customer data.
“It was a seemingly small change, but it was enough to increase their score, improve their Identify function, and enhance their practice of reasonable cybersecurity,” Kip says.
2. Provide phishing training that includes ongoing simulated phishing tests
Verizon’s 2023 Data Breach Investigations Report identifies phishing as one of the three primary ways cybercriminals gain access to an organization. You and your employees can read about how phishing works. But until you actually see phishing emails directed at you, you won’t know what to look for.
Kip suggests this phishing quiz from OpenDNS as an introduction. He also recommends a training program that includes simulated phishing emails sent to employees about once per month.
KnowBe4 quantifies the effect of this combined training and simulated phishing program. In its annual Phishing by Industry Benchmarking Report, it measures the “phish-prone percentage” (PPP). This is the percentage of employees in a given industry who fall for a simulated phishing attack.
According to KnowBe4, if an organization scores 33%, then “one out of three employees was likely to click on a suspicious link or email or comply with a fraudulent request.” Across all industries and sizes, the average PPP was 33.2% – roughly the same as last year.
Here’s a sample of the 2023 benchmarks:
You can see the vast improvement through training and testing, but Kip cautions that even a 1% to 2% click rate by employees leaves your business vulnerable.
You’ll probably never eliminate the risk. What you’re looking for is “reasonable cybersecurity.”
3. Teach a standard procedure for electronic funds transfers
“Business email compromise” is the new term for “fake CEO” in part because this type of electronic funds transfer scam has spread. It’s expanded to many other employees at all levels of a company, Kip says.
“Nobody should be able to move money without a second person saying, ‘Yes I agree this is a legit request,’” he says.
“But most small and medium-sized companies don’t have these dual controls in place, and that’s why scammers are getting so much money out of us.”
Financial services firms, especially, should train clients and vendors as well as employees on safe funds transfer procedures.
Example
Tell your clients and vendors you’ll NEVER simply email them with instructions for wiring money to a different account. You’ll always call them or tell them personally first. The opposite should also be true. If a client or vendor emails you with new funds transfer instructions, follow up personally.
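To make the dual-control rule and the callback rule concrete, here is a small added Python illustration (it is not code from Kip’s book, his workbook, or Teal); the approval threshold, the payee data and all function names are assumptions:

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample of payee accounts "on file" (stand-in for vendor master data).
ACCOUNTS_ON_FILE = {"Acme Supplies": "US-111-222"}
# Assumed limit above which a second person must approve the transfer.
DUAL_CONTROL_THRESHOLD = 10_000.00


@dataclass
class TransferRequest:
    requester: str            # employee who entered the request
    payee: str
    destination: str          # account the payer was asked to wire to
    amount: float
    approvers: set = field(default_factory=set)
    callback_by: Optional[str] = None   # who confirmed new instructions by phone


def instructions_changed(req: TransferRequest) -> bool:
    """True when the destination is not the account already on file for the payee."""
    return ACCOUNTS_ON_FILE.get(req.payee) != req.destination


def approve(req: TransferRequest, approver: str) -> None:
    """Second-person approval; the requester may never approve their own request."""
    if approver == req.requester:
        raise ValueError("requester cannot approve their own transfer")
    req.approvers.add(approver)


def confirm_callback(req: TransferRequest, staffer: str) -> None:
    """Record that a staffer phoned the payee on the number on file (not one from the email)."""
    req.callback_by = staffer


def blocking_reasons(req: TransferRequest) -> list:
    """Why the transfer may not be released yet; an empty list means it can go."""
    reasons = []
    if req.amount > DUAL_CONTROL_THRESHOLD and not req.approvers:
        reasons.append("needs a second approver")
    if instructions_changed(req) and req.callback_by is None:
        reasons.append("new payment instructions not confirmed by phone")
    return reasons


def release(req: TransferRequest) -> bool:
    """Release only when both the dual-control and the callback rules are satisfied."""
    return not blocking_reasons(req)
```

A request for a large amount to an unfamiliar account is blocked twice over until a second person approves it and someone confirms the new instructions by phone.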
4. Make training frequent and specific to your company
There’s a reason Kip’s cybersecurity training process starts by getting employee input. This feedback can help you design training specific to your company operations.
Training for a mortgage escrow service should be different than training for a financial advisor firm. You may require expert guidance to create your cybersecurity awareness training program, but don’t settle for a one-size-fits-all approach.
I recommend brief monthly training to Teal clients to keep employees aware of cybersecurity threats and best practices.
5. Choose an IT managed service provider that specializes in cybersecurity
Kip notes that most mid-sized businesses he works with use what the IT industry calls a managed services provider (MSP) or a managed security services provider (MSSP).
These firms, including Teal, essentially act as your business’s IT department. For cybercriminals, an MSP can be a gateway to a large pool of SMBs. So, choose your IT vendor wisely, Kip says.
He urges SMBs to choose an MSP that specializes in cybersecurity, not simply one that does IT installations, repairs, and/or help desk functions.
Pro Tip: One way to see if an MSP runs a cyber-secure operation is to look for the international information security certification called ISO 27001 or the CompTIA Trustmark+ certification.
Cybersecurity Awareness is a Leadership Issue
Kip explained the importance of leadership in security awareness training best:
“The goal of cybersecurity awareness is to create a culture of skepticism. Especially around emails. And a culture of continuous improvement. Because you can be sure that cybercriminals are committed to continuous improvement.”