Empowering employees to help prevent cyberattacks
Even the most advanced technologies and significant investments in cybersecurity can’t fully protect businesses from a major cyber risk: their own employees.
In the 2024 Voice of the CISO report by cybersecurity firm Proofpoint, 74% of survey respondents said human error is their most significant risk when it comes to cyberattacks. This finding is echoed in a 2023 study by Verizon, which found that human error is indeed a factor in 74% of total breaches, despite ongoing efforts by enterprises to strengthen their defences and increase training in cybersecurity.1,2
Employee training can fall short for several reasons: distractions in the workplace, a lack of awareness about the critical role employees play as the first line of defence, and the challenge of staying on top of the evolving threat landscape, to name a few.3
Small- and medium-sized businesses (SMBs) face an even bigger challenge: They might not have the resources to conduct employee training in the first place, relying instead on third parties to support their security measures. This can be a costly mistake.
Despite the perception that cybercriminals only target large corporations, certain types of attacks, such as social engineering, are more frequently aimed at small businesses. These companies are typically not financially prepared for an attack, and one could even put them out of business. According to IBM’s 2023 Cost of a Data Breach Report, the average cost of a data breach for organizations with fewer than 500 employees is US$3.31 million.4,5
Simple steps for employee training in SMBs
While it may not be feasible for SMBs to regularly conduct extensive employee training sessions, mitigation strategies don’t have to be complex. There are simple and cost-effective measures that can be easily understood and adopted, making it possible for SMBs to strengthen their cybersecurity efforts.
Make employees aware of the critical role they play: First and foremost, employees must understand the “why.” According to a 2023 survey by the Insurance Bureau of Canada, many employees underestimate the role they play in being cyber safe at work and the impact of potential cyberattacks on their employer. Nearly half (47%) believe technology plays more of a role in protecting their workplace from cyber threats than they do; 30% believe their employer is solely responsible for protecting the organization from cyber threats; and 31% do not believe cyber criminals would target them.6
Whether it’s in the form of interactive workshops or channels like emails and posters, employers should regularly communicate security awareness to staff. When they are aware of the importance of cybersecurity and their role in safeguarding their company, employees are more likely to take this issue seriously and report suspicious activities.7,8
Educate employees about common and evolving threats: Educating staff about different types of cyberattacks, how to spot them, and how to respond to them is crucial for protecting against breaches. Recognizing phishing tactics, for example, includes identifying suspicious emails, unusual requests, and fake websites. Staff should also be clear on whom to contact if they encounter a suspicious message. In a social engineering attack, cybercriminals may mimic the writing style of a CEO to trick an employee into sending money. In this case, businesses should have dual controls in place, meaning a second person must verify the request before any funds are sent.9,10
As part of awareness training, SMBs can take advantage of free online resources, such as webinars, toolkits, articles and e-learning courses from cybersecurity organizations like the Canadian Centre for Cyber Security and the Canadian Institute for Cybersecurity, the Government of Canada’s Get Cyber Safe platform, as well as cybersecurity firms.
Other ways to keep employees informed are through newsletters with tips, news about recent threats and best practices; informal lunch-and-learn lessons where employees can share news and insights; and a database or guidebook where employees can stay up to date on the latest threats and find answers to their cybersecurity questions.11,12,13
Nurture a cybersecurity culture: A strong culture of cybersecurity – meaning it’s entrenched in the company’s values – is essential. SMBs should lead by example, showing the company is committed to cybersecurity at all levels. This makes employees more likely to follow suit. Since employee engagement is a key element of building a cybersecurity culture, business leaders should also recognize and reward employees who demonstrate good practices.14
Another way to build a strong cybersecurity culture is to speak employees’ language. Experts advise communicating in plain language, avoiding technical jargon and focusing on practical advice employees can use daily. For example, rather than using the term “multi-factor authentication,” they can explain there is an extra layer of security when logging in.15
Additionally, fostering open communication and a “no-blame culture” is essential. Employees should feel comfortable asking questions, reporting suspicious emails and voicing concerns without fear of reprisal.16
While SMBs may face resource constraints, the cost of not investing in cybersecurity – even in the simplest of ways – is far greater. By prioritizing employee awareness and creating a strong cybersecurity culture, businesses can turn their weakest link into their strongest line of defence.
Sources
1 Proofpoint, “Proofpoint’s 2024 Voice of the CISO Report Reveals that Three-Quarters of CISOs Identify Human Error as Leading Cybersecurity Risk,” May 21, 2024
2 Verizon, “2023 Data Breach Investigations Report: frequency and cost of social engineering attacks skyrocket,” June 6, 2023
3 Skillsoft, “Why Security Training Fails And How To Fix It,” June 3, 2022
4 StrongDM, “35 Alarming Small Business Cybersecurity Statistics for 2024,” Feb. 1, 2024
5 Business.com, “The Cost of Cybersecurity and How to Budget for It,” Aug. 13, 2024
6 Insurance Bureau of Canada, “Are you cyber savvy? IBC’s research suggests business owners and employees could be putting their organizations at risk,” Nov. 6, 2023
7 LinkedIn, “You need to communicate security awareness to your employees. What are some effective ways?”
8 FasterCapital, “Train your employees on cybersecurity,” June 4, 2024
9 Pure IT, “Five Ways Small Businesses Can Stop A Cyber Breach From Ever Happening”
10 Teal, “5 Ways to Promote Employee Cybersecurity Awareness Training,” July 25, 2024
11 Mitnick Security, “Remote Security: 5 Cyber Security Tips for Employees and Businesses,” Feb. 22, 2024
12 The AME Group, “Engage Employees To Increase Cyber Safety”
13 Compyl, “Getting Started With Cyber Security Awareness Training for Small Business,” Sept. 5, 2024
14 Babylon Solutions, “Cybersecurity Guide for Small Businesses: How to Protect Your Company,” Oct. 7, 2024
15 SMB Solutions, “10 Easy Steps to Building a Culture of Cybersecurity Awareness,” Aug. 23, 2024
16 Tripwire, “Cultivating a Cybersecurity Culture,” Jan. 23, 2024