JensenIT Blog

JensenIT has been serving the Illinois area since 1991, providing IT Support such as technical helpdesk support, computer support and consulting to small and medium-sized businesses.

The SMB’s Complete Guide to Modern Cybersecurity Training

If your employees aren’t prepared to protect your business against cyberthreats, you have one of the biggest possible vulnerabilities to deal with. There are so many ways that any one of your team members could compromise your business through the simplest of mistakes. I don’t mean to scare you by sharing this; I just want to make clear how critical it is for everyone in your organization to take ownership of cybersecurity.

This will require ongoing training on an organizational level. What follows are the topics that this training absolutely must cover.

Key Training Points for Every Modern Business’ Staff

Phishing/Social Engineering

Cybercriminals will frequently target you and your employees as the most vulnerable points in the business.

Instead of hacking into your infrastructure, social engineering and phishing attacks rely on hacking into you and your employees. To do so, an attacker will pose as a trusted figure or authority and convince the targeted team member to share information or access via email, text, or voice calls. This makes it critical that everyone involved can spot suspicious activity and knows how to report it.

Excessive Urgency
If an email pushes you towards acting immediately, particularly to avoid negative consequences or similar threats, that’s a sign of a likely scam. 

Links and Attachments
If there’s no reason to expect an email to have a link or attachment included, be especially careful. Instead of clicking through, hover over any links to display their destination.

Grammar Errors and Malapropisms
If a message contains spelling errors, grammatical issues, and oddly phrased sentences, it may indicate that a non-native speaker or an automated source is responsible for its content.

Spoofed Sender Information
If an email comes in that appears to be from a colleague or superior in your business, but the address is slightly misspelled, stop and contact IT, because you’re being targeted. If you aren’t completely sure, reach out to them via an alternative method of communication.

These warning signs are your opportunity to alert your IT team to a potential phishing attempt so they can investigate. As such, you need a concrete process for your team to follow (something we can help you formulate).
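
Two of the warning signs above, the slightly misspelled sender address and the link whose visible text differs from its destination, can also be checked automatically when a message is reported. The following is an added example, not JensenIT's own tooling; the trusted domain `example-corp.test`, the 0.9 similarity threshold, and the sample message are assumptions made for illustration.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser

TRUSTED_DOMAINS = {"example-corp.test"}  # assumption: your real mail domain(s)
URLISH = re.compile(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})(?:[:/?#]\S*)?$", re.I)

def host_of(text):
    """Hostname if text looks like a URL or bare hostname, else ''."""
    m = URLISH.match(text.strip())
    return m.group(1).lower() if m else ""

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", ""
    def handle_data(self, data):
        self._text += data
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, self._text))
            self._href = None

def triage(raw_email):
    """Return the warning signs found in one raw email as a list of strings."""
    msg, findings = message_from_string(raw_email), []
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    for trusted in TRUSTED_DOMAINS:
        # Near-identical but not equal: the "slightly misspelled" address case.
        if domain != trusted and SequenceMatcher(None, domain, trusted).ratio() >= 0.9:
            findings.append(f"sender domain {domain} resembles {trusted}")
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:
        shown = host_of(text)
        # Visible text names one host while the href opens another.
        if shown and shown != host_of(href):
            findings.append(f"link shows {shown} but opens {host_of(href) or href}")
    return findings

# Constructed sample message, not a real email.
SAMPLE = ('From: "Pat Lee" <pat.lee@examp1e-corp.test>\n'
          'Subject: Invoice overdue, act today\nContent-Type: text/html\n\n'
          '<a href="http://login.invalid/pay">portal.example-corp.test</a>\n')
```

Calling `triage(SAMPLE)` returns both findings; a message from the trusted domain whose link text matches its destination returns an empty list.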

User Authentication

Passwords: they’re a pain in the neck to keep track of, but lax practices concerning them leave the door wide open for attackers. This is what makes it exceptionally important to reinforce a few practices amongst your team:

The More Complex, the Better
Make sure your employees know how to create more secure access credentials, ensuring they are sufficiently long and (critically) unique. By mixing uppercase and lowercase letters, numbers, and various symbols, and avoiding any personally relevant information or common patterns, you can minimize the likelihood that your passwords will be deduced.

Passphrases > Passwords
Instead of using predictable passwords, many experts recommend using passphrases with alphanumeric switching. Pick up the closest book to you and flip through it. Randomly point at the pages. The words you select are your new passphrase, once you’ve added some symbols and alphanumeric switching. These are both easier to commit to memory and more difficult to guess than what you would otherwise come up with.

Which would you be more able to keep track of, fAE9j??jo)a#^ggjiJ36, or <p3rf0rm<claustr0ph0b!c<fl!ght<?
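
The passphrase format shown above, sketched as an added example that is not part of the original post. It swaps the book-and-finger step for a cryptographically secure random choice; the word list is a constructed stand-in, and the character swaps and `<` separator are read off the sample passphrase.

```python
import math
import secrets

# Character swaps and separator taken from the sample passphrase above.
SWAPS = str.maketrans({"e": "3", "o": "0", "i": "!"})
SEPARATOR = "<"

# Constructed stand-in list; in practice load a list of several thousand words.
WORDS = ["perform", "claustrophobic", "flight", "lantern", "gravel", "orchid",
         "tundra", "velvet", "harbor", "cobalt", "mosaic", "thimble"]

def style(words):
    """Apply the format above: swapped characters and '<' around every word."""
    return SEPARATOR + SEPARATOR.join(w.translate(SWAPS) for w in words) + SEPARATOR

def generate(n_words=4, wordlist=WORDS):
    """Choose each word with a CSPRNG rather than by hand."""
    return style([secrets.choice(wordlist) for _ in range(n_words)])

def entropy_bits(n_words, list_size):
    """Bits of unpredictability from uniformly random word choice.

    The swaps and separator are fixed rules, so they add nothing here;
    the strength comes from how many words are drawn and from how large a list.
    """
    return n_words * math.log2(list_size)
```

Four words drawn from a 7,776-word list give about 51.7 bits, which is why the size of the list and the randomness of the pick matter more than the symbol swaps.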

One and Done
Critically, you should have exactly one password for each platform or account you are securing. Your Facebook should be protected with a unique code, as should your work email, your CRM account, and your personal banking accounts. It is especially important that your passwords are unique between personal and work accounts.

Leverage Multi-Factor Authentication
MFA is—in essence—a means of layering your protections in a way that makes it exponentially more difficult for someone to access your accounts without authorization. Let’s say that one of the services you depend on suffered a data breach, and your access credentials were part of the compromised data. Not good.

However, with multi-factor authentication in place, your account is still somewhat protected, as the attacker still won’t have the secondary proof they would need… whether that’s a PIN, a fingerprint scan, or a hardware token.

Use a Password Manager
Let’s address the elephant in the room: nowadays, people have dozens of accounts across their personal and professional lives. Expecting your employees to memorize sufficiently secure passwords or even phrases for each one is unrealistic at best. Enter the password manager, a secure, encrypted vault that lets you store and reference your various access credentials. Since the manager saves them for you, your passwords can be configured far more securely than they otherwise could be.

Endpoint Security

It should come as little surprise that attackers often target the devices your employees actively use as potential entry points into your network. As such, it is critical that these devices are properly maintained.

Updates and Patches
It is critical that you keep up with all your patches and updates, installing them as quickly as possible to close as many vulnerabilities as possible.

Lock Up
Build the habit among your team to always lock their screens whenever they step away from their workstations. Shortcuts make this simple—Win+L on Windows, Cmd+Ctrl+Q on Mac.

Antimalware and Antivirus
Educate your employees about the function of these critical protections and emphasize the importance of not disabling them.

BYOD
If operating under a Bring Your Own Device policy, make sure that the security requirements—such as mandatory encryption and remote wipe capabilities—are clearly defined and communicated to your team.

Data Handling and Classification

It is critical that each and every one of your employees is aware of the data entrusted to them—what falls under their responsibility, where it is to be stored, and how sensitive it is.

Data Classification
In short, everyone needs to be able to look at a piece of data and understand where it should be stored… and, even more crucially, whether they should have access to it based on their role within the business. Someone working in sales, for instance, has no reason to access internal employee records and therefore should not have that ability.

Storage and Sharing
On a related note, there needs to be organizational awareness about how data should be securely stored and shared as appropriate, exclusively using approved methods.

Removable Media and Drives
You need strict policies that prohibit the use of unknown or found USB drives to prevent malware infections.

Clean Desk Policies
All physical documents should be safely stowed away and secured to protect the information they contain.

Remote Work Security

As remote work requires your employees to use networks outside your control, certain preventive safeguards must be implemented.

Public Wi-Fi Dangers
The long and the short of things is that public Wi-Fi is intended to be convenient, an amenity that publicly-facing places like casual eateries and airports will offer to make their patrons’ lives easier. Unfortunately, this convenience also extends to cybercriminals, who will monitor these open networks for targets. As such, it is critical that your team has the protections in place to mitigate these threats and uses them.

Use of a Virtual Private Network
Anyone using a public network for work purposes (or really, any network other than your business’) should be using a company-owned VPN. Make sure that you reinforce how to do so correctly.

Securing the Home Network, Too
Strongly encourage your employees to emulate professional standards in their home networks as well—using strong passwords as we covered above and encrypting their Internet connection.

Incident Response and Reporting

Sometimes, things will go wrong. Your team needs to know how to conduct themselves when they do and there is a risk of a breach.

Immediate Action
Document the steps to quickly contact your IT team for assistance, whether in-house or with JensenIT. Emphasize that they should do so even if they only suspect an issue.

Contact Simplicity
Make sure your team has multiple ways to reach out for support so your IT or security team can be brought in swiftly.

Keeping Hands Off
Apart from reporting a suspected issue, your team members need to know they should not attempt to fix the situation themselves, as their efforts could easily complicate matters or destroy critical evidence.

How to Make Your Training as Effective as Possible

There are four critical elements of effective cybersecurity training:

  1. Mandatory Training, Complete with Tracking
    Everyone—employees of all seniority, vendors, and contractors alike—must receive some level of training, with their progress tracked to ensure completion.

  2. Regular Refreshers
    With how threats develop and change, all training should be ongoing, with regular, brief updates happening throughout the year. Annual seminars simply aren’t enough.

  3. Simulated Attacks
    Test your preparedness by executing simulated attacks against your employees. This allows you to safely gauge how prepared they actually are and direct further training more accurately.

  4. Focus on Relevance
    The one benefit of modern cybercrime is that it provides no shortage of practical examples to reference. Use brief, real-world scenarios to contextualize your training.

Don’t Be Another Business’ Training Reference

Too many businesses have failed because they underestimated their cybersecurity needs. Don’t add your name to the list. Give JensenIT a call at (847) 803-0044 for assistance in preparing your business for everything we discussed here and protect its future.

Contact Us

Learn more about what JensenIT can do for your business.

JensenIT
1689 Elk Blvd
Des Plaines, Illinois 60016