How Small Businesses Should Build Their Cybersecurity Training in 2023
Simulated phishing attacks that provide ‘gotcha’ moments aren’t working — here’s what does
In today’s digital landscape, the only constant is change. As cybersecurity becomes a growing concern for small businesses, companies need to modernize every part of their IT stack, and that modernization should extend to cybersecurity training programs. Thinly disguised phishing tests and check-the-box compliance videos are no longer enough.
We spoke with Erich Kron, Security Awareness Advocate at KnowBe4, a leading cybersecurity training provider. Kron explains how small businesses can adapt their cybersecurity training to meet the threats organizations face in 2023, and how employee training factors into a holistic and robust cybersecurity program.
Make a Positive Connection
Cybersecurity training is most effective when the learning process is enjoyable and engaging. Kron says it is important to understand what will resonate with your employees so they become invested in protecting the organization’s sensitive data and preventing cyberattacks. KnowBe4 offers a wide range of training materials, including games, animations, and live-action videos, to engage employees and make learning enjoyable.
Kron says the messaging around your training program can be as important as the training material itself. It cannot be conducted for compliance’s sake; showing employees how cybersecurity issues can affect the entire organization can help generate buy-in across the entire staff.
Kron also says that thoughtful, positive messaging is paramount, especially if an organization opts to run simulated phishing attacks. Those responsible for the simulations should take the organization’s full circumstances into account before crafting a lure that could come across as callous or uncalled for. For example, a phishing simulation that promises employees a bonus shortly after a wave of layoffs is likely to cause frustration and obscure the security lesson it was meant to teach.
One of the best ways to approach security training is open communication with employees. Sending a note about the program before the first phishing test email goes out can produce a better response. The note is also a convenient way to remind all employees of safe IT security practices: what phishing is, how to recognize it, and what can happen if they click a malicious link.
Additionally, the training content should be crafted to fit the organization. For example, an effective training program for a 100-year-old law firm will differ from an effective training program for a tech startup.
“You need to train and educate people on relevant topics that they care about so that individual behaviors transfer over into the workplace,” Kron says.
He suggests molding the training around seasonal events that may lend themselves to scams, such as holiday warnings about gift card scams or tax season warnings about stolen Social Security numbers.
Establish Buy-In From the Top
Setting the mindset of the organization when it comes to cybersecurity training requires coordination with leadership. By involving leadership in the decision-making process, organizations can align their training programs with their specific risks and priorities.
“You have to understand where the risks are, and leadership can provide guidance on that,” Kron says. “They can offer directions like, ‘Our shareholders are worried about ransomware. Let’s focus on that,’ or ‘We’re in finance, we’re worried about people targeting that department and getting them to accidentally send money to fraudsters.’”
Get Non-Technical Personnel Involved
Involving non-technical personnel, such as HR professionals, in the rollout of cybersecurity training can be beneficial. These individuals can bring a fresh perspective and effectively communicate with employees who may not have a technical background. Cybersecurity is a behavior-driven issue, and non-technical personnel can help change employee behavior and create a more secure environment.
“A lot of people in cybersecurity and IT are there because they love technology,” but they don’t necessarily have the skills to effectively communicate the motives for their work, Kron says.
When non-technical personnel explain the thought process behind the training to other non-technical roles like marketing, accounting, or sales, organizations can better change the behaviors of those who are most likely to be targeted.
Repeat, Repeat, Repeat
Consistency is key in changing behaviors and habits. Training programs should not be limited to annual compliance requirements. Instead, they should be consistent and frequent to reinforce good cybersecurity practices. Monthly training sessions that cover different issues can help keep security top of mind for employees and ensure continuous improvement.
“Compliance means you can train people once a year, check the box, and ignore it until next year,” Kron says. “Well, six weeks from now, how many people forget that information and go back to their day-to-day jobs? Anything less than once a month, you’re going to see a drop-off because people forget.”
Kron stresses that even something as small as a 10-minute monthly check-in can make a big difference. This discipline, sometimes referred to as “nudge theory,” has been shown to increase knowledge retention among employees.
KnowBe4’s own data bears this out. The company analyzed records from more than 60,000 organizations that run its phishing simulations and found that groups training weekly were 2.74X more effective at reducing risk than groups training less than once a quarter.
Be Smart, Be Secure
Organizations that offer innovative, engaging training materials and approaches are likely to see employees practicing better cyber hygiene. By tailoring training programs to the organization’s culture, involving non-technical personnel, and emphasizing consistency and communication, small businesses can create a holistic cybersecurity training program that mitigates risks and enhances overall security.
For more information on how KnowBe4 can help At-Bay policyholders design effective cybersecurity training programs, visit our Security Partner Network page.