Your small business needs a cybersecurity strategy, but beyond that, it also needs security awareness training. These two areas are not one and the same. There are important, distinct differences.
First, let’s talk about cybersecurity in general. By now you likely understand the importance of cybersecurity for your small business. If not, here’s a brief overview. Joe Galvin, chief research officer for Vistage, writes at Inc. about some of his firm’s recent research: 62% of small and medium firms admit to having an out-of-date, inactive, or nonexistent cybersecurity strategy.
This is highly problematic, he says, because small and medium businesses are huge targets for cybercriminals. These companies tend to have weaker security and less skilled security personnel (if they have any security personnel) than larger companies do. Yet they often store huge treasure troves of valuable data, like credit card numbers and other personally identifiable information.
Cybercriminals see this as a win-win. Security is lower and easier to beat, and the data available is often just as valuable as what they could get going after a bigger company.
Further, the stakes are so much higher than just a momentary loss of productivity. Many firms that undergo a cyber attack never recover and are out of business within a year.
Clearly, cybersecurity is of utmost importance for small businesses like yours.
Cybersecurity is important, yes. However, the best, most robust, most secure cybersecurity plan won’t protect you from your most dangerous threat: your own employees. That’s a blunt and surprising statement, but bear with us.
You need to be protected against traditional, “movie style” hacking, where bad actors infiltrate your systems from some faraway location. That is a real thing, certainly (though we can’t say it looks anything like it does on TV). It’s just not as common (or as easy to do) as the movies suggest.
In the real world, most of the cyber threats you’ll encounter don’t look like the movies. Instead, they look more like phishing and social engineering. That’s where security awareness training comes in.
We’re arguing that both a cybersecurity strategy and security awareness training are essential for your small business. If the difference between the two is still not clear, here it is restated: security awareness training handles the human component, while your cybersecurity strategy covers the digital component. Both are important, but they follow very different processes.
Security awareness training can take a few different forms. Some security awareness training is done online. Your employees read materials or watch static videos, then they take assessments to gauge what they have learned.
The convenience factor with this method is nice: employees can work at their own pace and at any time of the workday. There are some trade-offs with this method, too. The training can be a bit stuffy, and it’s not interactive. If employees need help or clarification, it’s hard to get it. Hands-on learners may struggle with this method, too.
Some companies also offer a hybrid approach, where static courses are combined with live webinar-style classes. Some employees will benefit from the immediacy of a live teacher, but the trade-off there is that all employees must be present at the same time.
Some companies also offer live, on-site instruction, either as a standalone or as a premium add-on to their basic package. This can be a great option for single-location organizations.
A firm that specializes in security awareness training won’t take a one-size-fits-all approach. As your organization grows in complexity, varying business areas may need differing instruction. Certainly, some fields have specific, unique needs, too. Organizations that work in the health care orbit will have HIPAA rules to contend with, while those in education or finance will have their own.
Some firms offer 50 or more different courses as a part of their security awareness training protocols. Make sure that the providers you consider have courses that fit the needs of your business and industry.
The cost of security awareness training varies based on many factors. The number of users receiving training is often the starting point for pricing. $1000 per year for an organization with 50 employees is a common baseline, but understand that program customizations and add-ons can increase this figure.
Other factors influencing costs include industry requirements, languages needed, and whether certification is desired. The number of courses each user takes may also affect cost.
Ask the providers that you are considering for a custom quote that breaks down the costs you can expect to see and which services those costs are associated with.
Having a cybersecurity plan and providing security awareness training are two vital components of your business’s digital security strategy. If you’re ready to explore what security awareness training should look like in your business, contact us today.