ProtonBlog(new window)

The key to small business cyber security is a culture of security awareness

Share this page

Small business cybersecurity is often overlooked, either due to a lack of expertise or funding. This is a mistake. Cyberattacks are costly to mitigate but potentially more costly to recover from after they occur.

There are two things cybercriminals want to steal from your employees: your organization’s data and its money. To get either of those things, usually all they have to do is invent a sufficiently persuasive con.

As a manager, your challenge is to increase the likelihood that, when confronted with, say, a phishing attempt(new window) or a fraud email, your employees will be able to recognize the attack and report it. The cost of data breaches and cybercrime is growing(new window), and data protection regulations—from the GDPR(new window) to its possible US counterpart(new window)—now have more teeth(new window).

Fortunately, there are simple ways to stay ahead of the cybercriminals. As a data security company, we are uniquely predisposed to having a culture of cybersecurity. Even so, we have instituted policies, conducted cybersecurity awareness training sessions, and implemented systems to reinforce this culture.

In this guide, we’ll share some of our tricks and best practices that we hope can help your organization as well.

Empower a cybersecurity officer and make a plan

As with most projects in any organization, the first step is to designate someone responsible for making sure the job gets done. This person could be from your IT staff, but which department they are from matters less than their willingness to learn about cybersecurity and hold team members accountable for completing training sessions and implementing digital safety practices. The first thing your cybersecurity officer should do is conduct a threat and risk assessment. It should include a detailed overview of:

Assets —  Employee data, client credit cards, trade secrets, money, etc. List the things of value your company holds, where and how they’re stored, and who has access to them currently.

Threats — Hackers, disgruntled employees, competitors, cybercriminals, governments, etc. Be as inclusive and imaginative as possible. You’ll rank these threats later when assessing risks.

Vulnerabilities — Human error, unsecured communications, poor network security, unencrypted service providers, etc. Your past experiences, knowledge of your own systems, and existing research about data breaches can help you here.

Risk — Which teams are more susceptible to threats? Which assets are most valuable? This analysis will help you decide where to focus the most energy.

Countermeasures — Cybersecurity awareness training, end-to-end encryption, access controls, data minimization, etc. Based on the information you’ve already compiled above, you can determine how to mitigate risk.

Armed with a better understanding of the assets, threats, and vulnerabilities within your organization, you can begin implementing countermeasures.

Create a cybersecurity policy and use it regularly

Your small business’s cybersecurity policy should include basic guidelines that all employees must follow. We will go into more detail about cybersecurity policies in future articles, but this should include everything from recommendations about using secure web browsers, email safety tips, VPN requirements, anti-phishing best practices, password recommendations, and more.

As part of your employee onboarding process, everyone on your team should receive a copy. However, to maintain a culture of cybersecurity awareness, cybersecurity officers should regularly refer to this document and issue periodic reminders of its contents. Managers should talk about the cybersecurity policy, too, to emphasize its importance. Your cybersecurity policy isn’t just another boilerplate HR document. Understanding it and following it is part of everyone’s job.

Related article: A cyber security guide for small businesses(new window)

Hold regular cybersecurity awareness training sessions

These training sessions should happen soon after a new employee starts and then be updated periodically. The training should emphasize the most important aspects of the cybersecurity policy while also giving employees an understanding of the specific threats your management team has identified. These should be specific to your organization and to your industry. For example, if there are known threats targeting companies similar to yours through certain attack vectors, these training sessions are an excellent opportunity to educate your staff about preventing such attacks.

There are also third-party cybersecurity firms that can help you here. For instance, Sophos offers anti-phishing training simulations(new window). Your cybersecurity officer should be tasked with researching and proposing a cost-benefit analysis for contracting outside security vendors.

Some teams or individuals may be more vulnerable to attack than others based on their specialty or level of access. Network administrators, managers, and anyone handling payroll or customer data may need additional training and attention.

3 major cybersecurity best practices

There are a handful of cybersecurity practices that are so important and basic that they should be mandatory in your organization.

Use two-factor authentication (2FA)

— Turning on 2FA for every account that offers it (whether it’s your company Slack or your employee’s Proton Mail account) can help prevent account takeover, which is a major problem for companies and a common source of data exposure.

Be alert for phishing

Phishing attacks(new window) use social engineering to entice users to click links, download attachments, or divulge login credentials in efforts to compromise their device or your network. Your employees should be trained to recognize common phishing strategies, to report suspicious emails to your small business’s cybersecurity team, and to always verify emails before clicking a link or responding.

Use strong passwords

— It’s important to use strong passwords that are less likely to be decrypted by hackers in a data breach. We have published information about how to choose a strong password(new window) for more details.

Conclusions

The most important thing to remember is that creating a workplace culture of cybersecurity awareness requires buy-in from employees at every level. If management doesn’t view cybersecurity as a priority, then lower-level employees won’t either.

Entry-level employees are often an easy target for hackers and cybercriminals because they have less training and deal with less sensitive information. Yet the information they have in their accounts can be used to devise more damaging social engineering attacks. Junior employees with access to funds can also be more easily tricked into wiring money on behalf of a fake boss(new window) or paying bogus invoices.

The primary way to confront these threats is to ensure your employees are always on guard. If you demonstrate that cybersecurity is a priority in your organization, they will be.

Best Regards,
The Proton Mail Team

Sign up and get a free secure email account from Proton Mail.

We also provide a free VPN service(new window) to protect your privacy.

Proton Mail and Proton VPN are funded by community contributions. If you would like to support our development efforts, you can upgrade to a paid plan or donate. Thank you for your support.

Protect your privacy with Proton
Create a free account

Share this page

Ben Wolford(new window)

Ben Wolford is a writer and editor whose work has appeared in major newspapers and magazines around the world. Ben joined Proton in 2018 to help to explain technical concepts in privacy and make Proton products easy to use.

Related articles

What is 3-2-1 backup
Data backup is vital for businesses and individuals alike: In case something happens to your primary computer, you always have a copy of your data to fall back on.  How should you approach backup, though? The 3-2-1 rule can act as a guide when decid
What was your first pet’s name? In what city were you born?  We’ve all had to answer these questions to reset a long-forgotten password, but consider how that works. Much of this information is easy to find for others (or easily forgotten by you), m
In the early days when Proton started, we often received a question along the lines of “I love the product and what Proton stands for, but how do I know you will still be around to protect my data 10 years from now?”  Ten years and 100 million accou
Credential stuffing is a popular type of cyberattack where attackers take login credentials and use them on thousands of websites, hoping to fraudulently gain access to people’s accounts. It’s an effective attack, but fortunately, one that’s easy to
With Skiff abruptly shutting down operations, many people are on the lookout for alternatives that don’t compromise on privacy — and won’t suddenly disappear. People were attracted to Skiff because it promised privacy, no ads, end-to-end encryption,
Skiff is dead. On Feb. 9, the email company Skiff announced it was being bought by Notion. Many Skiff customers have been shocked by this news, as their inboxes have been sold out from under them. Skiff gave people six months to export their data be