Creating a cybersecurity training curriculum for SMBs and MSPs

A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
(Image credit: Shutterstock)

Cybercrime is at heart a game of cat and mouse. As cyberattacks grow in sophistication and scale, security solutions likewise must innovate and develop. One misstep can give the bad guys the advantage and, too frequently, it isn’t the technology but employees that give them the edge.

Human-related error continues to be the primary cause of successful cloud breaches, according to a 2023 Global Cloud Security Study. A separate Data Breach Investigation Report cites 74% of all breaches involve a human element.

Every business, regardless of size, is a target. In fact, the same Data Breach Investigation Report claims small businesses face more frequent incidents than far larger organizations. The good news is that businesses are improving their security posture by investing in their people, by way of their business security awareness training (SAT) program. In fact, small and mid-size businesses (SMBs) are conducting training at nearly the same pace as enterprises. According to a 2023 Global Ransomware Survey, 83% of SMBs and 96% of enterprises require employees to take SAT.

While the value of training is well known, the way we work – and the cybersecurity threats that follow us – have evolved into a fluid, always-on modality that creates a new level of cognitive challenges for us as we go about our personal and professional lives. These new mental challenges are not effectively addressed through the cumbersome, time-intensive training sessions perfunctorily performed on a quarterly or even annual basis. New threat variants continue to emerge, new vulnerabilities are exploited, while employees juggle more tasks than ever before. And the cycle continues. Cybersecurity awareness training sessions must be shorter, more relevant, and more frequent to have any chance at improving cybersecurity behavior.

And don’t forget about administrators. Due to limited resources and constrained budgets, managed service providers (MSPs) often task their admins with SAT tasks which they are often not suited for. Essential SAT tasks such as content curation and campaign reporting are specialized and not typical admin responsibilities. Therefore, these tasks become time-intensive and challenging for most admins to maintain especially when assigned on top of their other responsibilities. Keeping this administrative overhead to a minimum is an essential aspect of a sustainable SAT program.

To create and maintain an effective training program, consider these five tips.

Guy Greenbaum

Senior Product Manager at OpenText Cybersecurity.

1. Use phishing simulations and microlearning together

Phishing remains the most common type of social engineering attack – and the level of sophistication continues to surprise. Phishing messages increasingly draw on local current events or publicly available information about a company or employee. And these scams aren’t limited to email; threat actors are advancing their skills and creating fake voicemails using AI voice generators.

By using short, course-based learning and phishing simulations, learners will gain the knowledge they need along with the opportunity to practice responding to attacks. Choose course content that presents topics ideally requiring no longer than 10 minutes. Pair the course with a phishing simulation that presents a relevant scenario to what is covered in the course. The goal is to keep relevant security topics top of mind and encourage employees to stop and think before they click including verifying any sensitive requests, and to report all suspicious incidents.

2. Make password management easier

Have an effective password policy in place that employees know and understand. Most employees are likely familiar with the theory behind creating strong passwords: avoid simple and guessable words and numbers, and have a unique, complex phrase for every site that is accessed. However, the challenge of creating and then remembering multiple intricate passwords often prompts end users to take risky shortcuts – from reusing an identical password to keeping a physical list of credentials next to a workstation.

Organizations vary and no one solution is always best. Awareness training should go beyond warnings and offer best practice solutions that are a fit for their particular culture. For example, a quick refresher course on creating strong, memorable passwords with minimal time and effort might include creating passwords with common elements but customised to specific settings (such as ABT2_uz_sAg! for ‘about to use Sage’) or using the keyboard as a canvas to create shapes, rather than type words. Include fun exercises that prompt employees’ creativity, increases engagement and makes strong passwords less daunting.

Some organizations specify the use of password managers to securely store credentials for multiple sites. Regardless of specific tools or tactics, it’s wise to reinforce the importance of password hygiene and the role employees play as a company’s first line of defense against threat actors.

3. Reinforce remote working best practices

In today’s hybrid work environment, it’s vital that employees understand how to keep their devices and information safe when working outside the office. Remote devices are often the first target for cybercriminals. While endpoint protection solutions, multifactor authentication and virtual private networks (VPNs) all help mitigate remote access risks, they are not failproof; especially when best practices are not followed. After all, when away from the workplace, it is easy for employees to become lax.

Remote working risks and best practices should be a regular part of all SAT programs. Beyond mandating the use of a VPN for accessing sensitive company data, audits should be performed to confirm (and encourage) compliance. Continuous education on the dangers of accessing company data via unsecure networks like public-Wi-Fi can help security stay top of mind.

4. Don’t forget about physical security

In today’s digital age it’s easy to forget the basics of physical security—never leave laptops and desktops unattended. All devices should have a screensaver that locks automatically when left unattended and requires a password to prevent unauthorized access.

Likewise, awareness of physical surroundings, particularly when out of the office, can prevent the theft of information or credentials. For example, shoulder surfing, a form of data theft where criminals simply watch nearby screens to steal credentials, is a very real threat to organizations.

And again, it’s important that employees consider the potential risk of public Wi-Fi hotspots. These are high risk “convivences” and often unsecure. Using a VPN is a simple way to stay safe.

5. Increase the frequency of training

Decades of experience with digital training tools and techniques have proven that short, continuous learning sessions are effective in changing security behaviors. And data shows that with ongoing sessions, the click-through rate on phishing simulations drop from 37% to 13% in only six months – a 65% reduction. Though each organization should determine what works best for their goals and culture, increasingly the observed standard for effective SAT programs is to deploy SAT sessions on a monthly basis.

By covering security essentials on a continual basis, it’s possible to better protect the company and help ensure employees are a security asset rather than a security risk.

We've featured the best business VPN.

This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro

Guy Greenbaum is a Senior Product Manager at OpenText Cybersecurity. He also leads the company’s Security Awareness Training product.