SMBs

Is GDPR a Win for Cybercriminals?

GDPR represents a massive paradigm shift for global businesses. Every organization that handles data belonging to European residents must now follow strict security guidelines and businesses are now subject to hefty fines if data breaches are not disclosed....

American Cybercrime: The Riskiest States in 2018

Nearly 50 percent of Americans don’t use antivirus software That’s right; something as basic as installing internet security software (which we all know we’re supposed to use) is completely ignored by about half the US. You’d be amazed how common this and other risky...

Bad Apps: Protect Your Smartphone from Mobile Malware

Smartphone apps make life easier, more productive, and more entertaining. But can you trust every app you come across? Malicious mobile apps create easy access to your devices for Android and iOS malware to wreak havoc. And there are many untrusted and potentially...

Security Awareness Training: How to Get Started

Reading Time: ~3 min.

In the past, security awareness training for user education—i.e. empowering users to make more savvy IT decisions in their daily routines—was considered a “nice to have,” not a necessity. The decision to adopt user education was typically passed over because of budget, lack of in-house expertise, and the general lack of availability of high-quality, low-cost, computer-based training. In particular, small- to medium-sized businesses (SMBs) have suffered from these types of constraints, compared to larger, more resource rich organizations.

Today, it’s clear that end user education isn’t just “nice to have,” and SMBs know it. As recently as August of 2017, a Better Business Bureau study on the State of Cybersecurity revealed that almost half of SMBs with 50 employees and under regard security awareness training among their top 3 security expenditures, alongside firewalls and endpoint protection.

The increase in interest and budget allocation for end user education is understandable. On average, SMBs face $80,000 in annual losses following a ransomware or data loss breach. Users are on the front lines of your business, and even the most advanced security can’t stop them from willingly, if unwittingly, handing over sensitive access credentials. If you’re not educating your users, then you are putting your organization at an unnecessary and costly risk.

Here are a few tips for managed service providers (MSPs) and SMBs on getting started with end user education:

Introduce to Stakeholders

Like any new program, building a foundation for success begins when you engage your stakeholders and management teams. Send an email explaining the value of security awareness to management, share details and reports around your first phishing and training campaigns, and loop in IT. Not sure how to craft that first email? Check out

Start out with a Phishing Campaign

Consider starting your security awareness program with a simulated phishing campaign. The results of the simulation can also be used to demonstrate value to any more skeptical or reluctant IT decision-makers. Use the first phishing campaign as your baseline to gauge the level of awareness your end users already have. Webroot Security Awareness Training comes with a variety of template options to help you get started. We recommend using a template that mimics an internal communication from HR or the IT department to get the most eyes on the email. For early campaigns, it’s also a good idea to use Webroot’s “404 Page Note Found” template so users who fall for the phishing lure are unaware. This will help keep water cooler talk at a minimum, giving you a more accurate baseline. After that, be sure to link your phishing campaigns to training pages and courses to maximize the training opportunity.

Share results with End Users

Use feedback to inspire smarter habits. A key objective for security awareness training is to engage end users and raise the level of cyber awareness throughout the organization. For instance, sharing results of a simulated phishing campaign can help employees understand the impact of poor online habits and motivate them to practice better behaviors.

Webroot Security Awareness Training lets admins see who clicked what in a phishing simulation. Bear in mind: the point of sharing results is not to shame the unwitting marks who fell for the scam. Instead, try capitalizing on everyone’s engagement by sharing an overall statistical report, so users can recognize whether they clicked or avoided the phishing lure, without fear of embarrassment. More importantly, such a report would show the statistics around the organization as a whole, opening the door for further training programs to fill security gaps and provide a continuous learning experience.

Continuous Training: Set up your phishing and training program

Once end users are engaged and understand the value, the next step is setting up a training program. There is no one-size-fits-all program, but we recommend running at least one to two phishing campaigns per month and a minimum of one to two training courses per quarter. Depending on the needs of each organization, you may want to increase the frequency and adjust intervals throughout the year. Webroot Security Awareness Training includes numerous pre-built phishing templates you can use, including real-world phishing scenarios (defanged from the wild.) It also offers professionally developed and engaging topical training courses, which you can be proud to share with your company. Courses range from cybersecurity best practices and 5-minute micro-learning courses to in-depth compliance courses on PCI, HIPAA, GDPR, SEC/FINRA, and more.

When you start seeing the significant impact that relevant, high-quality, and proven security awareness education has on your employees, you’ll wonder how your business ever managed without it.

Top 3 Questions SMBs Should Ask Potential Service Providers

Reading Time: ~< 1 min.

It can be daunting to step into the often unfamiliar world of security, where you can at times be inundated with technical jargon (and where you face real consequences for making the wrong decision). Employing `

In a study performed by Ponemon Institute, 34% of respondents reported using a managed service provider (MSP) or managed security service provider (MSSP) to handle their cybersecurity, citing their lack of personnel, budget, and confidence with security technologies as driving factors. But how do you find a trustworthy partner to manage your IT matters?

Here are the top 3 questions any business should ask a potential security provider before signing a contract:

 

 

 

 

 

While these are not all of the questions you should consider asking a potential service provider, they can help get the conversation started and ensure you only work with service providers who meet your unique needsservice providers who meet your unique nee.

  1. Ponemon Institute. (2016, June). Retrieved from Ponemon Research: https://signup.keepersecurity.com/state-of-smb-cybersecurity-report/
  2. Ponemon Institute Cost of Data Breach Study: (2017 June) https://www.ibm.com/security/data-breach

Webroot’s 2015 SMB Threat Report: An Analysis

Reading Time: ~3 min.

Recently, Webroot published 2015 SMB Threat Report: Are organizations completely ready to stop cyberattacks?, which included the results from a survey of 700 SMB decision makers worldwide about their IT security, their readiness for security response, and use of MSP recourses in their environment.

Many SMBs are outsourcing cybersecurity to managed services providers (MSPs) to make up for the lack of time and in-house expertise. According to the report, 81% of respondents agreed such outsourcing would improve their bandwidth for addressing other tasks. With the majority of SMBs surveyed planning to increase their cybersecurity budget in 2016, VARs across a broad variety of industries are beginning to embrace this service-centric relationship with their clients. For customers, choosing to work with an MSP means they avoid installation and maintenance headaches. They also avoid diverting resources towards laborious IT security support tasks or ad hoc break/fix reseller charges.

smb1

Although SMBs appear more aware of cybersecurity-related risks to their organizations, many are still unsure or under-informed about their own readiness to handle such risks even with heavy investments of time into protecting the environments. Incredibly, even with 56% of respondents reporting over 17 hours spent on cybersecurity, 44% are still feeling they have less time to stay up-to-date on threats.

smb2

smb3

Just 37% of IT decision makers surveyed in the US, the UK, and Australia believe their organizations are completely ready to manage IT security and protect against threats. While I am not entirely surprised given the considerable cybersecurity challenges SMBs face, but it’s still an alarmingly low number.

On the flip side, when asked how confident IT decision makers would be that someone on their staff could deal with a cyberattack, a surprising 84% responded confidently. Given the other responses to this survey, this was unexpected and indicates a discrepancy and possible misperception of IT resources, knowledge, and capability to thoroughly address a cyberattack.

smb4

Webroot’s SMB Threat Report makes it clear that the future of security is in need of some change with IT decision makers are stretched thin. In the near future, we should expect a continued movement towards “outsourced IT,” particularly on the cybersecurity front. According to the survey, 81% of respondents believe outsourcing IT solutions would increase their bandwidth to address other areas of their business. In order to reap the full array of benefits, though, IT decision makers must be proactive about identifying MSPs that offer “intelligent cybersecurity” solutions.

Our definition of intelligent? Solutions that are easy to install, can be managed remotely, and provide real-time protection against modern threats. While these are all important qualifications, we expect SMBs to place an increased premium on the “real-time” component.