Security Awareness – A Tale of Two Small Businesses

Advice from DC The Computer Guy


Providing IT support to small businesses has allowed me an intimate look into how they operate. Over the years I’ve noticed that most of these started because the owner was good at a trade and not necessarily because they were good at business. Most, including myself, do not have any formal business education, rather they learned how to operate their business as it grew.

Always having been a student of people, over the years I’ve paid attention to how my clients managed their businesses. Sure, I liked to see what they were doing right and took note of their successes, but I paid particular attention when things went wrong. I feel strongly that there are many more lessons to be learned from mistakes and challenges than from when everything is running smoothly.

And that brings us to this blog, which is about security awareness. My normal routine is to spend more time contemplating what I’m going to write than actually writing. I like to work out the full story in my head before I sit down to write the first word. When thinking about this blog, two clients kept coming to the forefront of my mind. The first client, whom we’ll refer to as Client A, places an emphasis on ensuring that their employees are aware of the security threats around them, while the other, Client B, does not see the value in it.

It was a Lesson Learned, It was a Lesson Lost

Approximately 10 years ago, Client A had an employee who clicked on a link when they shouldn’t have. This resulted in their entire file system being encrypted. Luckily, because they were our client, we had everything in place to help them recover from this threat. A long weekend of restoring backups and rebuilding the infected computer was all it took to get them back up and running, but the scare of losing all that information taught this client a valuable lesson. Since then, she has placed an emphasis on ensuring all employees are aware of security threats, know how to spot them, and understand the process for dealing with them.

Learning from that incident, Client A has maintained their security awareness and by doing so has kept the environment secure and has had zero security incidents, zero malware infections, and zero viruses.

Client B, on the other hand, calls CLARK routinely with issues like slow computers, slow network performance, malware, and viruses. And yet, no matter how often one of the employees, or the owner himself, clicks on a link and infects their computer, this client refuses to learn this same lesson. Where Client A is preaching awareness, Client B is in a vicious loop of break and fix, so each time their employees break something, CLARK goes in and fixes it.

It is Security, It was Uncertainty

Security experts will tell you that most security incidents – nearly 90 percent – are due to human error. If you know this, then it makes sense to take the time to educate your employees on how to recognize and avoid these threats so that you have fewer incidents, such as a computer being infected with a virus.

I’ve pointed this out to many clients over the years, and the ones that have listened call us less, while the ones that don’t listen call us often.

If you are in this cycle of break and fix, what should you do?

Well, there are two basic approaches. Either hire a company like CLARK to provide security awareness training or take it upon yourself to be educated in the threats your industry faces and provide security awareness through group forums, such as staff meetings, and forwarding cybersecurity news articles. When it comes down to it, employee awareness is the key to mitigating these threats – your role is to decide how to go about bringing that awareness.

It is Training, It is Awareness

At CLARK, we provide security awareness training through multiple formats, but our primary channel is a weekly staff meeting. It covers a range of topics – but one of the most important, if not the most important – is security awareness. By the way, if you don’t conduct routine staff meetings, I advise starting one this week! And if you don’t know what to cover, here’s our agenda template.

As the owner of CLARK, I feel it is extremely important that I stay on top of the security threats and that I set the standard for all employees to follow.

In our staff meetings and email updates we cover many topics, some of which are specific to our industry, but I advise clients to start with these topics:


How to Avoid Phishing and Social Engineering Attacks.

Phishing and social engineering are the biggest threats we see facing our clients today. I routinely look for news articles covering both topics and will pass them along to all of our employees, both for their knowledge and so they can pass the information on to their customers. In our staff meetings we cover not only what to look for in order to avoid falling victim, but I discuss new techniques that the cyber criminals are using. Doing this ensures that our employees are aware of what to look for, and this goes a long way in protecting information. In fact, clients that keep their employees aware of existing and emerging threats rarely call us for something like viruses, malware or encrypted files.

If you need some help with the topic, check out our Phishing and Security Awareness blogs.


The importance of managing passwords.

Password management is a key component of network security. Ensuring that employees are following best practices not only strengthens your security, but provides them with the information they need to keep their personal information safe. Knowledge of the fundamentals, such as how to make strong passwords, the importance of not sharing passwords, and how cyber-criminals use social engineering and phishing attempts to steal your passwords, will go a long way towards ensuring your business information is safe.

For some information on these best practices, check out our Strong Password and 2FA blogs.


Ensuring devices are secure.

CLARK has a highly mobile workforce so it is extremely important that we cover device security. Laptops can be stolen from cars, smartphones are easy to misplace, and there are a slew of other physical threats. Covering topics like hard drive encryption, the importance of passwords on every device, and why devices should have a timeout period where they auto lock helps ensure information is protected even if a device is lost or stolen.

Covering physical security gives an added layer of security which helps me sleep at night!


What to do when the worst happens.

That’s right, it’s important to explain to your employees what to do if they fall victim to a cyber-threat. No matter how prepared we are, it can happen, and it has been proven that those who react quickly to mitigate the threat will significantly reduce the impact of the cyber-crime.

If you need help with this one, we’ve got you covered with our blog You’ve been Hacked, Now What?


In today’s world, threats exist all around us. We are constantly being targeted through phone calls, emails, and infected websites. Teaching yourself and your employees what to look for, ways to protect information, and what to do in case of a breach is a proven way to reduce the risk of a successful cyber-attack. It takes everyone on your team to protect your business’s information from cyber-criminals. One weak link can spell disaster for a small business!