One in five small businesses fall victim to a cyber attack and of those, 60% go out of business in 6 months. While most business owners would agree that these numbers are sobering, many are not intentional about preventing a breach, and many are relying on luck to safeguard their business.

Some business owners may balk at that last statement because they know exactly how much money they spent this year on that new firewall and the endpoint protection software for all their computers. That's being intentional, right? Yes and no. The technology is important but it is certainly not the only, or even the most important, component of cybersecurity.

The highest castle walls are easily breached when the keys are turned over to the enemy.

People have always been the weakest link when it comes to cybersecurity. Attackers know this and they are always trying new techniques to trick people into giving up the keys to the kingdom.

The Small Business Administration's best practices for preventing cyber attacks start with "Train your employees".

The Federal Communications Commission's top 10 cyber security tips for small business start with "Train employees in security principles".

Employees are required to be trained for all aspects of their job, but so often, cyber security awareness training is overlooked. Yet, this area of training is one of the most important because one failure that leads to a breach could put the company out of business, cost the owner millions, and potentially put other people or businesses at risk depending on the nature of the breach.

The SANS Institute has identified five levels of maturity in an organization's security awareness efforts.

Non-existent

There is no security awareness program in any capacity. Employees have no idea that they are a target or that their actions have a direct impact on the security of the organization, do not know or follow organization policies, and easily fall victim to attacks.

Compliance Focused

The program is designed primarily to meet specific compliance or audit requirements. Training is limited to being provided on an annual or ad hoc basis. Security awareness professionals are disconnected from and do not work with the security team. Employees are unsure of organizational policies and/or their role in protecting their organization’s information assets.

Promoting Awareness and Behavioral Change

The security awareness team is part of and actively works with the security team. The program identifies the target groups and training topics that have the greatest impact on managing human risk and ultimately supporting the organization’s mission. The program goes beyond just annual training and includes continual reinforcement throughout the year. Content is communicated in an engaging and positive manner that encourages behavioral change. As a result, people understand and follow organization policies and actively recognize, prevent, and report incidents.

Long-Term Sustainment and Culture Change

The program has the processes, resources, and leadership support in place for a long-term life cycle, including (at a minimum) an annual program review and update. As a result, the program is an established part of the organization’s culture and is current and engaging. The program has gone beyond changing behavior and is changing people’s beliefs, attitudes, and perceptions of cybersecurity.

Metrics Framework

The program has a robust metrics framework aligned with the organization’s mission and leadership priorities to track and measure impact. As a result, the program is continuously improving and able to demonstrate return on investment. Metrics are an important part of every level of the maturity model; this level simply reinforces that to truly have a mature program, you must go beyond change and have a framework that demonstrates value to leadership.

So, are you relying on luck to safeguard your business? Or are you intentionally maturing your company's cyber security awareness program?

At Valenture, we help our customers understand where they are, where they want to be, and how to get there. Security awareness training is not a difficult thing to implement. Many people are surprised at how easy it can be. With our solutions, businesses can automate months of awareness training at a time and gather useful metrics along the way of which employees represent the most risk for the company.