I have been on a mission for a while now, looking for ways to push cybersecurity knowledge out to smaller organizations. Heck, I even led a roundtable at the last TAG conference on this topic. How can we get organizations to be CyberSmart (™ Microsoft, I suppose)?
The Need to be CyberSmart is Real
Why is the need to be CyberSmart even important? Here are two reasons.
- Cyber criminals understand the concept of expected value. Put simply, expected value is the product of the value of an outcome and the probability that the outcome will occur. These criminals understand that the monetary value of hacking a small organization may not be large. However, they also know that the probability of successfully hacking such an organization is high. A low payoff times a high probability of success still equals a reasonable outcome. Repeating this at scale only improves a hacker’s return on investment.
- Small and midsized businesses (SMBs) and small nonprofits tend not to invest in cybersecurity. Resources are stretched, and cybersecurity seems more like a luxury than a necessity. Small organizations don’t know what they don’t know, and that is a problem. Some organizations think that they would not be the subject of a hacking attack because of their size. Other organizations know they are at risk. They just don’t know where to go to become CyberSmart.
Here is an example. Just yesterday, a small customer forwarded an e-mail to me with a subject line about employee benefits. The display name of the sender was the same as that of the person who forwarded the e-mail to me. Of course, the actual e-mail address was not correct.
Some scammer understood that an e-mail supposedly about employee benefits, one that came with an attachment to be opened, could generate more clicks than usual. It is the beginning of a new year, and many companies are going through benefits enrollment now. Hence, users might not be surprised to receive an e-mail about employee benefits.
What Do Smaller Organizations Need to Know?
Here are some topics that deserve to be covered in any CyberSmart campaign.
- Phishing and how to recognize the signs of a phishing e-mail.
- How to construct a strong password (or avoid passwords altogether).
- Ways to be safe when browsing websites.
Microsoft Has Some Free CyberSmart Materials
CGNET is a member of a Microsoft group called Tech for Social Impact. This group is devoted to the nonprofit market, big and small. Tech for Social Impact has just released some educational materials to help smaller organizations be CyberSmart.
Yes, these materials were produced by Microsoft. That means there are helpful links that will take you to some of Microsoft’s security offerings. However, Microsoft has applied only a light sales touch to these materials. They are less sales oriented than free materials I have seen from other security providers.
There are infographics covering passwords, device security, online scams, and phishing. There is an infographic covering basic cybersecurity concepts. Another PDF links to short videos on how to be CyberSmart. One of the videos covers how to be CyberSmart while working from home. This is a relevant topic for our time. Finally, there is an e-mail template that IT people can use to share these materials with users.
You can click here and receive a downloaded zip file with all these CyberSmart materials. If you would prefer, you can also just let me know and I will send you the materials directly.
If you have a cybersecurity training program in place, these CyberSmart materials might be a little elementary for your users. That said, the graphics are nice, as you would expect from something produced by Microsoft.
If you work with smaller organizations and have been looking for a way to educate them on cybersecurity, these CyberSmart materials might be worth sharing. Be sure to check them out!