This document discusses cybersecurity training for employees. It emphasizes the importance of raising employee awareness about cybersecurity policies and risks through regular trainings. Effective training programs should be mandatory, interactive, and provide updates on new threats and policy changes. The document also discusses ensuring data protection when employees work remotely through measures like multi-factor authentication, encryption, VPNs, and data backups. Common cyber threats to businesses like phishing, malware, and ransomware are described along with tools that managers can use to test security awareness and identify vulnerabilities. Outsourcing cybersecurity to specialists and using AI tools are presented as options for businesses, each with advantages and disadvantages.
3. post
pandemic
empowerment
programme
Introduction
In order to secure sensitive data against the numerous risks in today's workplace, cybersecurity is becoming more and more crucial.
Whether staff work on-site or remotely, it is essential to train them on cybersecurity. Leaders can then make sure that their employees are well equipped to identify and prevent threats that could jeopardise everyone's safety. What is crucial is to effectively safeguard processes against such risks, and to give staff the appropriate training on how to recognise and report suspicious activity or possible security concerns.
Assuring the long-term survival and profitability of any firm requires fostering a culture of cybersecurity knowledge and accountability inside the workplace.
1. Raising Employee Awareness
Employee Training
One of the most important concepts to grasp about cybersecurity is that maintenance is a constant job. New attacks appear monthly, if not daily, and your approach to guarding against them cannot be limited to annual training.
You need to ensure that your employees are aware of the company's cybersecurity policy and feel comfortable with their rights and responsibilities as employees. Employees must know that if they witness or find something suspicious, they must report it immediately.
1. Raising Employee Awareness
Employee Training
When it comes to staff training, ensuring that employees are aware of their role in maintaining the security of company data is the first priority. Having the appropriate security software and tools on their computers, understanding how they operate, and taking any necessary action are crucial.
Company owners must establish their official policies and distribute them to every employee. Nevertheless, simply disseminating the materials and counting on staff members to read them cover to cover and take in all of the information is insufficient. It is a good idea to discuss the policies with employees both during the training process and throughout their employment.
1. Training employees on existing policies
Internal Training Policies
● Create a training programme: Provide a training curriculum that covers corporate rules, compliance requirements and cybersecurity best practices. The programme should be customised to the unique demands of the business and its personnel.
● Make training compulsory: Cybersecurity training has to be mandatory for all employees. To make sure that staff members are knowledgeable about the most recent dangers and regulations, it should be delivered both during onboarding and continuously afterwards.
● Use interactive training techniques: Engage staff through participatory techniques such as role-playing games, simulations and quizzes to reinforce important ideas.
● Provide regular updates: Provide regular updates on changes to company policies and on cybersecurity threats so that employees are aware of anything that may affect their work.
● Monitor training effectiveness: Using evaluations, polls or other forms of feedback, track and evaluate the training programme's efficacy. This helps pinpoint problem areas and confirms that workers are retaining the material.
● Use real-life examples: To highlight the significance of cybersecurity and regulatory compliance, use real-world incidents. Employees may be motivated to behave safely and lawfully by learning the effects of their actions on the company.
1. Training employees on existing policies
European Policies
● The General Data Protection Regulation (GDPR) requires SMEs to protect user data against theft, unauthorised access and other security threats.
● The Network and Information Security Directive (NIS Directive) requires businesses to maintain the security of their data networks and to report any significant concerns to the relevant agencies.
● The Cybersecurity Act creates a framework for certifying ICT processes, services and products to make sure they adhere to predetermined cybersecurity criteria.
● Through programmes such as Horizon Europe and the European Cyber Security Organisation (ECSO), the EU provides financing and support for SMEs to enhance their cybersecurity posture.
● The EU provides guidance and tools to help SMEs develop their cybersecurity practices through initiatives such as the European Union Agency for Cybersecurity (ENISA) and the European Cyber Security Month.
● Non-compliance with these requirements may result in penalties and damage to SMEs' reputations.
2. Storing data, accounts and passwords, VPN, personal data protection
Data protection
Employees need to understand that the data they create and/or deal with belongs to the company and that this data needs to be kept safe. If relevant, make sure employees know how to back up data using the methods described in your policies.
Company-issued computers and other electronic devices should only be used by employees who are authorised to use those specific devices. Also, stress the importance of obtaining authorisation before using any device.
When employees are working remotely, data security and IT professionals have less control over, and less capacity to monitor, data storage and movement. Remote employees may be using a compromised internet connection, outdated software or malfunctioning hardware. As remote employees are responsible for maintaining their equipment, it is up to them to carry out upgrades, install security software and follow best practices while accessing data without on-site assistance from IT.
2. Storing data, accounts and passwords, VPN, personal data protection
Fortunately, there are fairly easy solutions that can be employed to secure and safeguard data for employees who work remotely. Some of these solutions involve seeking guidance or services from IT or data protection specialists, while others can be implemented by the remote workers themselves.
Companies would benefit from sharing a comprehensive list of measures involving both their management team and remote staff, regardless of whether they work full-time or part-time from a remote location. This would inform all employees about the steps that can be taken to ensure the security of company data and let them work collaboratively to implement them.
2. Storing data, accounts and passwords, VPN, personal data protection
Securing data protection
● Two-factor authentication (2FA): By requiring a second form of verification in addition to a password, such as a code sent to a smartphone or biometric authentication, 2FA adds an extra layer of protection to login credentials. (Microsoft)
● Endpoint protection software: This software protects remote devices from malware and virus attacks by identifying and stopping them. (Trellix, McAfee)
● Data backup and recovery processes: In the case of a disaster or breach, having frequent backups of company data guarantees that crucial information is not lost. (Acronis, Google Drive)
● Firewalls and intrusion detection systems (IDS): These tools monitor business networks and data for unauthorised access and block it. (Cisco, SonicWall)
● Regular software and operating system updates: The risk of hacks and data breaches is reduced by updating operating systems and software to fix any known security flaws.
2. Storing data, accounts and passwords, VPN, personal data protection
Passwords
Cybersecurity is a necessity, especially if managers recruit staff who work from home; such staff must be given access via a VPN or encryption service to ensure that no vital information about the company is obtained by unauthorised parties.
The most popular authentication method for confirming a user's identity and granting access to digital resources, including computers and online accounts, is the password.
A weak password, or one that is reused across several business accounts, can make it simple for attackers to access confidential material; strong passwords help prevent unauthorised access to these resources.
To offer an extra degree of protection, passwords may also be used in combination with other authentication techniques such as biometrics or multi-factor authentication.
2. Storing data, accounts and passwords, VPN, personal data protection
A strong password has these traits:
• It's long enough
• It uses multiple character sets
• It doesn't use complete words
• It's changed regularly
• It's not shared across accounts
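As an added example (not part of the original training material), the following Python code checks a candidate password against the five traits listed above and reports which ones it fails. The minimum length, number of character sets, maximum password age and the small word list are assumed policy values chosen for illustration, not figures from the slides.

```python
"""Checker for the five strong-password traits listed on the slide.

Added example, not part of the original training material. The policy
thresholds and the tiny word list below are assumptions for illustration;
a real deployment would take them from the organisation's password policy
and use a full dictionary or breached-password list.
"""
import hashlib
import re

# Assumed policy values (not stated on the slide).
MIN_LENGTH = 12        # "long enough"
MIN_CHARSETS = 3       # "multiple character sets"
MAX_AGE_DAYS = 180     # "changed regularly"
# Constructed mini dictionary standing in for a real word list.
WORDS = {"password", "welcome", "summer", "company", "secret", "admin"}


def charsets(pw):
    """Count how many of the lower/upper/digit/symbol classes the password uses."""
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    return sum(1 for c in classes if re.search(c, pw))


def contains_word(pw, words=WORDS):
    """True if a complete dictionary word appears in the password (case-insensitive)."""
    low = pw.lower()
    return any(w in low for w in words)


def fingerprint(pw):
    """Digest used to compare against other accounts without keeping the
    password itself; unsalted SHA-256 is a simplification for this example."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def check_password(pw, age_days, other_account_hashes):
    """Return the traits the password fails, in slide order (empty list = strong).

    age_days: days since the password was last changed.
    other_account_hashes: fingerprints of passwords used on the user's other accounts.
    """
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append("long enough")
    if charsets(pw) < MIN_CHARSETS:
        failures.append("multiple character sets")
    if contains_word(pw):
        failures.append("no complete words")
    if age_days > MAX_AGE_DAYS:
        failures.append("changed regularly")
    if fingerprint(pw) in other_account_hashes:
        failures.append("not shared across accounts")
    return failures


if __name__ == "__main__":
    # Constructed sample: fingerprint of a password already used on another account.
    used_elsewhere = {fingerprint("Summer2024!!Ab")}
    for candidate in ["Xk7#pQ9$mL2v", "Summer2024!!Ab", "welcome1"]:
        print(candidate, "->", check_password(candidate, 92, used_elsewhere))
```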
2. Storing data, accounts and passwords, VPN, personal data protection
VPN & Encryption
Keeping an individual employee safe and secure is not enough; the whole company needs to be secured. Before you set up a VPN or encryption solution at work, you must determine the cyber-resilience of the entire workforce. You must have a firm security policy, which includes training and ensuring employees are aware of the importance of their cybersecurity.
Even though the advantages of hybrid working include flexibility, it comes with security risks. Companies need effective and efficient tools to protect their networks against cyber threats, using a multi-layer security solution that offers multi-pronged protection.
2. Storing data, accounts and passwords, VPN, personal data protection
A Virtual Private Network (VPN) is software that establishes a secure, stable connection between devices over the internet, allowing users to access a private network remotely.
VPNs are useful for:
1) Protecting personal and financial data by encrypting communication between the user and the company.
2) Providing secure, uninterrupted access to remote employees, so they can connect to the business network as if they were in the office.
3) Hiding the device's IP address and location, to get around internet regulation and geographical restrictions.
4) Safeguarding digital content and providing secure interaction between staff members and the business network.
It is crucial to take into account aspects such as encryption strength, logging practices and server locations when selecting a VPN provider.
VPNs may be set up to limit access to particular apps or resources, adding another degree of protection.
By encrypting information during transmission, VPNs help prevent third-party interception and surveillance.
2. Storing data, accounts and passwords, VPN, personal data protection
Transmitted data is encrypted by converting it into a coded form to prevent unauthorised access. To ensure that only individuals with the appropriate decryption keys may access the data, it is encoded and decoded using algorithms and credentials. Encryption is used in a wide range of technologies such as secure email, VPNs, encrypted storage devices and secure messaging programs.
It may be used to protect private communications between individuals or groups of people, along with commercial, financial and personal data.
Encryption comes in two main types: symmetric and asymmetric. Whilst symmetric encryption uses a single key for both encryption and decryption, asymmetric encryption requires a pair of public and private keys.
End-to-end encryption (E2EE) is a form of cryptography used in telecommunications in which only the sender and the recipient can access the decrypted material.
3. Avoiding cyber threats
Typical threats
The most common cyber threats to SMEs include:
● Phishing: Suspicious messages that lure employees into giving away sensitive information or downloading malware. SMEs should deploy multi-factor authentication and use email filtering.
● Ransomware: Software intended to harm or gain unauthorised access to a system via downloads, malicious websites and attachments. SMEs should back up data and implement endpoint protection.
● Malware: Software designed to damage or gain unauthorised access to computer systems through attachments, downloads and malicious websites. SMEs should use endpoint protection software, keep their software updated and implement email filtering tools.
● Insider threats: Risk presented by current or former employees, independent contractors or suppliers who have authorised access to systems and data. SMEs should implement access controls, conduct background checks on employees and monitor user activity.
● Third-party breaches: An attack that compromises sensitive data held by a partner company or vendor. SMEs should monitor vendor activity, develop data-sharing agreements and security measures, and conduct due diligence on suppliers.
3. Avoiding cyber threats
Tools for managers
● Simulated phishing tools: These allow managers to create mock phishing campaigns to test their employees' awareness of and response to phishing attempts. This can help identify areas where additional training is needed. (PhishMe, KnowBe4, GoPhish, IronScales, Barracuda)
● Vulnerability scanning tools: These scan a network or system for vulnerabilities, which helps managers identify potential security weaknesses and take corrective action. (Nessus, Qualys, OpenVAS, Rapid7 Nexpose, Acunetix)
● Security awareness training platforms: These platforms offer interactive and engaging training modules that focus on specific areas of cybersecurity, such as phishing, password security and social engineering. (KnowBe4, SANS Security Awareness, Infosec IQ, Wombat Security, PhishMe)
● Security policy templates: These templates provide a framework for creating comprehensive security policies that cover various areas of digital security, including access control, data protection and incident response. (SANS Institute, NIST)
● Incident response planning tools: These tools help managers develop and implement a comprehensive incident response plan, which outlines the steps to be taken in the event of a security breach or other incident.
3. Avoiding cyber threats
AI Tools
The ever-increasing use of AI tools has demonstrated the need to ensure business security.
Advantages
1) Identification of dangerous behaviour;
2) Real-time network traffic detection;
3) Recognition of probable frauds, social engineering assaults and phishing attacks;
4) Filtering and detection of spam messages;
5) Automation of procedures.
Disadvantages
1) Development of powerful AI-generated attack techniques;
2) Ineffectiveness of compatible means of detection;
3) Communication challenges in the form of misleading and false alarms.
3. Avoiding cyber threats
Key Measures for SMEs
1) Development of intrusion detection systems such as firewalls and antivirus software;
2) Adequate staff training;
3) Establishment of security tactics with the assistance of cybersecurity professionals;
4) Regular updates of software.
3. Avoiding cyber threats
Outsourcing
Outsourcing means hiring an external cybersecurity company to administer the security needs of the business. It provides access to expertise and advanced technologies. However, it may pose risks related to data privacy and supplier management.
Advantages
1) Availability of expertise: Threat detection and response are handled by specialists;
2) Cost savings: Businesses can avoid investing in new workers and equipment;
3) Scalability: Services may be adjusted depending on the demands of the business;
4) Constant monitoring: Provision of continuous security;
5) Reduced risk: Expert resources are outsourced.
Disadvantages
1) Loss of control: The company is dependent on the provider;
2) Communication challenges: Misunderstandings regarding processes;
3) Dependence: Additional risk may arise in the event of a security compromise;
4) Integration challenges: Third parties and existing teams need coordination;
5) Compliance risks: Misunderstandings of compliance standards may create exposure.
Good Practices & Examples
Troubleshooting the system
Troubleshooting is a systematic approach to problem-solving that is often used to find and correct issues with complex machines, electronics, computers and software systems. Troubleshooting methodologies usually try to isolate a problem so that it can be examined.
Example
When a laptop won't boot up, an obvious first step is to check whether the power cable is working. Once common issues are ruled out, troubleshooters must run through a checklist of components to identify where the failure is happening.
Troubleshooting Steps
1) Gather information;
2) Describe the problem;
3) Determine the most probable cause;
4) Create a plan of action and test a solution;
5) Implement the solution;
6) Analyse the results;
7) Document the process.
Facts & Figures
● Phishing attacks were the most common type of incident experienced by SMEs, followed by malware infections and ransomware attacks (ENISA, 2021).
● 60% of small businesses in the European Union experienced at least one cyber incident in 2020 (ENISA, 2021).
● 26% of UK SMEs have no cybersecurity measures in place, and only 16% have a cybersecurity incident management plan (UK National Cyber Security Centre, 2020).
● 43% of European SMEs have experienced a cyber incident in the past year, and 67% of these incidents resulted in a material impact on the business (EY, 2021).
● 49% of European SMEs believe that cybersecurity is a priority, but only 37% have an incident response plan in place (EY, 2021).
Checklist: In your SME, do you...?
● Conduct risk assessments?
● Implement cybersecurity policies?
● Use secure passwords and multi-factor authentication?
● Regularly update software and security patches?
● Provide regular cybersecurity training?
● Use encryption?
● Regularly back up data?
● Implement access controls?
● Monitor systems and networks?
By adopting these good practices, SMEs can significantly improve their cybersecurity posture and reduce the risk of cyber-attacks.
SUMMARY OF UNIT 5
Cybersecurity is the new world order for businesses and has great importance for remote employees today. Employers need to ensure that employees are aware of and trained on the company's cybersecurity policy. Important aspects of these policies should be storing data, accounts and passwords, VPN and personal data protection. Employers and employees should be able to avoid the most common cyber threats.
SELF-ASSESSMENT QUESTIONNAIRE
We offer you a short questionnaire for self-assessment of the extent to which you have understood the content. The goal is to check and reinforce what you have learned.
You can take the quiz as many times as you want. Remember, the quiz is just part of the process of learning new things!
Question 1: SMEs are not at risk of cyberattacks as they are not attractive targets for hackers.
Answers:
● True
● False
Question 2: Which of the following is the best way to protect data stored on a computer or mobile device?
Answers:
● Keep devices in a locked cabinet
● Encrypt data with a secure encryption algorithm
● Regularly back up important data to a public cloud service
Question 3: Which of the following is a characteristic of a strong password?
Answers:
● It's long and consists of multiple character sets
● It consists of only lowercase letters
● It's the same password used for multiple accounts
Question 4: What does the GDPR require SMEs to do?
Answers:
● Ensure the security of their network and information systems
● Protect personal data against unauthorised access, theft and other security breaches
● Establish a framework for the certification of ICT products, services and processes
Question 5: Which of the following is a common cybersecurity threat for SMEs?
Answers:
● Posting personal information on social media platforms
● Running antivirus software on devices
● Phishing attacks
Question 6: Which of the following is a potential cybersecurity risk associated with outsourcing?
Answers:
● Increased productivity and efficiency
● Loss of control over sensitive data
● Improved customer satisfaction
References
Cybersecurity training best practices for Employees, 2018. https://www.nationwide.com/business/solutions-center/cybersecurity/train-employees
The Importance of Cybersecurity For Remote Employees, 2022. https://www.linkedin.com/pulse/importance-cybersecurity-remote-employees-ark-solvers/
8 Tips and Best Practices on How to Train Employees for Cyber Security. https://www.coxblue.com/8-tips-and-best-practices-on-how-to-train-employees-for-cyber-security/
Cybersecurity in the Workplace. https://my.pennhighlands.edu/ICS/IT_Services/Cyber_Security_Awareness_Materials.jnz?portlet=Free-form_Content_2017-10-06T15-24-11-858
Why Cybersecurity In The Workplace Is Everyone's Responsibility, 2022. https://www.stickmancyber.com/cybersecurity-blog/why-cybersecurity-in-the-workplace-is-everyones-responsibility
SME Troubleshooting. https://shorturl.at/lISX7
The NCSC Annual Review, 2020. https://www.ncsc.gov.uk/news/annual-review-2020
Federal Trade Commission, Cybersecurity for Small Business. https://www.ftc.gov/tips-advice/business-center/small-businesses/cybersecurity
ENISA, 2021, Cybersecurity for SMEs. https://www.enisa.europa.eu/publications/enisa-report-cybersecurity-for-smes
SBA, Strengthen your cybersecurity. https://www.sba.gov/business-guide/manage-your-business/strengthen-your-cybersecurity#section-header-6
The 2021 Security Outcomes Study – Small and Midsize Business Edition, Cisco. https://shorturl.at/mzNT4
Summary of the Unit
Raising employee awareness and complying with EU policies is crucial in terms of cybersecurity. Employers must educate their employees on how to recognise and avoid cyber threats. By providing training, organisations mitigate the risk of data breaches, which result in financial and reputational damage. Employee training is essential in maintaining a strong cybersecurity posture.
Thank you for learning with us!
www.prosper-project.eu
You can find us:
● https://prosper-project.eu/
● https://www.facebook.com/Workplace.SMEs.EU
● https://www.linkedin.com/company/workplace-smes/