A primer to cyber security training for SMBs

There are some foundational aspects that every employee should be aware of today. These form the backbone of good security practices and are not complicated to follow.

Passive learning may not be sufficient for the average employee to be able to take action during an actual cyber security incident in real life. This is where hands-on, interactive training sessions can help to reinforce their understanding and application of cyber security principles.

To provide interactive learning sessions, test your employees with situations that mimic real-life cyber threats. For example, you could simulate situations where employees must identify and respond to potential security risks, while in the midst of a major seasonal event that brings in a lot of traffic, such as Black Friday.

Interactive workshops can also help in this regard, where case studies, group discussions, and practical exercises can be used to deepen employees' understanding of cyber security concepts. To conduct these workshops, you could either invite a cyber security expert or engage an external agency to organise sessions on a recurring basis. Singtel’s Cyber-Readiness and Training Services, offers life-like drills to prepare IT teams for today’s cyber security threats and defence techniques. The services also equip management and board-level executives with the knowledge necessary for sound decision-making during crises. 

With the rise in phishing-based attacks today, it is important to ensure that your team is able to spot these types of threats early. This is where simulated exercises can be helpful, offering immediate feedback and valuable learning opportunities.

For example, you could assign an employee to craft phishing emails that resemble common business communications, such as invoices, collaboration requests, or HR updates. This mirrors the tactics cybercriminals use, making the training more relevant. Monitor if any employees fall for these fake emails, and provide immediate feedback and explain how the phishing email could be identified and avoided in the future.

Here is a basic checklist you can follow when training employees to defend against phishing emails:

2. Verify the sender: Double check the email sender's address to ensure it matches official company communication standards.
4. Examine links: Hover over any links (but avoid clicking them!) to preview the URL and ensure it directs to a legitimate website.
6. Inspect content: Analyse the email content for irregularities, such as unusual language, requests for sensitive information, or unexpected attachments.
8. Confirm with sender: If in doubt, contact the supposed sender through a separate, known communication channel to verify the legitimacy of the email.
10. Report to IT: If an email seems suspicious, report it to the IT department immediately to prevent potential security breaches.

Such simulations need not be a one-time thing either. Only by regularly conducting simulated exercises can you track improvements and identify areas that may require additional focus. Use the data gathered to enhance the effectiveness of future training sessions. You can start simple but slowly increase the complexity of simulated phishing exercises by making the phishing emails harder to detect.

Singtel offers various e-learning courses through the Security Awareness Education and Phishing Service to help employees raise their security consciousness. These courses include phishing simulations which mimic social engineering attacks to targeted users to heighten cyber awareness. Singtel also has a phishing game called "Catch the Phish", which can be played on mobile and desktop devices. The goal of the game is to test whether one is able to differentiate a phishing attempt from a legitimate scenario.

In the unfortunate event of a security breach, having a well-defined incident reporting procedure is critical for a swift and coordinated response. To start with, encourage employees to report security incidents in real time, especially when they encounter a suspicious email. It could be a simple step such as forwarding suspicious emails to a dedicated IT email address. 

It's vital to designate a competent team responsible for responding to reported incidents. Ideally, this should involve a cyber security expert. If you don’t have a dedicated resource, it can be a group of employees with some IT experience, along with an external vendor with expertise. This team should consist of at least one member who understands cyber threat response procedures or who has had some training, and is capable of assessing the severity of the situation and implementing countermeasures.

To inform relevant stakeholders about the security incident, you also need clear communication protocols in place. Identify the channels that you will use for communication in the event of an incident and ensure that pertinent information reaches the right individuals promptly. For example, you may want to create a separate channel in Microsoft Teams or a new group in WhatsApp if an incident response is in progress, with relevant team members added.  

When it comes to defending against cyber attacks, one has to take a long-term view. As the type of threats evolve and become more sophisticated, your employees also need to constantly upskill their cyber security education. To help them be ahead of the curve, encourage participation in training courses and programmes.

There are numerous courses available in Singapore that SMBs can access. Most recently, the Cyber Security Agency of Singapore launched SG Cyber Associates, a new programme  that will provide training for non-cybersecurity professionals. Singtel also offers the Singtel Cyber Elevate Programme that offers mentorship and training for SMBs, including cyber risk audits of the business, workshops on the best cyber security practices and legal and forensics support. There is also a 90 percent subsidy that eligible SMBs can apply for when selecting this programme.