How to create a cybersecurity culture in the SME ecosystem 

The heartbeat of Europe’s economy – the SMEs and their workers – voice their concerns about the constantly increasing threats in cybersecurity.

  • Across Europe, 40% of organizations experienced a cybersecurity incident in the last 12 months (2024), with 84% reporting an increase in attack frequency during the same period.[1]
  • A significant portion of SMEs lack formal cybersecurity policies, with only 53% having measures to manage third-party cybersecurity risks, compared to 85% of large enterprises.[2]
  • 41% of European SME workers reported receiving no security training from their employers in the last two years, highlighting a gap in cybersecurity awareness and education.[3]

The popular mantra of the 90s and 00s, ‘keep honest people honest’, is no longer sufficient. The complexity of attacks requires more sophisticated approaches that leverage technological progress while keeping things simple for the non-digitally adept.

While outsourcing security specifics is a common solution, recent studies have shown that it is not enough. In any case, a change of ethos and culture should prevail.

Nurturing a change of culture

You cannot teach an old dog new tricks, insist the critics. But is this true? Some countermeasures that foster change are listed below:

Executives and managers alike should commit to secure behaviour and share proof of their changed attitude. If leadership uses weak passwords or ignores critical updates, others will follow. Strategic decisions should reflect security implementation rather than being confined to technology checklists.

Learning by personal example is an all-time favourite of educationalists across the globe. People learn faster if they relate to the topic and care about it. Showing how security affects one’s identity and family, and not only company data, changes mentality and pushes forward informed change. Real-world stories are becoming more and more available, creating excellent training paradigms.

Security awareness stems from behaviour rather than exact technical knowledge. Likewise, the focus of education or training should be on behavioural aspects rather than on technology jargon, which is so easy to present given its abundance on the internet. Keeping things simple ranges from short but frequent tips and micro-learning[4] all the way to gamification, quizzes, or simulated-phishing tests to boost engagement.

Being positive fosters good results when a change is in the making. Small victories such as phishing reports, password updates or spotting potential risks should be celebrated and rewarded, even financially. Team challenges and competitions can help bonding while at the same time promoting a security-aware mentality.

Mistakes are common at all learning levels regardless of the topic. However, they should not hinder the learning process but help redefine it and adjust it to individual needs. Employees should not feel ashamed when mistakes happen. On the contrary, their faults should be treated as an opportunity to improve content and strategy.

Simple KPIs such as reporting rates, quiz results, etc. should be identified, tracked and shared inside the team. All kinds of tools can help visibility, such as posters, screensavers with positive slogans, letterheads, mottos, etc. Last but not least, a small community, as is usually the case for SMEs, should feel part of the broader world, so alignment with European initiatives is one of the best tools for fostering a mentality change.


[1] https://www.cloudflare.com/en-gb/press-releases/2024/european-businesses-anticipate-more-cybersecurity-attacks-but-feel

[2] https://www.linkedin.com/pulse/secur-eu-revolutionizing-cybersecurity-european-smes-mihaela-curca-rjjff/

[3] https://www.sharp.eu/news-and-events/news/european-smes-at-risk-of-cyber-hacks-as-workers-reveal-ai-concerns-and-lack-of

[4] https://www.techtarget.com/whatis/definition/microlearning

Secure Your SME – Join the Network

Join the SOC4SME Stakeholder Network and help shape the future of cybersecurity for small and medium-sized enterprises. Get early access to pilot services, offer feedback, and strengthen your digital defenses.