Although technical and organisational protection measures are important, on their own they are not sufficient for a holistic approach to information security. Employees must also handle the technology they are given properly and behave securely in day-to-day business. This is why training and awareness-raising measures for employees (collectively termed “awareness”) play such an important role and should not be neglected.
Some important points to remember:
- Draw up some easy-to-implement user guidelines.
- Sensitise your employees and train them regularly, not just once.
- Use a variety of communication channels and tools to reach all your employees.
- Encourage your employees to report any irregularities, violations and suspected incidents.
Why is raising awareness in SMEs so important?
A look at the statistics on successful cyber-attacks shows that the human factor is one of the most frequently used points of entry. Social engineering and phishing, for instance, are used to trick people into disclosing sensitive data or performing an unwanted action. Experience reports from various companies demonstrate that it is not enough simply to impose security measures: if employees do not understand the importance and purpose of such measures, the measures are unlikely to be implemented properly, or at all.
To raise security awareness amongst your employees and to underline the priority information security takes in your company, holistic, company-wide awareness activities should be undertaken. There are various strategies for establishing and shaping a security culture. For long-term success, continuous, recurring communication adapted to your target group is essential.
How can you ensure you successfully raise employee awareness in SMEs?
For the sake of clarity, it is recommended to draw up an awareness concept so as to minimise costs and ensure maximum success. This does not have to be a large and extensive document; its purpose is to align all awareness activities and design them efficiently. In this context, it is very important for management to support all awareness activities and to lead by example.
Some ways of ensuring more awareness in a business are as follows:
- Training and workshops: Regular training on relevant topics helps employees keep up to date with the latest developments, such as new types of attack.
- Internal communication: A regular exchange of news, changes or important information promotes employee awareness and appreciation.
- A point of contact and a culture of feedback: It is important to offer employees a point of contact or platform where they can report irregularities and violations, but also raise concerns, ask questions and submit proposals, without fear of blame.
- External expert knowledge: Sometimes it can be helpful to invite external experts to impart deeper knowledge on specific subjects.
- Awareness platform: As a business, you can also set up a dedicated awareness platform (for instance an internal site with training material and current warnings) to support awareness-raising in your company.
- Integration into the company culture: Raising awareness must not consist of just one single campaign; it has to be integrated into everyday workflows and the company culture itself.
In conclusion, raising employee awareness constitutes an investment in your company’s future. Not only does it reduce legal risk and the loss of reputation in the event of a cyber incident, it also supports a positive working atmosphere and increases productivity. In an increasingly digitised environment, a good security culture in your business constitutes a decisive competitive advantage.
Further information
The information security manual for practical use offers good instructions and templates, amongst others on the subject of raising employee awareness. (If you take our courses for SMEs, you will be able to order this book at a 30% rebate, for just CHF 68.00 plus shipping.)
“eBanking – but secure!” also offers an online course for SMEs that highlights the most important technical and organisational measures for SMEs.
“Awareness” in the context of information security denotes employees being aware of cyber threats and being able to behave securely when confronted with one.
Since both the external environment (for instance new types of attack) and the internal one (for instance new processes or tools) are subject to constant change, awareness must be understood as a recurring task and implemented as such.