SMBs: The Power of Cybersecurity Conversations


Cybersecurity is changing fast. Large corporations dominate the headlines when attacks happen, but small and medium-sized businesses (SMBs) face the same phishing, ransomware and credential-theft campaigns with a fraction of the staff and budget to defend against them, and they are usually the least prepared. As attacks grow in sophistication and frequency, SMBs can no longer treat security as someone else's problem.

From the smallest startups to well-established local enterprises, every SMB faces a unique set of challenges and risks in the digital landscape. Ignoring these threats is no longer an option, as the consequences of a data breach or cyberattack can be financially and reputationally catastrophic.

This article looks at how to talk about security with employees so that they actually listen: why jargon gets in the way, how people move from unawareness to competence, what makes a message stick, and which ten topics every awareness program should cover. The aim is to help SMBs start these conversations and lay the foundation for a security culture that lasts.

A breach can be fatal to a business of any size, and SMBs are not exempt from the threats that make the news. By starting a cybersecurity conversation today, these businesses can strengthen their defenses, safeguard their sensitive data, and secure their future in an increasingly interconnected digital ecosystem.

The Anatomy of Conversations with Employees

Security Magazine put the problem well in an article on employee engagement: “Cybersecurity isn’t the most appealing topic for employee communications. In fact, it’s fair to say that most employees’ eyes glaze over when they see or hear ‘security.’ But organizations that get it right — and get employees engaged — can create the change that’s needed to protect their systems and data.

What does it take? It takes a little creativity and a lot of consistency to move the needle towards a win-win result.

Ban the buzzwords

Communicating effectively is always important, but when communicating about cybersecurity, it’s especially important. Security is everyone’s responsibility, and the majority of successful cyberattacks are the direct result of human-related causes.

To reach people outside the world of IT and cybersecurity who don’t understand tech jargon, it’s necessary to ban the buzzwords. Not only do tech terms have the undesirable effect of making people feel excluded, but some perceive their use as trying too hard to impress, according to a poll of 1,500 workers conducted by Enreach. While every industry has its own jargon, technical terms and industry slang are likely to be misunderstood by people outside the IT/security space.

Understand the stages of competence

When people learn something that is designed to change their behavior, they go through a series of stages called the “stages of competence.” These stages apply whether one is learning a new language, starting a new job, or identifying a suspicious link in an email.

Here’s how these stages work:

  • Stage One: Unconscious incompetence — At this stage, people are simply oblivious. As applied to cybersecurity, this would be an employee who has no idea that clicking on links in suspicious emails or texts could lead to a serious security breach.
  • Stage Two: Conscious incompetence — At this stage, the subject doesn’t know the material, but wants to learn. Continuing the above example, the employee recognizes the danger of a cybersecurity hack or phishing scam and wants to learn how to avoid them, but isn’t sure what steps to take.
  • Stage Three: Conscious competence — Here, the individual knows what needs to be done, but it requires effort or direction. As it applies to cybersecurity, the individual knows more about suspicious links and how to identify one and may refer to a checklist to double-check or consult with someone who knows more.
  • Stage Four: Unconscious competence — At this stage, the person has the skills and automatically knows what to do. It has become second nature. The employee can spot the suspicious link without referencing a checklist and knows what to do — report and delete it, whether it’s a simulation or a real suspicious email or link.
  • Stage Five: Mastery — Here, the employee is an expert at the skill or task and can help others. At this stage, the individual can spot suspicious links competently and can train others to move through the stages.

It takes time, repetition, and focus to ensure that employees embed the knowledge they need and move from unconscious incompetence to, at a minimum, conscious competence. This is where true behavior change occurs. This is where security culture can be created and supported.

How to get employees there

To move employees from unconscious incompetence toward mastery, it’s important to speak in a language and terms that they will understand, using approachable, descriptive, and inclusive language.

When starting, assume the group knows nothing so that no one falls through the cracks of assumed knowledge. Not everyone will raise their hand and ask a question if they don’t understand something. Keep in mind that disengagement occurs the moment something is not understood.

But meeting employees where they are in terms of understanding and knowledge, without judgment or condescension, can help them get to where they need to be. Once the importance of security is understood, it is likely employees will see the value in their personal role and responsibility to cybersecurity.

There are a lot of elements required to communicate when it comes to cybersecurity. Knowing how to do so effectively increases success. When communication is well done, engagement will occur. Understanding how people move from learning to behavior change will improve the security culture as people will embed the knowledge and act upon it, even when no one is watching.”

Communicating Your Cybersecurity Message So Employees Will Listen

Staples, in an article on the same problem, wrote: “Sometimes it’s not just what you say — it’s how you say it. Here are some tips for effectively getting your cybersecurity message out.

Anyone on an IT team knows it can be difficult to get cybersecurity messages across to non-IT staff. Your coworkers are nonexperts whose focus is on their own responsibilities — it’s just too easy to tune out security warnings. Even if they do pay attention to your alerts, they may not fully comprehend your instructions.

But to keep the company secure, everyone needs to have a working knowledge of cybersecurity protections and stay vigilant. It’s an uphill challenge: Seven in 10 employees lack the awareness to stop preventable cyber attacks, according to cybersecurity training company MediaPro.

Use these tips to break through to your co-workers and keep everyone informed and alert.

Identify the Obstacles

To get your message across, it helps to understand what keeps people from taking cybersecurity seriously. Perhaps people in non-technical roles assume that security is IT’s responsibility rather than something in which everyone has a role. Even when employees are aware that their actions directly impact security, they may see accepting software updates or regularly changing passwords as an inconvenience.

Talk with your coworkers to understand their attitudes toward cybersecurity and their awareness of best practices. Circulating a short, informal survey might be an effective way to get this information. Once you understand the roadblocks, you can craft your messages to remove them.

Make Internet Security Information Relatable

Explain cyber threats in terms that your coworkers can easily grasp. That means, of course, dropping the jargon and highly technical language that you might use with your IT colleagues. It also means connecting threats to your colleagues’ specific roles. For example, if you’re talking with the human resources team about phishing scams, explain that these attacks can target employees’ Social Security numbers and other sensitive information held in HR’s systems. If you’re talking with accounts payable, highlight schemes that target companies’ bank account numbers to divert funds. When employees understand the direct consequences that security lapses can have, they may be more inclined to follow best practices.

Keep Cybersecurity Training Simple

When you’re preparing training for the company, aim to make it straightforward and engaging. Avoid using presentations with dense copy and complex directives; instead, try videos and interactive tools that people can engage with. Ask someone outside of the IT department to review the materials and tools you develop to be sure the information is easy to grasp.

Incorporating statistics and real-world examples into training can work well. Strive for data and examples related to companies like yours. Also, include data points that underscore employees’ contributions to security to emphasize the role each and every person plays in tight company security.

Repeat and Refresh Your Messages

To be effective, cybersecurity awareness needs to be an ongoing effort. Refresh your training yearly to keep pace with evolving threats. Supplement the training with reminders, such as cybersecurity-focused posters placed in breakrooms and meeting areas. Send occasional emails, perhaps with short quizzes that reinforce what employees have learned. Encourage your colleagues to reach out with any questions or concerns they have.

Changing up your messaging can keep employees from tuning it out. Over time, your efforts can help to create and reinforce a culture of cybersecurity awareness. When employees recognize that they are instrumental in keeping your workplace protected, they will also set an example for others.”

The Top 10 Cyber Security Topics to Discuss with Employees

Infosec, in an article on security awareness topics, wrote: “More than 74% of breaches involve the human element, and the advancement of AI is bringing even more convincing attempts to trick employees. Sophisticated phishing attacks, automated hacking tools, AI-powered social engineering techniques, and deepfake threats mean security awareness training, and a culture of awareness are more critical for organizations than ever.

The good news is that organizations can shift that human risk and have their employees contribute to a cyber-secure environment — with the right training. Practical and engaging security awareness training for employees can provide staff with the knowledge to identify and defend against cyber threats.

As the world of work evolves and AI technology grows, so do security threats. When designing your best security awareness training program, covering the cyber threats your organization will most likely face is essential. These are the 10 most important security awareness topics to include in security awareness training for employees.

1. Email scams

Phishing attacks are the most common method that cybercriminals use to gain access to an organization’s network. So it’s no surprise that they lead our security awareness topics list. They take advantage of human nature to trick their target into falling for the scam by offering some incentive (free stuff, a business opportunity, and so on) or creating a sense of urgency. With AI, fraudsters can quickly refine their messaging to make the most enticing phishing email possible.

Phishing awareness should be a component of any organization’s security awareness training. This should include examples of common and relevant phishing emails, such as emails that mimic shipping notifications, tax-related phishing scams, bank alerts, and internal corporate communications.

Tips for identifying and avoiding phishing emails include:

  • Do not trust unsolicited emails
  • Be wary of any email that creates a sense of urgency, secrecy and authority (e.g., leadership asking to send a large payment by the end of the day and to keep it secret as it’s not yet public).
  • Confirm requests for sensitive data or funds via another medium (such as phone or in person) before responding.
  • Be wary of unsolicited email attachments. Verify any unsolicited attachments with the alleged sender via another medium before opening them.

Remember that these types of attacks can occur across any communication platform (including email, text messages, messaging apps, enterprise collaboration platforms, and so on).

In addition, ensure your organization is filtering spam, has its email client and firewall configured correctly, and uses up-to-date antivirus.

2. Malware

Malware is malicious software that cybercriminals use to steal sensitive data (user credentials, financial information, and so on) or cause damage to an organization’s systems (e.g., ransomware and wiper malware). Organizations can become infected with malware in several ways, including phishing emails, drive-by downloads (e.g., visiting a malicious site with an out-of-date browser that gets exploited), exploiting application vulnerabilities, and malicious removable media.

Employee security awareness training on malware should cover common delivery methods, threats, and impacts to the organization. Important tips include:

  • Be suspicious of files you download in emails, websites, and other mediums
  • Don’t install unauthorized software
  • Keep antivirus running and up to date
  • Contact IT/security team immediately if you may have a malware infection

3. Password Security

Passwords are the most common and easiest-to-use authentication system in existence. Most employees have dozens of online accounts accessible via a username (often their email address) and a password.

Poor password security is one of the biggest threats to modern enterprise security. And a solid password security protocol is a crucial security awareness topic. Some important password security tips to include in training content:

  • Always use a unique password for each online account
  • Follow company password practices, such as long passphrases or randomly generated characters
  • Use a password manager to generate and store strong passwords for each account
  • Use multi-factor authentication (MFA) when available to reduce the impact of a compromised password

4. Removable media

Removable media (such as USBs or external hard drives) are a useful tool for cybercriminals since they enable malware to bypass an organization’s network-based security defenses. Malware can be installed on the media and configured to execute automatically with Autorun — or have an enticing filename to trick employees into clicking. Malicious removable media can steal data, install ransomware, or even destroy the computer when connected.

A popular example is dropping a USB stick in a parking lot or common area (bonus for including an enticing label like “Employee compensation”) or handing them out at conferences and other public events. Employees should be trained to properly manage untrusted removable media:

  • Never plug untrusted removable media into a computer
  • Bring all untrusted removable media to IT/security for scanning
  • Disable autorun on all computers

In addition, some organizations may not allow employees to connect any removable media to company machines.

5. Safe internet habits

For most organizations, nearly every employee has access to the internet — and more teams becoming remote has led to a surge in online collaboration. For this reason, building secure online habits across employees is paramount for companies.

Security awareness training for employees should incorporate safe internet habits that prevent attackers from penetrating your corporate network. Some important content to include in training:

  • The ability to recognize suspicious and spoofed domains (like instead of
  • The differences between HTTP and HTTPS and how to identify an insecure connection
  • The dangers of downloading untrusted or suspicious software off the internet
  • The risks of entering credentials or login information into untrusted or risky websites (including spoofed and phishing pages)
  • Watering hole attacks, drive-by downloads, and other threats of browsing suspicious sites

6. Social networking dangers

Social networking is a powerful tool for enterprises to build brand awareness and generate sales, and each of your employees likely belongs to multiple social networking sites. Unfortunately, cybercriminals use social media in various ways to potentially damage your organization or gain unauthorized access — from harvesting data for a future social engineering campaign to phishing attacks that steal credentials to sharing malicious links that could lead to incidents like ransomware.

To prevent the loss of critical data, your enterprise must have a viable social networking training program that should limit the use of social networking and inform employees of the threats of social media:

  • Phishing attacks can occur on social media as well as over email
  • Cybercriminals impersonating trusted brands can steal data or push malware
  • Social engineers are exceedingly good at taking small pieces of information published on social media to craft convincing spearphishing emails

7. Physical security and environmental controls

Security awareness isn’t just about what resides in your company’s computers or handheld devices. Employees should be aware of potential security risks in the physical aspects of the workplace.

Examples of physical security topics include:

  • Visitors or new hires watching as employees type in passwords (known as “shoulder surfing”)
  • Letting in visitors claiming to be inspectors, exterminators, or other uncommon guests who might be looking to get into the system (called “impersonation”)
  • Allowing someone to follow you through a door into a restricted area (called “tailgating”)
  • Leaving passwords on pieces of paper on one’s desk
  • Leaving one’s computer on and not password-protected when leaving work for the night
  • Leaving an office-issued phone or device out in plain sight
  • Physical security controls (doors, locks, and so on) malfunctioning

8. Clean desk policy

A clean desk policy is a sometimes overlooked security awareness topic that ties back to physical security. Sensitive information on a desk, such as sticky notes, papers and printouts, can easily be taken by thieving hands and seen by prying eyes.

A clean desk policy should state that information visible on a desk should be limited to what is currently necessary. Before leaving the workspace for any reason, employees should securely store all sensitive and confidential information.

9. Data management and privacy

Most organizations collect, store, and process a great deal of sensitive information. This includes customer data, employee records, business strategies, and other data important to the proper operation of the business. Suppose this data is publicly exposed or accessible to a competitor or cybercriminal. In that case, your organization may face significant regulatory penalties, damage to consumer relationships, and a loss of competitive advantage.

Employees within an organization need to be trained on how to properly manage the business’s sensitive data to protect data security and customer privacy. Important training content includes:

  • The business’s data classification strategy and how to identify and protect data at each level
  • Regulatory requirements that could impact an employee’s day-to-day operations
  • Approved storage locations for sensitive data on the enterprise network
  • The use of a strong password and MFA for accounts with access to sensitive data

10. Bring-your-own-device (BYOD) policy

BYOD policies enable employees to use their personal devices in the workplace. While this can improve efficiency by enabling employees to use the devices that they are most comfortable with, it also creates potential security risks.

Security awareness training for employees should include the following:
  • Secure workplace devices with a strong password to protect against theft
  • Use a VPN on devices when working from untrusted Wi-Fi
  • Follow company policies around additional protection, such as a company-approved antivirus
  • Only download applications from major app stores or directly from the manufacturer’s website

In addition, the organization may require that full-disk encryption is enabled for BYOD devices and use tools to restrict what can be accessed or shared on the company portion of the device.

Security awareness training for employees plays a crucial role in running a modern business. An untrained and uninformed workforce can put your enterprise in danger of data breaches or other cyber threats. Organizations should adopt a viable security training program encompassing top security awareness topics to help build an educated and cyber-aware workforce.

That may include an ongoing security awareness program with a layered approach to education, frequent security reminders, training all new personnel on new policies as they arrive, and implementing creative incentives to reward employees for being proactive in building a security culture.”
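The phishing tips under topic 1 and the spoofed-domain item under topic 5 describe checks a person performs by eye; the same checks can be automated as a first-pass triage for emails that employees report. The script below is an added example written for this page, not code from Infosec, Security Magazine, Staples or Adaptive Office Solutions. The trusted-domain list, the homoglyph table, the urgency wordlist, the risky-extension list and the sample message are all constructed for illustration and would be tuned to the organization's own domains and mail.

```python
"""Phishing triage for the red flags named above: lookalike sender domain, Reply-To
mismatch, brand name in the display name, urgency/secrecy wording, risky attachment."""
import email
import re
import unicodedata
from email import policy
from email.utils import parseaddr

# Constructed for this example: domains the organization treats as its own or as known partners.
TRUSTED_DOMAINS = {"example.com", "payroll-provider.example"}
URGENCY_TERMS = ("urgent", "immediately", "end of the day", "confidential",
                 "do not share", "wire transfer", "payment")
URGENCY_RE = re.compile(r"\b(" + "|".join(map(re.escape, URGENCY_TERMS)) + r")\b")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".lnk", ".iso", ".html", ".zip")
# Characters attackers swap for look-alikes; both sides are folded before comparison.
HOMOGLYPHS = (("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("rn", "m"), ("vv", "w"))

def fold_domain(domain):
    """Lowercase, NFKC-normalize and collapse homoglyphs so examp1e.com equals example.com."""
    d = unicodedata.normalize("NFKC", domain).strip().lower().rstrip(".")
    for look, real in HOMOGLYPHS:
        d = d.replace(look, real)
    return d

def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute or swap adjacent chars."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # transposition: exampel -> example
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain `domain` imitates, or None if trusted itself or unrelated."""
    domain = domain.lower()
    if domain in trusted:
        return None
    folded = fold_domain(domain)
    for t in trusted:
        # one edit away after folding, or the trusted name embedded in another registrable
        # domain such as example.com.login-portal.test or example-com.test
        if edit_distance(folded, fold_domain(t)) <= 1 or t in domain or t.replace(".", "-") in domain:
            return t
    return None

def triage(raw_message, trusted=TRUSTED_DOMAINS):
    """Return a list of (flag, detail) findings for one raw message; empty means nothing fired."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_domain = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""
    reply_domain = reply_addr.rsplit("@", 1)[-1].lower() if "@" in reply_addr else ""
    findings = []
    if reply_domain and reply_domain != from_domain:
        findings.append(("reply-to-mismatch", f"replies go to {reply_domain}, not {from_domain}"))
    impersonated = lookalike_of(from_domain, trusted)
    if impersonated:
        findings.append(("lookalike-domain", f"{from_domain} resembles trusted {impersonated}"))
    claimed = [t for t in trusted if t.split(".")[0] in display_name.lower()]
    if claimed and from_domain not in trusted:
        findings.append(("brand-in-display-name", f"'{display_name}' names {claimed[0]}, sent from {from_domain}"))
    body = msg.get_body(preferencelist=("plain", "html"))
    text = f"{msg.get('Subject', '')} {body.get_content() if body is not None else ''}".lower()
    hits = sorted(set(URGENCY_RE.findall(text)))
    if hits:
        findings.append(("urgency-language", ", ".join(hits)))
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(("risky-attachment", name))
    return findings

# Constructed sample: a CEO-fraud style message of the kind the tips above describe.
SAMPLE_PHISH = """\
From: "Example Corp Finance" <cfo@examp1e.com>
Reply-To: cfo.examplecorp@mail-relay.test
Subject: URGENT wire transfer needed before end of the day
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please process the attached invoice immediately; keep this confidential until announced.
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"

MZ
--b1--
"""

if __name__ == "__main__":
    for flag, detail in triage(SAMPLE_PHISH):
        print(f"[{flag}] {detail}")
```

Each finding prints as a tagged reason rather than a single score, because the person reading it is the IT or security contact the tips tell employees to call, and they need to know which rule fired. An email with no findings is not necessarily safe, so the output is a prioritization aid, not a verdict. The one-edit threshold catches typos, digit-for-letter swaps and transpositions but not every registered typosquat, and the word list will fire on some genuine finance mail; both are deliberate trade-offs toward catching the cases the tips describe.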


SMBs are not exempt from the threats that make headlines for larger companies, and they are often less prepared to meet them. The three pieces excerpted above agree on the essentials: drop the jargon, meet employees at their current level of understanding, connect each threat to the person's own role, repeat and refresh the message, and cover the core topics (phishing, malware, passwords and MFA, removable media, safe browsing, social media, physical security, clean desks, data handling, and BYOD).

None of that requires a large budget; it requires someone to start the conversation. By doing so today, an SMB can strengthen its defenses, safeguard its sensitive data, and build a security culture that holds up as the threat landscape keeps changing.

At Adaptive Office Solutions, cybersecurity is our specialty. We keep cybercrimes at bay by using analysis, forensics, and reverse engineering to prevent malware attempts and patch vulnerability issues. By making an investment in multilayered cybersecurity, you can leverage our expertise to boost your defenses, mitigate risks, and protect your data with next-gen IT security solutions.

Every device connecting to the internet poses a cybersecurity threat, including that innocent-looking smartwatch you’re wearing. Adaptive’s wide range of experience and certifications fills the gaps in your business’s IT infrastructure and dramatically increases the effectiveness of your cybersecurity posture.

Using our proactive cybersecurity management, cutting-edge network security tools, and comprehensive business IT solutions, you can lower your costs through systems that are running at their prime, creating greater efficiency and preventing data loss and costly downtime. With Adaptive Office Solutions by your side, we’ll help you navigate the complexities of cybersecurity so you can achieve business success without worrying about online threats.

To schedule a Cyber Security Risk Review, call the Adaptive Office Solutions’ hotline at 506-624-9480 or email us at