Week 5: Your Staff Are Your Biggest Risk (and Your Best Defence)
Part of the 30-Day SME Cyber Security Series
You can have:
* MFA enabled
* Strong passwords
* Secure devices
* Reliable backups
…and still get breached.
Why?
👉 Because cyber attacks don’t start with systems.
They start with **people**.
—
## The Reality: Most Attacks Target Humans
Attackers don’t need to break in.
They just need someone to:
* Click a link
* Open an attachment
* Trust the wrong email
—
## What This Looks Like in the Real World
—
### 📧 Example: The “Urgent Payment” Email
An employee receives:
> “Hi — can you urgently process this payment today?”
It looks like it came from the director.
Same tone. Same signature.
They act quickly.
👉 $25,000 is transferred to a fraudulent account.
—
### 🔗 Example: The Fake Login Page
An employee clicks:
> “Your Microsoft 365 session has expired — log in again”
They enter:
* Email
* Password
Now the attacker has access.
—
### 📎 Example: The Malicious Attachment
> “Invoice attached”
They open it.
Malware installs.
👉 Access spreads silently.
—
## The Hard Truth
> Your employees are not the problem.
> **They are the target.**
—
## The Fix: Awareness + Simple Behaviours
You don’t need:
* Formal certifications
* Long training sessions
You need:
👉 **Practical awareness and simple habits**
—
## The 5 Things Every Employee Should Know
—
### 🧠 1. Stop and Think
If something feels:
* Urgent
* Unusual
* Too important
👉 Pause.
—
### 🔍 2. Check the Sender
* Look closely at email addresses
* Watch for slight variations
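As an added illustration (not part of the original post), here is a small Python check that automates the "slight variations" test: it flags sender domains that only resemble a trusted one through character swaps, a near-miss spelling, or a trusted name tucked in as a subdomain. The trusted domains and sample addresses are constructed for the example.

```python
import re
import unicodedata
from difflib import SequenceMatcher
from typing import Optional, Tuple

# Constructed for this example: the domains staff legitimately deal with.
TRUSTED_DOMAINS = {"acme-widgets.com", "payroll-provider.net"}

# Character swaps commonly used to imitate a domain (rn for m, digits for letters).
SUBSTITUTIONS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def sender_domain(address: str) -> str:
    """Pull the domain out of 'Jane Smith <jane@acme-widgets.com>' or a bare address."""
    match = re.search(r"<([^>]+)>", address)
    mailbox = match.group(1) if match else address.strip()
    return mailbox.rsplit("@", 1)[-1].lower()


def normalise(domain: str) -> str:
    """Fold compatibility characters and common swaps so 'acrne-widgets.com' reads as 'acme-widgets.com'."""
    folded = unicodedata.normalize("NFKC", domain).lower()
    for fake, real in SUBSTITUTIONS:
        folded = folded.replace(fake, real)
    return folded


def classify_sender(address: str) -> Tuple[str, Optional[str]]:
    """Return ('trusted', domain), ('lookalike', imitated_domain) or ('unknown', None)."""
    domain = sender_domain(address)
    if domain in TRUSTED_DOMAINS:
        return "trusted", domain
    folded = normalise(domain)
    for trusted in TRUSTED_DOMAINS:
        # Exact match after folding, or a trusted name used as a subdomain of
        # something else (acme-widgets.com.login-now.biz), is a deliberate imitation.
        if folded == trusted or folded.startswith(trusted + "."):
            return "lookalike", trusted
        # A near-miss spelling (dropped or swapped letter, non-Latin lookalike glyph).
        if SequenceMatcher(None, folded, trusted).ratio() >= 0.85:
            return "lookalike", trusted
    return "unknown", None


if __name__ == "__main__":
    for addr in ["Jane <jane@acme-widgets.com>", "jane@acrne-widgets.com", "bob@gmail.com"]:
        print(addr, "->", classify_sender(addr))
```

A result of "lookalike" is the cue from point 2 above: stop and verify through another channel rather than replying to the email.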
—
### 🔗 3. Don’t Click First
Hover over links.
If unsure:
👉 Don’t click — verify first
—
### 💬 4. Verify Requests
Payment requests?
👉 Call or confirm via another channel
—
### 🚫 5. It’s OK to Say “No”
Staff should feel confident to:
* Question requests
* Delay actions
* Escalate concerns
—
## Step-by-Step Setup (Simple and Effective)
—
### 🔹 Step 1: Run a 10-Minute Briefing
Explain:
* Common scams
* Real examples
* What to do
—
### 🔹 Step 2: Set Clear Rules
Simple policies:
* No payment changes via email only
* Always verify financial requests
* Report suspicious emails
—
### 🔹 Step 3: Create a Reporting Culture
Make it easy to say:
> “This looks suspicious”
👉 No blame. No embarrassment.
—
### 🔹 Step 4: Reinforce Regularly
* Monthly reminder
* Share examples
* Keep it short
—
### 🔹 Step 5: Lead by Example
If leadership:
* Verifies requests
* Follows process
👉 Staff will too
—
## ⚠️ What Most Businesses Get Wrong
—
### ❌ 1. “We sent one training email”
That’s not training.
👉 **Fix:** Keep it ongoing and practical
—
### ❌ 2. Blaming staff
Creates:
* Fear
* Silence
👉 **Fix:** Encourage reporting, not punishment
—
### ❌ 3. Overcomplicating it
Too many rules → ignored
👉 **Fix:** Keep it simple
—
### ❌ 4. Ignoring near misses
Almost got scammed?
👉 That’s a learning opportunity
—
### ❌ 5. No process for financial requests
This is where most losses happen
👉 **Fix:** Define verification steps
—
## 🧠 Simple Rule for Your Business
> If your staff feel safe to question something — you’re more secure.
—
## What You Should Do This Week
### Day 1:
* Run a short awareness session
### Day 2:
* Set simple rules
### Day 3:
* Communicate reporting process
### Day 4–5:
* Share real examples
### Day 6–7:
* Reinforce behaviours
—
## The Outcome
After just one week:
* Phishing risk → **reduced significantly**
* Fraud risk → **controlled**
* Staff confidence → **increased**
—
## Final Thought
Cybersecurity isn’t just technology.
It’s:
👉 **People making better decisions, every day**
—
## Bringing It All Together
Over the past 30 days, you’ve implemented:
* MFA
* Password management
* Backups
* Device security
* Staff awareness
👉 That’s a **real, practical cybersecurity baseline**
Previous post: Week 4: Your Laptop Is the Weakest Link — Here’s How to Fix It
**Want help rolling this out across your business?**
IQ People works with SMEs to implement simple, effective cybersecurity — without enterprise complexity.
