
Improving Cybersecurity Behavior Among SME Employees

Read Time 8 mins | 05 Feb 2026 | Written by: Nur Rachmi Latifa

Cybersecurity Behavior in SME Employees

Improving cybersecurity behavior among SME employees has become a critical priority as digital transformation accelerates across Malaysian SMEs. While digital technologies drive efficiency and growth, they also expose SMEs to rising cyber threats such as phishing, malware, ransomware, and data breaches—attacks that often exploit employees as the first and most vulnerable line of defense. In Malaysia, where SMEs make up more than 97% of registered businesses, limited cybersecurity budgets, lack of specialized expertise, and low employee awareness mean that cybersecurity behavior, rather than technology alone, plays a decisive role in strengthening organizational cyber resilience.

Understanding Cybersecurity Behavior in SMEs

Cybersecurity behavior describes how employees interact with digital systems, comply with security policies, and respond to cyber threats in their daily work. In the context of SMEs, this behavior is not driven solely by written rules or technical safeguards but is heavily influenced by human elements such as awareness, beliefs, attitudes, and organizational culture. The paper “Information Security Behavior Among Malaysian SMEs: Phishing, Cybersecurity Incident, Human Factors and Risk Mitigation” by Arifin et al. (2024) highlights that human behavior is a central factor behind cybersecurity incidents in Malaysian SMEs, particularly in relation to phishing and social engineering attacks.

Unlike large enterprises with dedicated cybersecurity teams, SME employees often handle multiple responsibilities at once—operational, administrative, and technical. This multitasking environment increases cognitive load and reduces attention to security-related decisions. As a result, employees may unintentionally ignore security procedures, reuse weak passwords, or act hastily when responding to emails. Similar findings are echoed in Bada & Nurse (2019), which shows that time pressure, convenience, and low perceived risk frequently lead SME employees to bypass security controls, even when policies are formally in place.

Because of these realities, improving cybersecurity behavior in SMEs cannot rely on technical controls alone. Firewalls, antivirus software, and policies are necessary but insufficient if employee behavior remains unchanged. Effective improvement requires understanding how SME employees perceive risk, make decisions under pressure, and adapt security practices within real working conditions. Research by Herath & Rao (2009) and Siponen & Vance (2010) emphasizes that security awareness, social norms, and organizational support are critical to shaping consistent and secure behavior, making human-centered cybersecurity strategies essential for SMEs.

Read: Reducing Human Error Through a Cybersecurity Awareness Platform

Why SME Employees Are Prime Targets for Cyber Attacks

Cybercriminals frequently target SME employees because they offer a high-impact yet low-effort entry point into organizations. Compared to large enterprises, SMEs often operate with limited security resources, making individual employees a more effective target than complex technical systems. 

Daily business activities, such as responding to emails, sharing files, or approving requests, create frequent opportunities for attackers to exploit human trust and routine behavior, especially when security awareness is not deeply embedded in everyday workflows. Several characteristics commonly make SME employees more vulnerable to cyber attacks:

  • Limited exposure to structured cybersecurity training
  • High reliance on email and messaging platforms for daily operations
  • Trust-based internal communication cultures
  • Minimal separation of duties across roles
  • Infrequent or reactive security monitoring

Phishing attacks take advantage of these conditions by targeting human psychology rather than technical weaknesses. Employees may be deceived into clicking malicious links, opening infected attachments, or sharing login credentials without realizing they are being attacked. Once a single employee is compromised, attackers can move laterally within the organization, access sensitive data, disrupt operations, or deploy ransomware—often with devastating consequences for SMEs.

Phishing and Its Impact on Malaysian SMEs

Phishing remains one of the most damaging cyber threats facing Malaysian SMEs because it directly targets employees rather than systems. These attacks use deceptive emails, fake websites, or impersonated messages to manipulate trust and prompt quick action, such as clicking links or sharing credentials. The study by Arifin et al. (2024) highlights phishing as a primary driver of cybersecurity incidents in Malaysian SMEs, emphasizing how human behavior plays a decisive role in attack success. The impact of successful phishing attacks extends far beyond immediate technical disruption.

Financial losses may result from fraudulent transactions, business email compromise, or ransomware deployment, while indirect costs include operational downtime and recovery efforts. More critically, phishing incidents often damage reputation and erode customer trust—an issue that is particularly harmful for SMEs that depend on long-term relationships and word-of-mouth credibility. Similar risks are discussed in “Why Phishing Still Works: User Strategies for Combating Phishing Attacks” by Alsharnouby, Alaca, and Chiasson (2015), which explains how human decision-making errors are repeatedly exploited in phishing campaigns.

From a regulatory and governance perspective, phishing incidents can also expose Malaysian SMEs to legal and compliance risks, especially under the Personal Data Protection Act (PDPA). Failure to safeguard personal data due to weak cybersecurity behavior may lead to regulatory penalties and legal liability. Research consistently shows that phishing succeeds not because employees are careless, but because attackers exploit psychological triggers such as trust, urgency, and perceived authority. This insight, reinforced by Back & Guerette (2021) in “Cyber Place Management and Crime Prevention: The Effectiveness of Cybersecurity Awareness Training Against Phishing Attacks”, underscores why improving cybersecurity behavior must focus on awareness, judgment, and decision-making—rather than blaming employees.

Cybersecurity Incidents and Their Business Impact

Beyond phishing, Malaysian SMEs are increasingly exposed to a wide range of cybersecurity incidents that can disrupt daily operations and threaten business continuity. Common incidents include malware infections, ransomware attacks, unauthorized system access, and data breaches. Arifin et al. (2024) highlights that these incidents are closely linked to weaknesses in human behavior, limited awareness, and insufficient risk mitigation practices within SMEs. Malware infections often originate from seemingly harmless actions such as opening email attachments or visiting compromised websites, while ransomware attacks can lock access to critical systems and data. 

When this happens, SMEs may be forced to halt operations or consider paying ransoms to restore access. Data breaches further amplify the damage by exposing customer, financial, or operational data, leading to reputational harm and loss of competitive advantage. Similar impacts are discussed in “Enterprise Data Breach: Causes, Challenges, Prevention, and Future Directions” by Cheng, Liu, and Yao (2017), which emphasizes how cyber incidents extend beyond technical damage into financial and reputational consequences. For SMEs with limited financial reserves and recovery capabilities, even a single cybersecurity incident can be existential. 

Costs associated with incident response, system recovery, legal obligations, and business downtime can quickly exceed what the organization can absorb. Research by Alahmari & Duncan (2020) in “Cybersecurity Risk Management in Small and Medium-Sized Enterprises” reinforces that proactive cybersecurity behavior among employees—such as recognizing threats early and responding correctly—is a strategic business necessity, not merely a technical concern.

Human Factors Shaping Cybersecurity Behavior

Arifin et al. (2024) emphasizes that human factors play a central role in shaping cybersecurity outcomes within organizations, particularly in SMEs where employees interact directly with digital systems every day. Even the most advanced technical controls can be weakened or strengthened by how employees think, decide, and act when faced with potential cyber threats.

Awareness and Knowledge

Employees who understand common cyber threats such as phishing, malware, and social engineering are far more likely to recognize suspicious activity and respond correctly. When awareness is low, employees may unknowingly click malicious links or share sensitive information, significantly increasing the likelihood of security incidents. Continuous, practical education helps employees translate knowledge into safer daily behavior.

Attitudes Toward Security

Employee attitudes strongly influence whether security practices are followed or ignored. When security controls are perceived as inconvenient, unnecessary, or disruptive to productivity, employees are more likely to bypass them. In contrast, positive attitudes toward cybersecurity, where employees understand the purpose and value of controls, are closely associated with higher compliance and more secure behavior.

Organizational Culture

Organizational culture shapes how seriously cybersecurity is taken across the workplace. A culture that prioritizes speed and output over security can discourage employees from acting cautiously or reporting mistakes. Conversely, a security-conscious culture empowers employees to act responsibly, ask questions, and report incidents without fear of blame, reinforcing collective accountability for cybersecurity.

Cognitive Biases

Cognitive biases such as overconfidence, optimism bias, and familiarity bias often lead employees to underestimate cyber risks or trust suspicious messages too easily. Attackers deliberately exploit these mental shortcuts through social engineering tactics that create urgency or impersonate authority. Addressing these biases requires helping employees recognize how psychological factors influence their decisions, not just teaching technical rules.

Addressing human factors therefore requires behavioral interventions that go beyond traditional awareness campaigns. By combining education, cultural reinforcement, and an understanding of human psychology, organizations can foster cybersecurity behavior that actively reduces risk rather than unintentionally enabling it.

Trust, Belief, and Social Norms in SME Environments

Trust and belief play a decisive role in shaping cybersecurity behavior among SME employees, particularly in environments where close working relationships and informal processes are common. Employees who trust organizational systems and leadership are more likely to comply with security policies, share concerns, and report suspicious activities without hesitation. Arifin et al. (2024) emphasizes that trust in management and security practices strengthens employees’ willingness to engage in secure behavior, especially in Malaysian SME settings where personal relationships strongly influence workplace conduct.

Beliefs about the effectiveness of cybersecurity measures further determine whether employees take security seriously or view it as mere compliance. When security controls are perceived as meaningful and protective—rather than symbolic—employees are more motivated to follow them consistently. Social norms then amplify this effect: if peers and managers visibly practice secure behavior, it quickly becomes the accepted standard within the organization.

This dynamic is supported by Ajzen (1991) in “The Theory of Planned Behavior” and reinforced by Warkentin, Johnston, and Shropshire (2011) in “The Influence of the Informal Social Learning Environment on Information Privacy Policy Compliance,” both of which highlight how shared beliefs and social reinforcement strongly influence security-related decisions. Improving cybersecurity behavior in SMEs therefore requires shaping collective expectations and norms, not just individual knowledge.

Strategies for Improving Cybersecurity Behavior Among SME Employees

Improving cybersecurity behavior among SME employees requires a holistic, people-centric approach that treats human behavior as a core component of cyber risk. Rather than relying solely on technology or compliance-driven policies, SMEs need strategies that reflect how employees actually work, think, and make decisions in daily operations.

Behavior-Focused Security Awareness Training

Security awareness training should prioritize real-world scenarios, decision-making, and practical responses to common threats such as phishing and social engineering, rather than simple policy memorization. Short, frequent, and scenario-based training helps employees build intuition and confidence, making secure behavior a habit rather than a one-time lesson.

Phishing Simulation and Feedback

Phishing simulations allow employees to experience realistic attack scenarios in a safe environment without fear of punishment. Immediate and constructive feedback reinforces learning, highlights decision points, and helps employees recognize attack patterns more effectively over time, reducing the likelihood of real-world compromise.

Clear and Usable Security Policies

Security policies should be simple, actionable, and aligned with everyday workflows. When policies are overly complex or disconnected from real tasks, employees are more likely to ignore or bypass them. Clear guidance that explains why a rule exists helps employees make better security decisions independently.

Leadership Role Modeling

Leadership behavior strongly influences employee behavior. When SME leaders visibly follow security practices, such as verifying requests, reporting suspicious emails, and respecting security controls, it signals that cybersecurity is a shared responsibility, not just an IT concern. This sets a powerful tone for organizational norms.

Positive Reinforcement

Recognizing and rewarding secure behavior encourages active participation and accountability. Simple actions, such as acknowledging employees who report phishing attempts, help reinforce the message that cybersecurity is valued and that proactive behavior is appreciated, not overlooked.

Psychological Safety

Employees must feel safe to report mistakes, near misses, or suspicious activity without fear of blame or punishment. A blame-free environment supports early detection, faster response, and continuous learning—critical factors in reducing long-term cyber risk.

These strategies align closely with the Human Risk Management approach adopted by SiberMate, which focuses on shaping everyday security behavior rather than relying solely on technical defenses. By combining behavior-focused training, phishing simulations, clear guidance, and positive reinforcement, SiberMate helps SMEs reduce human-driven cyber risk and build a sustainable cybersecurity culture where employees act as the first line of defense.

Read: How SiberMate Supports Long-Term Cybersecurity Awareness Programs

Conclusion

Improving cybersecurity behavior among SME employees is one of the most effective ways to reduce cyber risk in Malaysian SMEs, as human behavior ultimately determines whether security controls succeed or fail. With phishing, malware, and data breaches continuing to exploit human vulnerabilities, SMEs must move beyond compliance-driven security toward behavior-driven risk management. Through a Human Risk Management approach, SiberMate helps SMEs build awareness, trust, and positive security habits—enabling employees to become the first line of defense and supporting sustainable growth in an increasingly digital economy.


Nur Rachmi Latifa

A writer who focuses on producing content related to Cybersecurity, Privacy, and Human Cyber Risk Management.
