Ninety-five percent of successful cyberattacks involve human error. Not a missed software patch, not a zero-day exploit — a person clicking the wrong link, reusing a password, or wiring money to a spoofed email address. For small businesses in New Jersey and New York City, that statistic is not just a talking point; it is the single most actionable number in cybersecurity. Technology alone will not save you. Your employees either are your strongest security control or your largest vulnerability, and the difference comes down to training.
This guide walks NJ and NYC small business owners through building a security awareness training program from scratch — without a dedicated IT department and without a large budget. We cover what to train on, how to run phishing simulations, which tools are worth paying for, what the NJ SHIELD Act requires, and how to build a culture where security is everyone's job.
Why Human Error Is Your Biggest Risk
Phishing attacks account for more than 80% of reported security incidents, and business email compromise (BEC) — where an attacker impersonates an executive or vendor to redirect payments — cost U.S. businesses over $2.9 billion in losses in 2023 alone according to FBI IC3 data. Small businesses are not exempt; they are often specifically targeted because attackers assume they have weaker controls than enterprise companies.
The good news is that human error is the most trainable risk you have. Unlike a software vulnerability that requires a vendor patch, a well-trained employee can learn to pause, verify, and report suspicious activity — and that behavior, reinforced repeatedly over time, measurably reduces your breach risk.
What to Train Employees On
A complete security awareness curriculum for a small business should cover six core topics:
- Phishing and email recognition.Teach employees to inspect the sender's full email address (not just the display name), hover over links before clicking, be skeptical of urgency or fear tactics ("Your account will be suspended in 24 hours"), and verify unexpected requests by phone before acting.
- Password hygiene. Every employee should use a password manager (Bitwarden is free; 1Password and Dashlane are strong paid options). Passwords should be unique per account and at least 16 characters. Multi-factor authentication (MFA) should be mandatory on email, banking, and any system that holds customer data.
- Social engineering awareness.Attackers do not always come through email. Train employees to recognize pretexting calls ("I'm from IT, I need your password to fix your account"), tailgating into secure areas, and shoulder surfing in public. A healthy skepticism of unsolicited requests is the goal.
- Safe browsing. Employees should avoid public Wi-Fi for work without a VPN, not install unauthorized browser extensions or software, and know how to verify a site uses HTTPS before entering any credentials.
- Secure file sharing. Personal email, USB drives, and consumer file apps are not acceptable for business data. Establish an approved list of tools (Google Drive, SharePoint, Dropbox Business) and make sure employees understand why the rule exists — not just that it is a rule.
- Incident reporting. Every employee must know exactly who to contact and what steps to take the moment something looks wrong — a suspicious email, an accidental click, a missing laptop. Speed matters enormously in breach containment, and fear of punishment is the most common reason employees delay reporting. Make it safe to speak up immediately.
How to Run Tabletop Phishing Simulations
A phishing simulation is a controlled test where you send fake phishing emails to your own employees and track who clicks, who submits credentials, and who reports the email. Done well, simulations are the single highest-ROI security activity a small business can run.
Here is a simple process to get started:
- Choose a platform. KnowBe4 and Proofpoint Security Awareness Training are the two dominant paid platforms and include large template libraries, automated scheduling, and reporting dashboards. For a very small team on a tight budget, GoPhish is an open-source self-hosted option. CISA also provides free phishing simulation guidance through its free cybersecurity services catalog.
- Design a realistic scenario. Start with a moderately difficult email (not an obvious misspelling from a Nigerian prince). A fake invoice from a known vendor name, a fake IT password reset, or a fake package delivery notification are all realistic starting points.
- Set a reporting mechanism.Employees should have a one-click "Report Phishing" button in their email client. Outlook and Gmail both support add-ins for this.
- Deliver immediate, non-punitive feedback. When an employee clicks a simulated phishing link, redirect them instantly to a short (2–3 minute) training moment — not a reprimand. Document who clicked and who reported.
- Track metrics over time. Record your click rate, report rate, and repeat-clicker rate each month. These are the numbers that demonstrate program effectiveness to management, auditors, and cyber insurers.
Free and Paid Training Resources
You do not need a large budget to start. Here is a breakdown of the available options:
Free resources
- CISA (Cybersecurity and Infrastructure Security Agency) — Offers free phishing guidance, training videos, and the Stop. Think. Connect. campaign materials. Fully free and updated regularly.
- NIST Cybersecurity Framework resources — Free frameworks and assessment tools that map directly to what NJ regulators expect under the SHIELD Act.
- Google's Phishing Quiz — A quick interactive test that shows employees real-world phishing examples. Useful as a warm-up exercise.
- Have I Been Pwned — Let employees check if their email addresses have appeared in known data breaches. A powerful motivator for better password practices.
Paid platforms
- KnowBe4 — The market leader. Includes thousands of phishing templates, an extensive content library, automated training assignments, and compliance reporting. Pricing starts around $15–$25 per user per year. Offers a free trial.
- Proofpoint Security Awareness Training — Strong in regulated industries. Includes behavioral conditioning tools that adapt training to individual risk profiles. Pricing is similar to KnowBe4.
- Curricula (now part of Huntress) — A good mid-market option with a lighter, story-driven training format that employees tend to find less dry than traditional compliance videos.
For most NJ small businesses with 5–50 employees, KnowBe4's entry tier or a mix of CISA free materials plus a basic GoPhish setup is sufficient to meet SHIELD Act administrative safeguard expectations and satisfy a cyber insurance questionnaire.
Training Frequency, Format, and Tracking Completion
The format and cadence of training matters as much as the content. A single annual 30-minute video that employees click through while checking their phones is not a training program — it is a liability checkbox. Research consistently shows that short, frequent training outperforms long, infrequent training.
Recommended cadence:
- Monthly phishing simulations — Automated via your platform of choice. No additional employee time required; the simulation runs in the background.
- Quarterly micro-training — 5–10 minute focused modules on a single topic (one quarter: passwords; next quarter: social engineering; etc.). Short modules have dramatically higher completion and retention rates.
- Annual comprehensive review — A 30–45 minute full curriculum refresh covering all six core topics. This is your formal SHIELD Act compliance training event and should be documented.
- Role-based training as needed — Finance staff who handle wire transfers should receive BEC-specific training. IT staff and executives should receive targeted deep-dive sessions.
Track completion in writing. Whether you use a platform like KnowBe4 or a simple spreadsheet, record who completed which training on which date. This documentation is what you present to a cyber insurer, a client auditor, or a state regulator after an incident. Undocumented training is, for practical purposes, training that did not happen.
NJ SHIELD Act Compliance and What It Means for Small Businesses
New Jersey's SHIELD Act (P.L. 2019, c. 382), effective March 2020, significantly expanded the state's data breach notification requirements and — critically for this guide — introduced a new affirmative obligation: any business that owns or licenses New Jersey residents' personal information must implement "reasonable security procedures and practices."
For smaller businesses (fewer than 50 employees and less than $3 million in revenue over the prior three years), the SHIELD Act provides a scaled standard. You must implement safeguards "appropriate to the size and complexity" of your business. The law explicitly identifies employee training as one of the required administrative safeguards alongside policies for employee security practices, vendor oversight, and disposal of data.
Practical compliance steps for NJ small businesses:
- Create and maintain a written information security policy (WISP) — even a two-page document counts.
- Document employee training annually at minimum, with sign-off records.
- Establish a written incident response plan that identifies who to notify (NJ AG's office) and when.
- Ensure any vendors who touch your customer data have their own reasonable security practices.
- Inventory what personal information you collect and where it is stored.
NYC businesses should also be aware of the New York SHIELD Act (which preceded NJ's) and NYDFS Cybersecurity Regulation (23 NYCRR 500) if you operate in financial services or insurance. Minuswires helps NJ and NYC businesses establish the documentation and digital infrastructure to meet these obligations without enterprise-level overhead.
Building a Security-Conscious Culture
Training sessions and phishing simulations are tools. A security-conscious culture is what makes those tools work over time. Culture is built through leadership behavior, consistent communication, and removing friction from secure behavior.
Concrete steps that move the needle:
- Owners and managers go first. If leadership visibly uses a password manager, enables MFA, and completes training alongside employees, the signal is clear. Exempting senior staff destroys credibility and creates your highest-risk accounts.
- Celebrate reporting, not just avoidance. An employee who clicks a phishing link and immediately reports it did something right. Reward that behavior explicitly.
- Make secure defaults the easy option. Pre-configure MFA on company accounts before issuing them. Require a VPN on company devices before they leave the office. Default-deny is always more effective than opt-in.
- Discuss real incidents in team meetings. When a major breach is in the news (and there is always one), spend five minutes explaining what happened and what your team would do differently. This contextualizes training in real consequences.
- Review your program annually.The threat landscape changes. Last year's phishing email looks different from this year's AI-generated spear-phishing message. Your training content should stay current.
Security awareness training is not a one-time project — it is an ongoing operational habit. The businesses that get breached are almost never the ones with the worst technology; they are the ones who treated security as a checkbox rather than a practice. Start with a phishing simulation this week, layer in quarterly micro-training, document everything, and revisit your program every year. That is a reasonable security program under the SHIELD Act and a meaningful reduction in your real-world breach risk.
Minuswires works with NJ and NYC small businesses to build and maintain the digital infrastructure — secure hosting, access controls, and documented processes — that supports a sound security posture. If you want help reviewing your current setup or putting a training framework in place, schedule a free consultation.