June 9, 2023 By Ronda Swaney 4 min read

To understand why you need cybersecurity awareness training, you must first understand employees’ outsized roles in security breaches.

“People remain — by far — the weakest link in an organization’s cybersecurity defenses,” noted Verizon on the release of their 2022 Data Breach Investigations Report (DBIR). They elaborate that 25% of all breaches covered in the report were the result of social engineering attacks, and when you add human errors and misuse of privilege, the human element accounts for 82% of the breaches.

What does the phrase “human element” mean? It describes the often unintentional and careless mistakes people make. Falling prey to a phishing attack. Losing a device like a company laptop or phone. Mistakenly emailing sensitive information to the wrong person. Circumventing security protocols to make their work life easier.

No matter how these breaches happen, cyber crime is costly. In 2023, it’s anticipated that the global annual cost of cyber crime will top $8 trillion, according to a Cybersecurity Ventures report. Add to this the long-term costs associated with bad publicity and the reputational damage that results. No business is immune. The 2022 DBIR report notes that even very small businesses (10 or fewer employees) are targets. Cybersecurity should be a priority for every business regardless of size, type or industry.

The high cost of a breach makes cybersecurity awareness training seem like a simple decision. On the surface, it is. Like buying insurance, it’s something you know you need, but the details and choices feel overwhelming. Let’s review the basics of security awareness training and how to implement a program that works for your business.

The pros and cons of different training types

Building cybersecurity awareness centers on making employees aware of the role they play in securing information. Building that awareness takes time. Training must be updated and delivered regularly to keep pace with emerging and evolving security threats. This training helps employees understand why cybersecurity matters and teaches them how to identify and respond to potential threats.

There are two main types of training, in-person and remote. In-person instructor-led training is the most expensive. In this training, the instructor can spend time on specific topics if they prove challenging for students to grasp. Students can ask the instructor questions in real-time. This type of training works best when employees are close geographically.

Instructor-led remote training is another option. These sessions occur in a real-time video conference. They get less engagement since students can likely only ask questions in a chat program. It may be harder for the instructor to know if students are struggling with a topic since there won’t be visual or oral clues from students. This training is less costly, involves no travel time and students can attend from anywhere.

Finally, there is remote training that isn’t instructor-led. This may involve video segments or other online tools that students complete on their own time. This is typically the least expensive option and allows students to complete it from anywhere at their own convenience. However, there is less engagement, fewer options to ask questions and students may fast-forward through videos so they can mark the task as complete, whether they learned anything or not.

Your training program may also be a hybrid of all of the above. If you have in-person onboarding for new employees, consider adding a module for cybersecurity awareness training. Follow-up training sessions could then occur remotely, either with an instructor or as self-directed modules.

Detailing the greatest threats

The content of your cybersecurity awareness training depends on many things. First, let’s consider your sector. Some industries are more susceptible to cyber crime than others. The IBM X-Force Threat Intelligence Index 2023 found the top five most attacked sectors were:

  • Manufacturing
  • Finance and insurance
  • Professional, business and consumer services
  • Energy
  • Retail and wholesale.

Criminals go where the money is or to places that have records or proprietary knowledge that can be stolen and sold for large sums. Any business can be a target, but cybersecurity awareness training should have higher priority if you belong to a targeted sector.

How many employees you have and what they do also affects your threat level. If you have thousands of worldwide employees who interact with others via email, travel frequently or use company-issued devices, then your organization has many possible attack surfaces. That’s an alluring proposition for cyber criminals seeking easy targets.

Another consideration may be how often your organization has been attacked in the past and if those attacks were successful. If you’ve noted specific types of attacks (like phishing or other social engineering tactics), then that needs to be addressed in your training.

Prioritizing training — What’s needed most

Knowing your greatest threats and past vulnerabilities offers insight into the training needed most. If employees succumbed in the past to phishing attempts or ransomware demands, that may be where to start. If you know you have records that, if stolen, could deliver a huge payday for criminals, prioritize training for the groups most responsible for protecting those records, such as your internal IT security teams. Compliance regulations such as HIPAA, GDPR or PCI are also an obvious starting point for your training program.

Prioritizing training — Who should learn first

Everyone in your organization needs general cybersecurity awareness training, but some groups will need more specific training. Security teams require specialized training to be aware of new and growing threats, as well as the best policies and actions to reduce risks. If you have a large C-suite or executive team, they and their support personnel should stay up to date on spear phishing when attackers impersonate C-level executives to get other employees to reveal sensitive information or wire transfer funds. If you are subject to compliance regulations, employees who generate, share and refer to data will need regular training on how to follow regulations, the costs of not complying and when or if regulations change.

Maintaining cybersecurity awareness training programs

Getting started is the biggest roadblock, but keeping training relevant and constant is the next. Here are a few tips for maintaining your cybersecurity awareness training:

  • Add it to new employee onboarding so that everyone has a base level of knowledge
  • After training, choose key performance metrics to track that it changed employee behavior in a positive way
  • Make the training regular. Some businesses offer annual training, while others do monthly mini-courses to keep the topic top of mind.
  • Perform drills or penetration tests to give everyone real-world experience in recognizing and responding to threats
  • Constantly review, renew and revise training to ensure it’s engaging, relevant and easy to understand.

As long as cyber criminals remain a threat, cybersecurity awareness training remains a necessity.

More from Risk Management

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Protecting your digital assets from non-human identity attacks

4 min read - Untethered data accessibility and workflow automation are now foundational elements of most digital infrastructures. With the right applications and protocols in place, businesses no longer need to feel restricted by their lack of manpower or technical capabilities — machines are now filling those gaps.The use of non-human identities (NHIs) to power business-critical applications — especially those used in cloud computing environments or when facilitating service-to-service connections — has opened the doors for seamless operational efficiency. Unfortunately, these doors aren’t the…

Cybersecurity dominates concerns among the C-suite, small businesses and the nation

4 min read - Once relegated to the fringes of business operations, cybersecurity has evolved into a front-and-center concern for organizations worldwide. What was once considered a technical issue managed by IT departments has become a boardroom topic of utmost importance. With the rise of sophisticated cyberattacks, the growing use of generative AI by threat actors and massive data breach costs, it is no longer a question of whether cybersecurity matters but how deeply it affects every facet of modern operations.The 2024 Allianz Risk…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today