June 9, 2023 By Ronda Swaney 4 min read

To understand why you need cybersecurity awareness training, you must first understand employees’ outsized roles in security breaches.

“People remain — by far — the weakest link in an organization’s cybersecurity defenses,” noted Verizon on the release of their 2022 Data Breach Investigations Report (DBIR). They elaborate that 25% of all breaches covered in the report were the result of social engineering attacks, and when you add human errors and misuse of privilege, the human element accounts for 82% of the breaches.

What does the phrase “human element” mean? It describes the often unintentional and careless mistakes people make. Falling prey to a phishing attack. Losing a device like a company laptop or phone. Mistakenly emailing sensitive information to the wrong person. Circumventing security protocols to make their work life easier.

No matter how these breaches happen, cyber crime is costly. In 2023, it’s anticipated that the global annual cost of cyber crime will top $8 trillion, according to a Cybersecurity Ventures report. Add to this the long-term costs associated with bad publicity and the reputational damage that results. No business is immune. The 2022 DBIR report notes that even very small businesses (10 or fewer employees) are targets. Cybersecurity should be a priority for every business regardless of size, type or industry.

The high cost of a breach makes cybersecurity awareness training seem like a simple decision. On the surface, it is. Like buying insurance, it’s something you know you need, but the details and choices feel overwhelming. Let’s review the basics of security awareness training and how to implement a program that works for your business.

The pros and cons of different training types

Building cybersecurity awareness centers on making employees aware of the role they play in securing information. Building that awareness takes time. Training must be updated and delivered regularly to keep pace with emerging and evolving security threats. This training helps employees understand why cybersecurity matters and teaches them how to identify and respond to potential threats.

There are two main types of training: in-person and remote. In-person instructor-led training is the most expensive. In this training, the instructor can spend time on specific topics if they prove challenging for students to grasp. Students can ask the instructor questions in real time. This type of training works best when employees are close geographically.

Instructor-led remote training is another option. These sessions occur in a real-time video conference. They get less engagement, since students can often only ask questions through a chat window. It may be harder for the instructor to know whether students are struggling with a topic, since there are few visual or verbal cues from students. This training is less costly, involves no travel time and students can attend from anywhere.

Finally, there is remote training that isn’t instructor-led. This may involve video segments or other online tools that students complete on their own time. This is typically the least expensive option and allows students to complete it from anywhere at their own convenience. However, there is less engagement, fewer options to ask questions and students may fast-forward through videos so they can mark the task as complete, whether they learned anything or not.

Your training program may also be a hybrid of all of the above. If you have in-person onboarding for new employees, consider adding a module for cybersecurity awareness training. Follow-up training sessions could then occur remotely, either with an instructor or as self-directed modules.

Detailing the greatest threats

The content of your cybersecurity awareness training depends on many things. First, let’s consider your sector. Some industries are more susceptible to cyber crime than others. The IBM X-Force Threat Intelligence Index 2023 found the top five most attacked sectors were:

  • Manufacturing
  • Finance and insurance
  • Professional, business and consumer services
  • Energy
  • Retail and wholesale.

Criminals go where the money is or to places that have records or proprietary knowledge that can be stolen and sold for large sums. Any business can be a target, but cybersecurity awareness training should have higher priority if you belong to a targeted sector.

How many employees you have and what they do also affects your threat level. If you have thousands of worldwide employees who interact with others via email, travel frequently or use company-issued devices, then your organization presents a large attack surface. That’s an alluring proposition for cyber criminals seeking easy targets.

Another consideration may be how often your organization has been attacked in the past and if those attacks were successful. If you’ve noted specific types of attacks (like phishing or other social engineering tactics), then that needs to be addressed in your training.

Prioritizing training — What’s needed most

Knowing your greatest threats and past vulnerabilities offers insight into the training needed most. If employees succumbed in the past to phishing attempts or ransomware demands, that may be where to start. If you know you have records that, if stolen, could deliver a huge payday for criminals, prioritize training for the groups most responsible for protecting those records, such as your internal IT security teams. Compliance regulations such as HIPAA, GDPR or PCI DSS are also an obvious starting point for your training program.

Prioritizing training — Who should learn first

Everyone in your organization needs general cybersecurity awareness training, but some groups will need more specific training. Security teams require specialized training to be aware of new and growing threats, as well as the best policies and actions to reduce risks. If you have a large C-suite or executive team, they and their support personnel should stay up to date on spear phishing aimed at executives (sometimes called whaling) and on business email compromise, in which attackers impersonate C-level executives to get other employees to reveal sensitive information or wire funds. If you are subject to compliance regulations, employees who generate, share and refer to data will need regular training on how to follow regulations, the costs of not complying and when or if regulations change.

Maintaining cybersecurity awareness training programs

Getting started is the biggest roadblock, but keeping training relevant and constant is the next. Here are a few tips for maintaining your cybersecurity awareness training:

  • Add it to new employee onboarding so that everyone has a base level of knowledge
  • After training, choose key performance metrics (for example, click and report rates in simulated phishing campaigns) to verify that it changed employee behavior in a positive way
  • Make the training regular. Some businesses offer annual training, while others do monthly mini-courses to keep the topic top of mind.
  • Run drills, such as simulated phishing campaigns, or penetration tests that include a social engineering component, to give everyone real-world experience in recognizing and responding to threats
  • Constantly review, renew and revise training to ensure it’s engaging, relevant and easy to understand.
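The metrics and drills bullets above are easiest to act on when simulation results are scored consistently from one campaign to the next. The following is an added example, not code from the original article or from any particular simulation product: it takes a constructed export of per-recipient outcomes from three hypothetical phishing simulations and computes per-campaign click, credential-submission and report rates, the median time to report, the users who clicked in more than one campaign (candidates for targeted retraining rather than another all-hands module), and whether the trend across campaigns is moving the right way. The campaign names, user names and field layout are assumptions; a real platform's export will differ.

```python
"""Score phishing-simulation results to check whether awareness training
changes behavior over time.

Added example, not part of the original article. RESULTS below is constructed
sample data: one tuple per recipient per campaign, in the form
(campaign, user, clicked, submitted_credentials, minutes_to_report).
minutes_to_report is None when the user did not report the lure.
"""
from collections import defaultdict
from statistics import median

RESULTS = [
    # Campaign 1: most recipients clicked, two reported.
    ("2023-Q1", "alice", True,  True,  None),
    ("2023-Q1", "bob",   True,  False, None),
    ("2023-Q1", "carol", False, False, 5),
    ("2023-Q1", "dave",  True,  False, None),
    ("2023-Q1", "erin",  True,  False, None),
    ("2023-Q1", "frank", False, False, 30),
    # Campaign 2, after training: fewer clicks, more reports.
    ("2023-Q2", "alice", True,  False, None),
    ("2023-Q2", "bob",   False, False, 10),
    ("2023-Q2", "carol", False, False, 3),
    ("2023-Q2", "dave",  True,  False, None),
    ("2023-Q2", "erin",  False, False, 8),
    ("2023-Q2", "frank", False, False, None),
    # Campaign 3: one persistent clicker, everyone else reports.
    ("2023-Q3", "alice", True,  True,  None),
    ("2023-Q3", "bob",   False, False, 2),
    ("2023-Q3", "carol", False, False, 4),
    ("2023-Q3", "dave",  False, False, 6),
    ("2023-Q3", "erin",  False, False, 1),
    ("2023-Q3", "frank", False, False, 12),
]


def campaign_metrics(results):
    """Per-campaign rates keyed by campaign name.

    Training should push click_rate and submit_rate down and report_rate up;
    a falling click rate alone can just mean people ignore email, so the
    report rate and time to report are the better behavior signals.
    """
    by_campaign = defaultdict(list)
    for row in results:
        by_campaign[row[0]].append(row)

    metrics = {}
    for campaign, rows in sorted(by_campaign.items()):
        sent = len(rows)
        report_times = [mins for (_, _, _, _, mins) in rows if mins is not None]
        metrics[campaign] = {
            "sent": sent,
            "click_rate": sum(clicked for (_, _, clicked, _, _) in rows) / sent,
            "submit_rate": sum(sub for (_, _, _, sub, _) in rows) / sent,
            "report_rate": len(report_times) / sent,
            "median_minutes_to_report": median(report_times) if report_times else None,
        }
    return metrics


def repeat_clickers(results, min_campaigns=2):
    """Users who clicked in at least min_campaigns distinct campaigns."""
    campaigns_clicked = defaultdict(set)
    for campaign, user, clicked, _, _ in results:
        if clicked:
            campaigns_clicked[user].add(campaign)
    return sorted(u for u, c in campaigns_clicked.items() if len(c) >= min_campaigns)


def behavior_improving(results):
    """True when, across campaigns in chronological (sorted) order, the click
    rate never rises and the report rate never falls."""
    metrics = campaign_metrics(results)
    order = sorted(metrics)
    clicks = [metrics[c]["click_rate"] for c in order]
    reports = [metrics[c]["report_rate"] for c in order]
    clicks_ok = all(a >= b for a, b in zip(clicks, clicks[1:]))
    reports_ok = all(a <= b for a, b in zip(reports, reports[1:]))
    return clicks_ok and reports_ok


if __name__ == "__main__":
    for name, m in campaign_metrics(RESULTS).items():
        print(f"{name}: click {m['click_rate']:.0%}, submit {m['submit_rate']:.0%}, "
              f"report {m['report_rate']:.0%}, median report time {m['median_minutes_to_report']} min")
    print("repeat clickers:", repeat_clickers(RESULTS))
    print("improving:", behavior_improving(RESULTS))
```

The repeat-clicker list is the actionable output: one user clicking in every campaign is a coaching conversation, not a reason to re-run the whole program, while a report rate that climbs campaign over campaign is the evidence that the training actually changed behavior.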

As long as cyber criminals remain a threat, cybersecurity awareness training remains a necessity.
