To understand why you need cybersecurity awareness training, you must first understand employees’ outsized roles in security breaches.

“People remain — by far — the weakest link in an organization’s cybersecurity defenses,” noted Verizon on the release of their 2022 Data Breach Investigations Report (DBIR). They elaborate that 25% of all breaches covered in the report were the result of social engineering attacks, and when you add human errors and misuse of privilege, the human element accounts for 82% of the breaches.

What does the phrase “human element” mean? It describes the often unintentional and careless mistakes people make. Falling prey to a phishing attack. Losing a device like a company laptop or phone. Mistakenly emailing sensitive information to the wrong person. Circumventing security protocols to make their work life easier.

No matter how these breaches happen, cyber crime is costly. In 2023, it’s anticipated that the global annual cost of cyber crime will top $8 trillion, according to a Cybersecurity Ventures report. Add to this the long-term costs associated with bad publicity and the reputational damage that results. No business is immune. The 2022 DBIR report notes that even very small businesses (10 or fewer employees) are targets. Cybersecurity should be a priority for every business regardless of size, type or industry.

The high cost of a breach makes cybersecurity awareness training seem like a simple decision. On the surface, it is. Like buying insurance, it’s something you know you need, but the details and choices feel overwhelming. Let’s review the basics of security awareness training and how to implement a program that works for your business.

The pros and cons of different training types

Building cybersecurity awareness centers on making employees aware of the role they play in securing information. Building that awareness takes time. Training must be updated and delivered regularly to keep pace with emerging and evolving security threats. This training helps employees understand why cybersecurity matters and teaches them how to identify and respond to potential threats.

There are two main types of training: in-person and remote. In-person instructor-led training is the most expensive. In this format, the instructor can spend extra time on specific topics if they prove difficult for students to grasp, and students can ask the instructor questions in real time. This type of training works best when employees are geographically close to one another.

Instructor-led remote training is another option. These sessions take place in a real-time video conference. They tend to get less engagement, since students can usually only ask questions through a chat window. It may also be harder for the instructor to tell whether students are struggling with a topic, since there are fewer visual or verbal cues from the audience. This training is less costly, involves no travel time, and students can attend from anywhere.

Finally, there is remote training that isn’t instructor-led. This may involve video segments or other online modules that students complete on their own time. It is typically the least expensive option and lets students complete it from anywhere at their own convenience. However, engagement is lower, there are fewer opportunities to ask questions, and students may fast-forward through videos just to mark the task complete, whether or not they learned anything.

Your training program may also be a hybrid of all of the above. If you have in-person onboarding for new employees, consider adding a module for cybersecurity awareness training. Follow-up training sessions could then occur remotely, either with an instructor or as self-directed modules.

Detailing the greatest threats

The content of your cybersecurity awareness training depends on many things. First, let’s consider your sector. Some industries are more susceptible to cyber crime than others. The IBM X-Force Threat Intelligence Index 2023 found the top five most attacked sectors were:

  • Manufacturing
  • Finance and insurance
  • Professional, business and consumer services
  • Energy
  • Retail and wholesale

Criminals go where the money is or to places that have records or proprietary knowledge that can be stolen and sold for large sums. Any business can be a target, but cybersecurity awareness training should have higher priority if you belong to a targeted sector.

How many employees you have and what they do also affects your threat level. If you have thousands of worldwide employees who interact with others via email, travel frequently or use company-issued devices, then your organization has many possible attack surfaces. That’s an alluring proposition for cyber criminals seeking easy targets.

Another consideration may be how often your organization has been attacked in the past and if those attacks were successful. If you’ve noted specific types of attacks (like phishing or other social engineering tactics), then that needs to be addressed in your training.

Prioritizing training — What’s needed most

Knowing your greatest threats and past vulnerabilities offers insight into the training needed most. If employees succumbed in the past to phishing attempts or ransomware demands, that may be where to start. If you know you have records that, if stolen, could deliver a huge payday for criminals, prioritize training for the groups most responsible for protecting those records, such as your internal IT security teams. Compliance regulations such as HIPAA, GDPR or PCI are also an obvious starting point for your training program.

Prioritizing training — Who should learn first

Everyone in your organization needs general cybersecurity awareness training, but some groups will need more specific training. Security teams require specialized training to stay aware of new and growing threats, as well as the best policies and actions to reduce risk. If you have a large C-suite or executive team, they and their support personnel should stay up to date on spear phishing, in which attackers impersonate C-level executives to get other employees to reveal sensitive information or wire funds. If you are subject to compliance regulations, employees who generate, share and refer to regulated data will need regular training on how to follow those regulations, the costs of not complying, and what to do when regulations change.

Maintaining cybersecurity awareness training programs

Getting started is the biggest roadblock, but keeping training relevant and consistent is the next. Here are a few tips for maintaining your cybersecurity awareness training:

  • Add it to new employee onboarding so that everyone has a base level of knowledge.
  • After training, choose key performance metrics to track whether it changed employee behavior in a positive way.
  • Make the training regular. Some businesses offer annual training, while others run monthly mini-courses to keep the topic top of mind.
  • Perform drills or penetration tests to give everyone real-world experience in recognizing and responding to threats.
  • Constantly review, renew and revise training to ensure it’s engaging, relevant and easy to understand.

As long as cyber criminals remain a threat, cybersecurity awareness training remains a necessity.
