June 9, 2023 By Ronda Swaney 4 min read

To understand why you need cybersecurity awareness training, you must first understand employees’ outsized roles in security breaches.

“People remain — by far — the weakest link in an organization’s cybersecurity defenses,” noted Verizon on the release of their 2022 Data Breach Investigations Report (DBIR). They elaborate that 25% of all breaches covered in the report were the result of social engineering attacks, and when you add human errors and misuse of privilege, the human element accounts for 82% of the breaches.

What does the phrase “human element” mean? It describes the often unintentional and careless mistakes people make. Falling prey to a phishing attack. Losing a device like a company laptop or phone. Mistakenly emailing sensitive information to the wrong person. Circumventing security protocols to make their work life easier.

No matter how these breaches happen, cyber crime is costly. In 2023, it’s anticipated that the global annual cost of cyber crime will top $8 trillion, according to a Cybersecurity Ventures report. Add to this the long-term costs associated with bad publicity and the reputational damage that results. No business is immune. The 2022 DBIR report notes that even very small businesses (10 or fewer employees) are targets. Cybersecurity should be a priority for every business regardless of size, type or industry.

The high cost of a breach makes cybersecurity awareness training seem like a simple decision. On the surface, it is. Like buying insurance, it’s something you know you need, but the details and choices feel overwhelming. Let’s review the basics of security awareness training and how to implement a program that works for your business.

The pros and cons of different training types

Building cybersecurity awareness centers on making employees aware of the role they play in securing information. Building that awareness takes time. Training must be updated and delivered regularly to keep pace with emerging and evolving security threats. This training helps employees understand why cybersecurity matters and teaches them how to identify and respond to potential threats.

There are two main types of training, in-person and remote. In-person instructor-led training is the most expensive. In this training, the instructor can spend time on specific topics if they prove challenging for students to grasp. Students can ask the instructor questions in real-time. This type of training works best when employees are close geographically.

Instructor-led remote training is another option. These sessions occur in a real-time video conference. They get less engagement since students can likely only ask questions in a chat program. It may be harder for the instructor to know if students are struggling with a topic since there won’t be visual or oral clues from students. This training is less costly, involves no travel time and students can attend from anywhere.

Finally, there is remote training that isn’t instructor-led. This may involve video segments or other online tools that students complete on their own time. This is typically the least expensive option and allows students to complete it from anywhere at their own convenience. However, there is less engagement, fewer options to ask questions and students may fast-forward through videos so they can mark the task as complete, whether they learned anything or not.

Your training program may also be a hybrid of all of the above. If you have in-person onboarding for new employees, consider adding a module for cybersecurity awareness training. Follow-up training sessions could then occur remotely, either with an instructor or as self-directed modules.

Detailing the greatest threats

The content of your cybersecurity awareness training depends on many things. First, let’s consider your sector. Some industries are more susceptible to cyber crime than others. The IBM X-Force Threat Intelligence Index 2023 found the top five most attacked sectors were:

  • Manufacturing
  • Finance and insurance
  • Professional, business and consumer services
  • Energy
  • Retail and wholesale.

Criminals go where the money is or to places that have records or proprietary knowledge that can be stolen and sold for large sums. Any business can be a target, but cybersecurity awareness training should have higher priority if you belong to a targeted sector.

How many employees you have and what they do also affects your threat level. If you have thousands of worldwide employees who interact with others via email, travel frequently or use company-issued devices, then your organization has many possible attack surfaces. That’s an alluring proposition for cyber criminals seeking easy targets.

Another consideration may be how often your organization has been attacked in the past and if those attacks were successful. If you’ve noted specific types of attacks (like phishing or other social engineering tactics), then that needs to be addressed in your training.

Prioritizing training — What’s needed most

Knowing your greatest threats and past vulnerabilities offers insight into the training needed most. If employees succumbed in the past to phishing attempts or ransomware demands, that may be where to start. If you know you have records that, if stolen, could deliver a huge payday for criminals, prioritize training for the groups most responsible for protecting those records, such as your internal IT security teams. Compliance regulations such as HIPAA, GDPR or PCI are also an obvious starting point for your training program.

Prioritizing training — Who should learn first

Everyone in your organization needs general cybersecurity awareness training, but some groups will need more specific training. Security teams require specialized training to be aware of new and growing threats, as well as the best policies and actions to reduce risks. If you have a large C-suite or executive team, they and their support personnel should stay up to date on spear phishing when attackers impersonate C-level executives to get other employees to reveal sensitive information or wire transfer funds. If you are subject to compliance regulations, employees who generate, share and refer to data will need regular training on how to follow regulations, the costs of not complying and when or if regulations change.

Maintaining cybersecurity awareness training programs

Getting started is the biggest roadblock, but keeping training relevant and constant is the next. Here are a few tips for maintaining your cybersecurity awareness training:

  • Add it to new employee onboarding so that everyone has a base level of knowledge
  • After training, choose key performance metrics to track that it changed employee behavior in a positive way
  • Make the training regular. Some businesses offer annual training, while others do monthly mini-courses to keep the topic top of mind.
  • Perform drills or penetration tests to give everyone real-world experience in recognizing and responding to threats
  • Constantly review, renew and revise training to ensure it’s engaging, relevant and easy to understand.

As long as cyber criminals remain a threat, cybersecurity awareness training remains a necessity.

More from Risk Management

Operationalize cyber risk quantification for smart security

4 min read - Organizations constantly face new tactics from cyber criminals who aim to compromise their most valuable assets. Yet despite evolving techniques, many security leaders still rely on subjective terms, such as low, medium and high, to communicate and manage cyber risk. These vague terms do not convey the necessary detail or insight to produce actionable outcomes that accurately identify, measure, manage and communicate cyber risks. As a result, executives and board members remain uninformed and ill-prepared to manage organizational risk effectively.…

The evolution of ransomware: Lessons for the future

5 min read - Ransomware has been part of the cyber crime ecosystem since the late 1980s and remains a major threat in the cyber landscape today. Evolving ransomware attacks are becoming increasingly more sophisticated as threat actors leverage vulnerabilities, social engineering and insider threats. While the future of ransomware is full of unknown threats, we can look to the past and recent trends to predict the future. 2005 to 2020: A rapidly changing landscape While the first ransomware incident was observed in 1989,…

Defense in depth: Layering your security coverage

2 min read - The more valuable a possession, the more steps you take to protect it. A home, for example, is protected by the lock systems on doors and windows, but the valuable or sensitive items that a criminal might steal are stored with even more security — in a locked filing cabinet or a safe. This provides layers of protection for the things you really don’t want a thief to get their hands on. You tailor each item’s protection accordingly, depending on…

The evolution of 20 years of cybersecurity awareness

3 min read - Since 2004, the White House and Congress have designated October National Cybersecurity Awareness Month. This year marks the 20th anniversary of this effort to raise awareness about the importance of cybersecurity and online safety. How have cybersecurity and malware evolved over the last two decades? What types of threat management tools surfaced and when? The Cybersecurity Awareness Month themes over the years give us a clue. 2004 - 2009: Inaugural year and beyond This early period emphasized general cybersecurity hygiene,…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today