Why security awareness training is so important
Learn how to identify and prevent cyber threats to defend your business.
We know we know, we’ve gone on about how security awareness is dead. We even dedicated a whole webinar to the topic (you can watch it on demand). But we’re not swallowing our words. We’re just adding more context!
So, let’s take it from the top, shall we?
What is security awareness training?
A definition to kick things off, then.
Security awareness training is the process of educating people to understand, identify, and avoid cyber threats. The ultimate goal is to prevent or mitigate harm—to both the organization and its stakeholders—and reduce human cyber risk.
Security awareness statistics
What can some recent figures reveal about the security awareness landscape? Well, strap in.
The average cost of a data breach in 2022 was just under $4.35 million. That’s an all-time high.
Only 1 in 9 businesses (11%) provided a cybersecurity awareness program to non-cyber employees in 2020.
1 in 3 data breaches involves phishing.
20% of organizations faced a security breach as a result of a remote worker.
Gulp! Pretty shocking, right? But should it be?
Most people just don’t have the knowledge, tools, and support they need to protect themselves and their organizations. And the average person’s cybersecurity knowledge is, well, patchy. And it’s not their fault!
7 ways security awareness can make or break your year
So, why is security awareness training so important? And how can you make your security program more effective?
Glad you asked, because we just so happen to have some handy tips on that.
1. By preventing data breaches and phishing attacks
Okay, this one’s simple. But we make no apologies for that. Good information security awareness training can help prevent breaches.
The hard bit? Knowing how many breaches a security awareness training program could prevent.
That’s because any sane organization is understandably reluctant to equip only half their people with training and leave the other half untrained, just to compare the results.
But in an ideal cybersecurity world, that’s what we’d do. A controlled trial comparing those who received training and those who didn’t.
So, how can we demonstrate the return on investment (ROI) of security awareness training?
By comparing a before and after. That is, looking at the number of incidents before and after cybersecurity awareness activities. The resulting metrics can be used to get a sense of ROI.
But we don’t need metrics to know that data breaches can cost millions. Meanwhile, cybersecurity awareness training is relatively inexpensive. So, really, it doesn’t take much to get serious returns.
2. By creating a culture of security
A people-centric security culture—it’s the holy grail for cybersecurity professionals.
But . . . it’s notoriously hard to achieve, as you’ve probably figured.
It means building security values into the fabric of your organization. Something any human risk platform worth its salt should help you with.
3. By bolstering technological cyber defences against cyber threats
Technological defences can be a valuable weapon in preventing breaches. But they still require input from people.
Firewalls need to be turned on. Security warnings need to be heeded. Software needs to be updated.
Few organizations today would dream of operating without technological defences.
And yet, without security awareness training and cybersecurity education, technological defences can’t fulfil their potential.
Security awareness training helps people make the most of technological defences, keeping attackers out.
4. By reassuring your customers
Consumers are increasingly aware of cyber threats. Your customers want to feel safe and secure. The same goes for any partners your organization has.
We all know that a trusted organization breeds loyalty. So, what measures will generate consumer trust?
Recent research tells us 70% of consumers think businesses are slacking on cybersecurity. And nearly 2 out of 3 consumers would stay away from an organization that had experienced a cyber-attack in the past year.
Consumers were asked what types of security incidents would put them off an organization. The list included compromised endpoint security, phishing attacks, social engineering, and data breach as possible red flags.
When you provide security awareness training to your employees, your customers may see you as more responsible—which you are, really. And this can only benefit your business.
5. By meeting compliance requirements
Achieving compliance doesn’t mean your organization is secure. Read that again.
If you launch a training program solely to comply with regulations, you’re doing the bare minimum. And that’s not good enough.
Compliance should be a by-product of good security awareness training. When you provide the right training content, you’ll wind up smashing those regulatory requirements, almost by accident.
6. By upping your organization’s social responsibility credentials
Is lax security training an antisocial faux pas? We think so.
Cyberattacks can spread quickly. WannaCry and NotPetya made this painfully clear back in 2017.
As an infection spreads to more networks, other networks become increasingly at risk. As one new network succumbs, the risk rises for as-yet-unaffected networks.
Which means one organization’s lack of security awareness training can make other organizations vulnerable.
It’s a little like leaving your house door unlocked—with your neighbour’s keys inside.
Security awareness training doesn’t just benefit you. It benefits your customers, your suppliers, your people’s friends and families, and everyone else in your network.
So, we’d argue that failing to train your people is pretty inconsiderate. And that investing in security awareness training is a socially conscious act.
7. By improving employee wellbeing
Happy people are productive people. Countless studies tell us that. And you’ve no doubt noticed it in the wild, too.
Yes, your job may be focused on managing the risk in your organization. But cybersecurity threats aren’t confined to the workplace.
So, keep in mind that security awareness training doesn’t just keep people safe at work. It should keep them safe from cybersecurity threats, phishing threats, and social engineering in their personal life, too.
Effective cybersecurity awareness training delivers threat prevention tools to people, not simply an organization. That means it isn’t just an employer benefit. It’s also an employee benefit.
What topics should security awareness training cover?
So, as you know, a staggering portion of cybersecurity incidents are linked to people.
And one of the ways to help people improve their security behaviours is training.
But not all programs are created equal. You need data-driven training that can help you bring about real and lasting behaviour change in your organization.
But we’re getting ahead of ourselves. Let’s take a look at the main types of security awareness training, and the pros and cons of each.
Generally speaking, security awareness training is delivered in one of four ways:
1. Classroom-based training program
In case there’s even a smidgen of doubt, this is the sort of awareness training where people step away from the day job while an instructor leads them through various security topics.
The main benefit is that people can get immediate feedback. Plus, they can chat with the trainer, which means they can pick an expert’s brains. So, they could discover more useful information than in, say, a video seminar.
However, some argue that a classroom approach conflicts with something called Adult Learning Theory, which suggests that classroom learning suits children far more than it does adults.
What’s more, classroom-based training can be pricey, and it takes people away from their main roles for a large chunk of the day. Both these hurdles mean the sessions are often long and infrequent. Neither of which bodes well for information retention.
2. Visual aids
Visual aids aim to influence cybersecurity behaviour through (gasp) visuals. We’re talking anything from posters to handouts to videos, all of which can cover a range of topics, from password security to phishing scams.
Visual aids are easy to process. Unlike written messages, visuals are simple to understand. That means they communicate complex information quickly, without overwhelming people.
What’s more, they’re pretty cheap to get in place, especially compared to classroom-based training. You’re potentially just looking at covering the costs of a graphic designer (if you need one), printer ink, and some paper. And, in return, people are reminded to stick with good cybersecurity practices.
However, they do have some downsides. Visual aids can be easily ignored if they’re not engaging or interactive. Plus, over time, we stop “seeing” things that we’re used to. And unlike classroom-based training, there is no feedback loop between the sender and receiver.
Last but not least, we know that follow-up testing can boost recall rates. So, visual aids may result in a lower rate of the important advice sticking in people’s minds.
3. Through phishing simulations
The popular way to test people’s response to cyber threats—attacking them! Okay, it’s just a simulation. You can send a phishing email, SMS, and even a “misplaced” USB stick.
Evidence tells us that simulated attacks are a super-powerful way of cementing messages in people’s minds, thus changing long-term behaviour.
Sounds like a no-brainer, right? Wrong.
Some argue that simulated attacks are unproductive—even immoral. You’re choosing to put people through the wringer, which can raise a few eyebrows. Plus, it’s an emotionally charged experience, and that can impact people’s mental wellbeing.
We’re behavioural science nuts. So, we know that phishing sims can do more harm than good—if they’re done wrong. But that’s not a good reason to dispense with them. It is, however, a reason to make sure you get them right.
4. Computer-based training
Online training can take many forms, from text to audio, video and quizzes. It’s also dynamic—when a new threat emerges, you can add a new module.
Some providers offer compliance-based training that’s no more than a tick-box exercise. Training should influence long-term security behaviours and reduce the risk of a breach.
It’s also important to look for training offered by security specialists, not training specialists. That’s not to say all security specialists are created equal; they’ll still need to demonstrate how their offering can go about influencing security behaviours, and how it can nurture a culture of security.
What’s the best security awareness training style?
So, the right training program fosters awareness. And it makes it easy for people to turn that awareness into action.
In the past, CISOs may have chosen only one training method for their organization. Today, it’s widely accepted that it takes a combination of techniques to cater to different learning styles, roles, and risks to effectively tackle the human aspect of cybersecurity.
What topics should be covered in security awareness training?
Well, it depends on who you are and what you do. But here are 10 you’ll want to make sure you don’t miss:
Couldn’t be me - People don’t believe they’ll be a victim of cybercrime. That’s just the optimism bias at work, and by covering it, you’ll boost the effectiveness of your campaign. Why? Because if people think it’ll never happen to them, why would they listen in the first place?
Identity theft - Preventing identity theft is key to good cybersecurity training. Your program needs to help people spot the warning signs and clean up their passwords.
Passphrases and multi-factor authentication - Encourage people to embrace passphrases and use 2FA for added security.
Public Wi-Fi - This is where people can learn all about the risks of unsecured public Wi-Fi, and how to use a VPN for protection.
Social engineering - From phishing to SMShing, people need to feel confident about how to identify and avoid scams. A simulated phishing attack can (when done well) transform how people respond to threats.
Browsing securely - Support people in how to browse securely, and how to avoid tracking or form auto-filling. Break it down with step-by-step guides on browser configuration.
Device security - Help people to make their devices into Fort Knox. Teach them how to configure antivirus software, firewalls, and set up auto-updates.
Malware - Give people time to learn about different types of malware and how to identify the signs of infection.
Breach recovery - Advocate for regular back-ups, and lay out how to recover from a data breach and minimize damage.
GDPR and data privacy - It’s not uncommon for people’s roles to involve being a “data handler” under the General Data Protection Regulation. That means they have specific responsibilities—but what are they, and what do they need to do to keep data security tight? Your training should cover it all.
Want more? We explore these topics in more detail in this write-up on cybersecurity awareness training topics.
Modern security awareness training vs traditional training
The landscape is evolving—fast. A solution that meets today’s challenges is worlds apart from traditional solutions.
We’ve said it above, and we’ll say it again. Traditional training just doesn’t cut it. In fact, it’s holding you back. And frankly, we all need to mourn and move on.
With the rise of sophisticated cyber-attacks, security awareness is long overdue an overhaul. And with criminals’ mind games playing off human behaviour and our relationship with risk, organizations need to rethink their approach—and the sooner, the better.
The differences? Immense. Let’s take a look.
Traditional security awareness training is more likely to be an annual or six-monthly thing with a focus on technical concepts.
By comparison, modern security awareness training uses a blend of fresh training methods to engage people daily, prevent complacency, and make security a part of their daily routine.
Back in the day, awareness training was probably one-way, and probably as dry as last week’s office donuts. Modern security awareness training, however, is engaging, interactive, and, dare we say, fun!
Now, this one’s super important when you’re looking at providers.
Traditional awareness training eats lunch at the table where annual first-aid refreshers and basic health-and-safety courses sit. Which is to say it’s normally about ticking boxes to achieve compliance.
But the truth is: Paying lip service to basic compliance gets you nowhere. Modern security awareness and training platforms can reduce the risk of a breach and protect your organization from the consequences of lost data, reputational damage, and financial loss by influencing people’s long-term security behaviours. Traditional training could NEVER.
What cybersecurity certifications are worth pursuing?
There are many certifications that demonstrate a commitment to security. Here are some of the most common certifications:
Cyber Essentials certificate: This is a UK government-backed scheme to help organizations protect themselves against common cyber threats. The certification shows that an organization has implemented specific security controls and measures to lower security risk.
ISO 27001: This is an internationally recognized standard for information security management. It demonstrates an organization’s commitment to a comprehensive and systematic approach to managing sensitive information.
SOC 2: This is a set of auditing standards developed by the American Institute of CPAs (AICPA) that evaluates the security, availability, processing integrity, confidentiality, and privacy of a service organization. It’s a popular certification for SaaS and cloud-based organizations.
PCI DSS: This is a set of security standards developed by major credit card companies to protect against credit card fraud. It’s important for any organization that processes payments or handles credit card data.
HIPAA: This is a set of regulations that protects the privacy and security of individuals’ health information in the United States. It’s essential for organizations that work with healthcare organizations or handle patient data.
NIST Cybersecurity Framework: This is a set of guidelines developed by the National Institute of Standards and Technology (NIST) that outlines best practices for managing security risk. It’s not a certification, but it’s widely recognized and followed by many organizations.
What is the best protection from cyber threats?
We’ve talked about what security awareness training is, ways of delivering it, and what it should cover. We’ve touched on why we think binning traditional security awareness training is long overdue, and why we believe you need a modern, holistic security awareness strategy instead. But what features of a good security culture should organizations be trying to cultivate? Here are some main players.
People use strong and unique passphrases: A passphrase ruleset can help users create strong and memorable passwords that are less vulnerable to brute-force attacks.
People opt for multi-factor authentication: MFA adds an extra layer of security by requiring users to provide additional credentials beyond just a password.
The security team deploys phishing attack simulations: Regular phishing simulations can help raise awareness of common scams and teach users how to spot and avoid them.
People know how, and why, to limit online exposure: Be mindful of the information you share online and consider limiting your digital footprint.
People keep their software up-to-date: Regularly updating software can patch security vulnerabilities and reduce the risk of cyber-attacks.
People use virtual private networks: VPNs encrypt internet traffic, making it more difficult for hackers to intercept.
The security team has the means to foster long-term security behaviours: Encouraging good security habits is crucial for maintaining a secure environment.
People have adopted good password habits: They may have been attached to their old password habits, but they know why it’s crucial to break them.
The organization’s strategy uses behavioural science: By understanding the psychology behind security behaviours, organizations can design more effective security measures.
Back-ups happen all the time: Backing up data is essential for recovering from cyber-attacks and data loss.
Remote work environment risks are managed: With remote work becoming more prevalent, it’s important to ensure that security measures are in place.
Overall, reducing the risk of cyber-attacks requires a combination of technical measures, security awareness training, and behavioural change.
By putting these strategies in place, organizations and individuals can better protect themselves from the ever-evolving threat of cyber-attacks.
The takeaway? People have the power
So, you skipped to the end for the key message, did you? Hey, no judgment here.
Very simply:
People are an essential part of the cybersecurity question.
People need support to boost their security skills and knowledge.
Traditional security and awareness training doesn’t influence the way people act in the long term, so it doesn’t impact risk.
People’s role in protecting against cyber threats is absolutely vital. They deserve security awareness training that engages them, motivates them, and makes a difference to them.
Your security team deserves solutions that raise security awareness, yes, but also influence security behaviours, measure risk, and foster a positive security culture in your organization.
And there we go.
Now you’re ready for the bombshell... that security awareness is dead.
Partnership content from CybSafe.