Four tips for implementing effective cyber security awareness training

Drawing of a cloud with a padlock in the middle on a green background

Security threats are constantly evolving and multiplying to target valuable resources. A small business is successfully hacked every 19 seconds in the UK and a recent report estimates that the average cost of a data breach in 2020 is $3.86 billion, or about £2.96 billion.

Securing your business is difficult enough in normal circumstances, but with about half of employed adults currently working from home and accessing company resources through personal devices and networks, the risks are only increasing.

As a CISO or someone responsible for cyber security spending, you may be tempted to seek out the latest security technologies tailored to each new type of attack. However, this avenue is costly and runs the risk of over-complicating and slowing down your processes. It’s also not the most effective approach.

It’s often reported that employees are the biggest security risk for most businesses. When employees aren’t aware of security hygiene best practices, they’re likely to do things like create weak passwords, reuse or share those passwords, or click on phishing emails. According to Verizon’s Data Breach Investigation Report, phishing and stolen credentials are the top two methods behind a data breach.

However, it's possible that, given the right awareness training, your employees can in fact become one of your strongest lines of defence. Here are four tips for implementing security awareness and training programmes that can get you real results.

1. Train your teams for their specific security risks

Take into account the specific risks your business faces. Phishing is the most common attack and will probably apply to every department of every business, but how exposed specific employees will be will depend on the nature of their role.

One popular technique is to conduct internal phishing tests – not to catch your employees out, but to see which departments are clicking on them and what types of messages are getting through.

Beyond phishing, programmes need to be tailored to the other specific threats of each business and department. A marketing assistant and a financial analyst won’t need to be aware of the same threats as an IT consultant. By defining what threats your specific departments are facing, you can eliminate the risk of overloading or boring your staff with training that isn’t relevant to them.

2. Use simulations to make awareness training engaging

Not only are in-person workshop-style programmes unviable in the current climate, but they are often dry and don’t encourage employees to remember or engage with the content. There are other methods you can use, such as LinkedIn-Learning style videos with quiz questions, but what you really need is an engaging programme that sticks in your employees’ minds and gets them excited about security.


Employees behaving badly?

Why awareness training matters


Trial and error has proved that simulation is the best way to teach security awareness. Have your employees undergo simulated attacks tailored to their job and the newest types of threats. For example, some companies run simulations that test the flexibility of their HR teams, seeing if they’re able to cope with a flurry of internal and external complaints about loss of data and downtime. However, these simulations will notably differ from those run with IT teams, which would normally test their ability to get systems back online after an outage

Whether they successfully prevent the attack or not, have them share their experiences afterwards. This will highlight gaps in the company and help inform awareness programmes going forward.

IBM recently toured the UK in order to provide businesses with a better idea of what's effective and introduce them to the latest cyber security simulations.

3. Create cohesive communication and planning

Once you’ve developed an engaging new programme, you need to ensure that it’s deployed in every department and updated often. Create a formal plan with your IT team for updating the training, as well as a plan for communicating new information to the entire business. The best programme in the world won’t have the desired effect if it isn’t applied everywhere and addressing the latest threats.

4. Involve your staff in their own security training

Don’t make security only something that you teach your employees. Let them also teach each other.

Appoint someone in each department to be the cyber security culture advocate. These experts know their team better than anyone, and can keep them motivated in the business’ security efforts and help to reinforce any training they receive.

Reward the employees that fend off attacks, encourage people to share success stories, and work with those that fall prey to attacks, rather than shaming them.

With these four tips, you can shift the focus of your entire security effort from security technologies to people. Security becomes personal, with your employees’ increasing investment in cyber security only increasing their investment in the company itself.

Now, just make sure to instil security values and training in the onboarding processes of future employees, and you’re well on your way to a solid security culture with people empowered to help protect your company’s valuable assets.