June 9, 2023 By Ronda Swaney 4 min read

To understand why you need cybersecurity awareness training, you must first understand employees’ outsized roles in security breaches.

“People remain — by far — the weakest link in an organization’s cybersecurity defenses,” noted Verizon on the release of their 2022 Data Breach Investigations Report (DBIR). They elaborate that 25% of all breaches covered in the report were the result of social engineering attacks, and when you add human errors and misuse of privilege, the human element accounts for 82% of the breaches.

What does the phrase “human element” mean? It describes the often unintentional and careless mistakes people make. Falling prey to a phishing attack. Losing a device like a company laptop or phone. Mistakenly emailing sensitive information to the wrong person. Circumventing security protocols to make their work life easier.

No matter how these breaches happen, cyber crime is costly. In 2023, it’s anticipated that the global annual cost of cyber crime will top $8 trillion, according to a Cybersecurity Ventures report. Add to this the long-term costs associated with bad publicity and the reputational damage that results. No business is immune. The 2022 DBIR report notes that even very small businesses (10 or fewer employees) are targets. Cybersecurity should be a priority for every business regardless of size, type or industry.

The high cost of a breach makes cybersecurity awareness training seem like a simple decision. On the surface, it is. Like buying insurance, it’s something you know you need, but the details and choices feel overwhelming. Let’s review the basics of security awareness training and how to implement a program that works for your business.

The pros and cons of different training types

Building cybersecurity awareness centers on making employees aware of the role they play in securing information. Building that awareness takes time. Training must be updated and delivered regularly to keep pace with emerging and evolving security threats. This training helps employees understand why cybersecurity matters and teaches them how to identify and respond to potential threats.

There are two main types of training: in-person and remote. In-person instructor-led training is the most expensive. In this format, the instructor can spend extra time on specific topics if they prove challenging for students to grasp, and students can ask the instructor questions in real time. This type of training works best when employees are geographically close to one another.

Instructor-led remote training is another option. These sessions occur in a real-time video conference. They get less engagement, since students can likely only ask questions through a chat program. It may also be harder for the instructor to know whether students are struggling with a topic, since there won’t be visual or verbal cues from students. This training is less costly, involves no travel time, and students can attend from anywhere.

Finally, there is remote training that isn’t instructor-led. This may involve video segments or other online tools that students complete on their own time. This is typically the least expensive option and allows students to complete it from anywhere at their own convenience. However, there is less engagement, fewer options to ask questions and students may fast-forward through videos so they can mark the task as complete, whether they learned anything or not.

Your training program may also be a hybrid of all of the above. If you have in-person onboarding for new employees, consider adding a module for cybersecurity awareness training. Follow-up training sessions could then occur remotely, either with an instructor or as self-directed modules.

Detailing the greatest threats

The content of your cybersecurity awareness training depends on many things. First, let’s consider your sector. Some industries are more susceptible to cyber crime than others. The IBM X-Force Threat Intelligence Index 2023 found the top five most attacked sectors were:

  • Manufacturing
  • Finance and insurance
  • Professional, business and consumer services
  • Energy
  • Retail and wholesale

Criminals go where the money is or to places that have records or proprietary knowledge that can be stolen and sold for large sums. Any business can be a target, but cybersecurity awareness training should have higher priority if you belong to a targeted sector.

How many employees you have and what they do also affects your threat level. If you have thousands of worldwide employees who interact with others via email, travel frequently or use company-issued devices, then your organization has many possible attack surfaces. That’s an alluring proposition for cyber criminals seeking easy targets.

Another consideration may be how often your organization has been attacked in the past and if those attacks were successful. If you’ve noted specific types of attacks (like phishing or other social engineering tactics), then that needs to be addressed in your training.

Prioritizing training — What’s needed most

Knowing your greatest threats and past vulnerabilities offers insight into the training needed most. If employees succumbed in the past to phishing attempts or ransomware demands, that may be where to start. If you know you have records that, if stolen, could deliver a huge payday for criminals, prioritize training for the groups most responsible for protecting those records, such as your internal IT security teams. Compliance regulations such as HIPAA, GDPR or PCI are also an obvious starting point for your training program.

Prioritizing training — Who should learn first

Everyone in your organization needs general cybersecurity awareness training, but some groups will need more specific training. Security teams require specialized training to stay aware of new and growing threats, as well as the best policies and actions to reduce risk. If you have a large C-suite or executive team, they and their support personnel should stay up to date on spear phishing, in which attackers impersonate C-level executives to get other employees to reveal sensitive information or wire funds. If you are subject to compliance regulations, employees who generate, share and refer to regulated data will need regular training on how to follow those regulations, the costs of not complying, and what to do when or if the regulations change.

Maintaining cybersecurity awareness training programs

Getting started is the biggest roadblock, but keeping training relevant and constant is the next. Here are a few tips for maintaining your cybersecurity awareness training:

  • Add it to new employee onboarding so that everyone has a base level of knowledge
  • After training, choose key performance metrics to track that it changed employee behavior in a positive way
  • Make the training regular. Some businesses offer annual training, while others do monthly mini-courses to keep the topic top of mind.
  • Perform drills or penetration tests to give everyone real-world experience in recognizing and responding to threats
  • Constantly review, renew and revise training to ensure it’s engaging, relevant and easy to understand.

As long as cyber criminals remain a threat, cybersecurity awareness training remains a necessity.
