We’ve all been there — compelled by HR to sit through yet another classroom lecture filled with dire warnings about malware. The truth is that most cybersecurity awareness training programs miss the mark, leaving staff undereducated and organizations vulnerable to attack.
We know employees can be stubbornly oblivious to cyber risk, but the 45-minute videos and tick-box questionnaires that dominate security education sessions seem designed to disengage.
Even the best malware removal tools won’t save you from insider threats. So, how can organizations build a program that embeds cyber awareness in day-to-day company culture?
Here’s how to succeed where so many fail.
Key Takeaways
- Employees are one of the biggest sources of cyber vulnerability.
- Training staff to be risk-aware is essential to any effective defense strategy, but it’s easier said than done.
- Security fatigue, distraction, inconvenience, and a sense of invulnerability stop people from thinking too hard about risky behaviors.
- Hackers, meanwhile, are using AI to step up their attacks.
- The answer is to re-think and recalibrate how cyber awareness training is delivered. We asked the experts about the barriers to success and how to overcome them.
‘Everyone Who Likes Cyber Training, Raise Your Hand’
With phishing attacks still rising every year, programs meant to mobilize staff and turn them into the organization’s cyber eyes and ears are becoming more popular.
Employees tend to work at the network edge, where security is most brittle. It just makes sense to keep them informed about an ever-changing threat landscape and how to identify attempted breaches when they occur.
Yet many programs fail from the outset as ineffective learning methods and outdated content ensure that users tune out. Despite the time and effort put in by everyone involved, the organization isn’t any safer.
The approach, structure, and content of cyber awareness training programs must be designed to cut through the noise and distractions of office life. Recognizing this reality and changing course is something every security professional needs to consider. We all have full-time jobs to attend to. If training fails to hold our attention, it’s a significant threat to enterprise security.
Shape of the Insider Threat in 2024
People can be the biggest source of vulnerability. The insider threat, as it is often called, is the inevitable risk that arises when hundreds to thousands of front-line staff, managers, supervisors, partners, and contractors have access to network resources.
Cybercriminals use sophisticated tactics to trick them into clicking unsafe links or downloading infected files and attachments. It works like a charm.
The Ponemon Institute’s widely regarded Cost of Insider Risk Global Report shows that the number of organizations hit by insider threat incidents grows every year, while the cost of remediation keeps going up.
In 2022, the average cost of an insider-related attack was $15.4 million. In 2023, the number rose to $16.2 million.
AI Amplifies the Threat
David Emm, Principal Security Researcher with Kaspersky’s Global Research and Analysis Team, told Techopedia that some of the blame can be laid at AI’s door.
Cybercriminals have started using machine learning “to mimic trusted behaviors and automate attacks, making it harder to detect malicious activities.”
Robert O’Brien, Chief Evangelist at MetaCompliance, agrees. He told Techopedia that hackers were “essentially given a magic lamp when ChatGPT appeared on the scene.”
Criminals have adopted AI in their scams far faster and more nimbly than either government or industry expected. O’Brien says:
“From an insider threat point of view, AI tools expand the threat landscape for most organizations – especially if their adoption of AI tools is not tightly coordinated.”
Tyler Farrar, CISO at Exabeam, says AI “can produce very convincing and persuasive messages, making it extremely difficult for users to discern whether or not they are fraudulent, thereby improving success rates.”
The Human Factor
Kaspersky’s Emm maintains, however, that deliberate insider threats, where trusted employees intentionally cause harm, remain the greatest challenge. Emm points out:
“This is harder for businesses to control due to the breach of trust between the company and the employee. Establishing access control measures, limiting the scope of actions to those who need it, can help mitigate these risks. Employee apathy and lack of awareness further exacerbate these issues, necessitating a proactive and adaptive approach to security.”
Worrying, but the problem isn’t new.
Acute awareness of the insider threat has existed since at least 2014 when a Harvard study estimated that US companies experienced 80 million cyberattacks involving employees or contractors every year — a figure now assumed to be on the low end given that so many breaches were going unreported.
What to Do?
Using AI to mount attacks at scale is a new twist, but more established hacking techniques are still the most effective way to fool employees.
“Cyber attackers continue to leverage social engineering as their primary way to hack the human,” says Lance Spitzner, Technical Director at SANS Security Awareness.
He told Techopedia that traditional email phishing is still popular, as are phone call (vishing) and text message (smishing) attacks.
“While the overall strategy is the same, cyber attackers have become far more advanced. The spelling mistakes are gone. Instead, cyber attackers are customizing attacks for their intended victims, using their company logos, references to recent events, and stronger emotional triggers.”
Some are even combining different elements like email and phone calls, text messages and QR codes.
The old hacks are working, new approaches are being developed, and companies are taking action. A 2023 study by Code42 found that 72% of organizations were dedicating time and budget to cyber awareness training programs, yet 71% still believed insider-related breaches would grow over the next 12 months.
This year, Proofpoint says 54% of CISOs expect to prioritize improved employee cyber awareness in the next two years. Will it all prove fruitless?
A spokesperson for the company told Techopedia that while training is vital to raising awareness, “it’s only a start. Changing the ongoing security behaviors and culture is the key to lowering risk.”
But how do you get cyber-awareness into people’s heads – and keep it there?
The Problem With Cyber Security Awareness Training
The answer for many organizations is to gather people into boardrooms, show them scary PowerPoints, and leave them with a checklist to keep by their workstations. Given the sophisticated, evolving, and persistent nature of modern attacks – and the intangibles of human nature – traditional corporate training formats just won’t do.
Devin Ertel, CISO at Menlo Security, says:
“Threat actors have found new ways to exploit employee apathy, curiosity, and lack of security awareness to bypass even the most sophisticated technical defenses.”
He told Techopedia that “Humans remain the weakest link,” noting that “over 75% of phishing links are hosted on trusted websites, making them harder to identify as malicious.”
Chris Denbigh-White, Chief Security Officer at Next DLP, told Techopedia that any cyber awareness training program has multiple barriers to overcome. They include:
- Competing work priorities
- The fact that cyber threats are abstract rather than physical
- The inconvenience of security procedures
- ‘Security fatigue’ from a constant stream of security warnings and updates
Technical Babble Can Limit Understanding
Cybersecurity training often relies on jargon, alienating non-technical employees and making the training seem irrelevant or overwhelming, which hinders comprehension. There’s also the issue of “invulnerability bias, where people underestimate their value as targets or feel protected behind company firewalls – an ‘it won’t happen to me’ mentality.”
Part of the problem lies with the security team itself. Security teams usually lead training efforts, yet the people running these programs tend to be highly technical. Companies should therefore consider how to make security training simple for people, in terms they understand.
Lance Spitzner of SANS Security Awareness says most security awareness programs fail because “they don’t align with how people think or operate.” Security teams may also be ill-equipped for a training role.
“Security teams have lots of experience working with computers, but very little experience of how to engage, motivate and train people or make security simple. What they need is a new set of training skills that work with human nature, not against it.”
Expert Tips on How to Embed Cyber Awareness
Experts say a successful cyber awareness training program requires resources, time, and a sophisticated approach. These are the key success factors to consider:
1. Get the Messaging Right
“Security awareness is similar to any other organizational marketing campaign,” says MetaCompliance’s Robert O’Brien. “The key is that people see consistent and relevant messaging, not just in the form of training but everywhere they look.”
2. Engage & Reinforce
Next DLP’s Chris Denbigh-White suggests CSOs develop training that is “interactive and relatable, emphasizing the why behind security practices, not just the how. Adding recognition and reward programs will incentivize employees to adopt stronger cybersecurity practices.”
3. Organize Security Teams for Training
“The most effective awareness programs have people on the security team dedicated to helping secure employees,” says SANS’ Lance Spitzner. “These people will have the skills needed for effective communications, training and ultimately behavior change. A mature awareness program is a continuous effort throughout the year that actively motivates, engages and trains the workforce.”
4. Personalize With Micro-Training
Mika Aalto, Co-Founder and CEO of Hoxhunt, told Techopedia that attackers are targeting people’s behavior, so awareness training should also take a behavioral approach. “You can personalize with micro trainings that are relevant to the user’s background and skill level,” Aalto says.
“Trainers should also strive to make it fun,” he adds. “Phishing training lends itself beautifully to gamification. You can embed threat reporting into the fabric of the organization by recognizing and rewarding people with prizes for catching a real attack.”
5. Forget One-off Sessions
Tyler Farrar, CISO at Exabeam, told Techopedia that a successful cybersecurity awareness training program in 2024 needs to be “immersive, adaptive, and continuous, integrating regular phishing simulations, personalized training modules, and interactive content like gamified exercises and VR/AR experiences. These elements ensure that employees are engaged and can relate to real-world scenarios, enhancing their ability to recognize and respond to threats.”
6. Involve Executives
Stephen Kowski, Field CTO at SlashNext Email Security, told Techopedia that leadership buy-in is needed “to cultivate a security-aware culture, deliver engaging, role-based modules using diverse formats, and emphasize high-risk behaviors like phishing.”
Kaspersky’s David Emm agrees, saying, “there must be real buy-in from the board to avoid the risk of staff and middle management prioritizing productivity over security.”
Robert O’Brien of MetaCompliance adds that “active participation by senior executives is important to constantly give voice to the importance of security awareness.”
7. Create the Right Content
A spokesperson for Proofpoint told Techopedia that “making sure training content is engaging, relevant and digestible is vital for keeping employees interested. Provide a variety of consumable materials that reinforce the importance of cybersecurity and guide employees toward the right behavior.
“Users are not security experts and have little interest in becoming one, so consider presenting the cybersecurity process as a story or journey, giving real-life examples to support knowledge and build understanding of the potential consequences.”
Successful Cyber Awareness Training: Simple 7-Step Template
Krishna Vishnubhotla, Vice President of Product Strategy at Zimperium, shared his 7-point plan for building a successful, “simple, practical, and ongoing” training program:
1. Make It Hands-On
Use interactive sessions with real-life scenarios to keep employees engaged and make learning practical.
2. Update Frequently
Regularly update employees on new threats and security practices to keep them informed.
3. Emphasize Mobile
Highlight the importance of mobile security. Teach employees about the risks of using unvetted apps and emphasize the need for continuous monitoring, protection, and threat modeling for mobile devices.
4. Make Content Role-Specific
Customize training for different roles within the company to address specific risks each role might face.
5. Make Regular Assessments
Continuously evaluate the effectiveness of the training and provide feedback to employees to improve their practices.
6. Integrate Into Daily Routines
Make cybersecurity a part of the daily routine by embedding practices into the company culture.
7. Involve Leaders
Ensure the board and executives participate in and support the training program to show its importance and encourage a security-first mindset.
The Bottom Line
Vishnubhotla worries that insider threats will only become more complex this year due to increased remote work and the widespread use of personal devices for business tasks. He says:
“Enterprises must empower their employees to be the first line of defense by promoting a culture of security awareness and ethical behavior. Regular training and awareness programs are crucial in equipping them with the knowledge and skills to identify and report potential threats.”
References
- Ponemon Cost of Insider Risks Global Report (DTEX Systems)
- The Danger from Within (Harvard Business Review)
- 2023 Data Exposure Report (Code42)
- Voice of the CISO Report: Insights & Trends (Proofpoint)