How to make cyber awareness training work: A step-by-step guide in 2024

Discover a 7-step plan for effective cyber awareness training, including hands-on learning, role-specific content, and leadership involvement.

Jun 28, 2024 - 11:14
Jun 28, 2024 - 12:50
Simplifying cybersecurity training for all

Most of us have sat through a mandatory cybersecurity lecture from HR. These programs rarely change how staff behave, and the organization stays exposed. Long videos and checkbox questionnaires dominate security training, yet they disengage employees, who finish the course no better at spotting a threat than when they started. Effective cybersecurity is not only a matter of tools: awareness has to become part of the daily culture if the organization is to reduce the risk posed by its own people. Here is how to build a program that works where others have failed.

Who enjoys cyber training?

Phishing attacks keep rising year on year, and initiatives that position employees as the organization's front line against cyber threats are gaining popularity in response.

Employees work at the edge of the network, in inboxes, browsers and mobile devices, where an attacker's first contact usually happens and where technical controls have the least reach. It is therefore essential to teach them how the threat landscape is changing and how to recognize and report a suspected compromise. Many training programs fail at exactly this point: ineffective learning methods and outdated content lead users to disengage. The time and effort invested collectively produce little, and the organization remains exposed.

The structure, approach, and content of cyber awareness training must hold attention amid the distractions of office life. Every security professional has to recognize this and adapt, because training that does not work leaves a significant, avoidable risk to enterprise security on top of the work responsibilities we already carry.

Insider threat landscape in 2024

People are a significant vulnerability known as the insider threat: risk from anyone with access to network resources, including employees, managers, partners, and contractors. Cybercriminals use sophisticated methods to exploit them, leading to costly incidents. According to the Ponemon Institute's Cost of Insider Risk Global Report, such incidents are becoming more frequent each year, and the average annual cost of dealing with them rose from $15.4 million in 2022 to $16.2 million in 2023.

AI intensifies the threat

David Emm, Principal Security Researcher at Kaspersky’s Global Research and Analysis Team, noted to Techopedia that AI bears some responsibility for the situation.

According to Emm, cybercriminals are now leveraging machine learning to replicate trusted behaviors and automate attacks, complicating the detection of malicious activities.

Robert O’Brien, Chief Evangelist at MetaCompliance, concurs, stating that the advent of ChatGPT has empowered hackers with unprecedented capabilities.

Their swift adoption and innovative use of AI in their schemes have outpaced expectations from both government and industry. O’Brien emphasizes:

“AI tools significantly expand the threat landscape for most organizations, especially when their integration isn’t carefully managed.”

Tyler Farrar, CISO at Exabeam, adds that AI is adept at crafting convincing and persuasive messages, making it increasingly challenging for users to distinguish fraudulent activities and thereby boosting success rates.

The human element

According to Kaspersky’s Emm, intentional insider threats, where trusted employees deliberately cause harm, remain the most significant challenge. Emm emphasizes:

"Businesses struggle to control this due to the breach of trust between the company and the employee. Implementing access control measures and limiting actions to those necessary can help mitigate these risks. Employee indifference and lack of awareness worsen these issues, requiring a proactive and adaptable security approach."

This is not a new problem. Awareness of insider threats has been acute since at least 2014, when a Harvard study estimated that US companies faced 80 million cyberattacks a year involving employees or contractors, a figure that is probably an undercount even today, given how many breaches go unreported.

The challenge of cyber security awareness training

Many organizations attempt to address cybersecurity by convening employees in boardrooms, presenting alarming PowerPoints, and distributing checklists for their workstations. However, given the complex and persistent nature of modern cyberattacks, coupled with human factors, these traditional training methods often fall short.

Devin Ertel, CISO at Menlo Security, emphasizes:

"Threat actors exploit employee apathy, curiosity, and lack of security awareness to evade even the most advanced technical defenses."

Ertel notes that "Humans remain the weakest link," highlighting that "over 75% of phishing links are hosted on trusted websites, complicating identification of malicious content."

Chris Denbigh-White, Chief Security Officer at Next DLP, identifies several barriers facing cyber awareness training programs:

  • Competing work priorities
  • The abstract nature of cyber threats compared to physical threats
  • Inconvenience of security protocols
  • 'Security fatigue' from constant security alerts and updates

Simplifying cybersecurity training for all

Cybersecurity training frequently relies on technical jargon, which can alienate non-technical employees and make the content seem overwhelming or irrelevant, hindering comprehension. Additionally, there's a tendency towards "invulnerability bias," where individuals underestimate their vulnerability or feel shielded by company firewalls, fostering a mindset of "it won't happen to me."

A significant issue lies with the security teams themselves, who often spearhead training initiatives but may lack the ability to communicate effectively to a non-technical audience. Lance Spitzner from SANS Security Awareness highlights that many programs fail because they do not align with how people think or operate.

To address this, companies should prioritize making security training accessible and relevant to all employees, regardless of technical background, using language and concepts that resonate with their everyday experiences and concerns.

Expert advice on integrating cyber awareness

According to experts, a successful cyber awareness training program requires dedicated resources, time, and a strategic approach. Here are key factors for success:

Craft effective messaging

Robert O’Brien from MetaCompliance emphasizes that security awareness should mirror effective organizational marketing campaigns, ensuring consistent and relevant messaging throughout all communications channels.

Foster engagement and reinforcement

Chris Denbigh-White of Next DLP recommends developing interactive and relatable training that explains the reasons behind security practices, not just the procedures. He also suggests implementing recognition and reward programs to incentivize cybersecurity diligence.

Empower security teams

Lance Spitzner from SANS underscores the importance of having dedicated security team members who excel in communication and training to drive behavior change effectively.

Personalize training with micro-lessons

Mika Aalto from Hoxhunt advocates for behavioral-focused training that can be personalized based on individual backgrounds and skill levels. He suggests making training enjoyable, leveraging gamification to simulate real threats and encourage active participation.

Embrace continuous learning

Tyler Farrar, CISO at Exabeam, stresses the need for immersive and ongoing training that includes regular phishing simulations, personalized modules, and interactive content like gamified exercises and virtual reality experiences.

Secure leadership buy-in

Stephen Kowski from SlashNext Email Security highlights the importance of executive support in fostering a security-conscious culture and delivering engaging, role-specific training modules.

Develop engaging content

Proofpoint emphasizes the importance of creating engaging, relevant, and easily digestible training materials that reinforce cybersecurity principles and guide employees toward secure behaviors.

By integrating these strategies, organizations can enhance cyber awareness among employees effectively, mitigating risks and strengthening overall security posture.

Successful cyber awareness training: Simplified 7-step approach

Krishna Vishnubhotla, Vice President of Product Strategy at Zimperium, outlines a straightforward yet effective template for implementing cyber awareness training:

Hands-on approach

Engage employees with interactive sessions featuring real-life scenarios to ensure practical learning and sustained interest.

Regular updates

Keep employees informed about emerging threats and best practices through regular updates to maintain awareness and preparedness.

Focus on mobile security

Educate employees on the risks associated with mobile devices, emphasizing the importance of using trusted apps and continuous monitoring for threats.

Role-specific content

Tailor training content to different roles within the organization, addressing specific cybersecurity risks relevant to each role.

Continuous assessment

Regularly evaluate the effectiveness of training initiatives and provide feedback to employees to refine their cybersecurity practices.

Integration into daily practices

Embed cybersecurity practices into the daily routines and company culture to foster a proactive approach to security.

Leadership involvement

Ensure that executives and board members actively participate in and endorse the training program to underscore its significance and promote a security-centric mindset across the organization.
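The "continuous assessment" and "role-specific content" steps above only work if someone actually measures the results of each phishing simulation per role and feeds them back into the next round of training. The script below is an added example, not code from the article or from Zimperium or any other vendor named on this page. It scores a constructed simulation export (the column layout and the thresholds are assumptions standing in for whatever your platform produces and whatever baseline you set), reports click rate, report rate and median time-to-report per campaign and role, flags groups that fall outside the thresholds, and lists users who clicked in more than one campaign as candidates for a targeted micro-lesson rather than another all-hands lecture.

```python
"""Phishing-simulation scorecard for continuous assessment.

Added example; not code from the article or from any vendor named in it.
SAMPLE_ROWS is constructed sample data; the column layout is an assumption
standing in for the export of whatever simulation platform you use.
"""
from collections import defaultdict
from statistics import median

# Constructed sample export, one row per simulated lure delivered:
# (campaign, role, user, clicked, reported, minutes_to_report or None)
SAMPLE_ROWS = [
    ("2024-Q1", "finance", "u1", True,  False, None),
    ("2024-Q1", "finance", "u2", False, True,  45),
    ("2024-Q1", "finance", "u3", True,  True,  12),
    ("2024-Q1", "eng",     "u4", False, True,  3),
    ("2024-Q1", "eng",     "u5", False, False, None),
    ("2024-Q1", "eng",     "u6", False, True,  8),
    ("2024-Q2", "finance", "u1", False, True,  20),
    ("2024-Q2", "finance", "u2", False, True,  15),
    ("2024-Q2", "finance", "u3", True,  False, None),
    ("2024-Q2", "eng",     "u4", True,  True,  30),
    ("2024-Q2", "eng",     "u5", True,  False, None),
    ("2024-Q2", "eng",     "u6", False, False, None),
]


def score(rows):
    """Aggregate per (campaign, role): lures sent, click rate, report rate,
    and median minutes until a report. Report rate matters as much as click
    rate: a user who clicks and then reports still gives the SOC a signal."""
    acc = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0, "minutes": []})
    for campaign, role, _user, clicked, reported, minutes in rows:
        a = acc[(campaign, role)]
        a["sent"] += 1
        a["clicked"] += int(clicked)
        a["reported"] += int(reported)
        if reported and minutes is not None:
            a["minutes"].append(minutes)
    result = {}
    for key, a in acc.items():
        result[key] = {
            "sent": a["sent"],
            "click_rate": a["clicked"] / a["sent"],
            "report_rate": a["reported"] / a["sent"],
            "median_minutes_to_report": median(a["minutes"]) if a["minutes"] else None,
        }
    return result


def flag(scores, max_click_rate=0.2, min_report_rate=0.5):
    """Return (campaign, role, reason) for groups outside the thresholds.
    The default thresholds are illustrative assumptions; derive yours from
    your own baseline campaigns."""
    flags = []
    for (campaign, role), s in sorted(scores.items()):
        if s["click_rate"] > max_click_rate:
            flags.append((campaign, role, "click rate %.0f%%" % (100 * s["click_rate"])))
        if s["report_rate"] < min_report_rate:
            flags.append((campaign, role, "report rate %.0f%%" % (100 * s["report_rate"])))
    return flags


def repeat_clickers(rows, min_campaigns=2):
    """Users who clicked in at least min_campaigns distinct campaigns.
    These are the people for whom a personalized micro-lesson pays off."""
    hits = defaultdict(set)
    for campaign, _role, user, clicked, _reported, _minutes in rows:
        if clicked:
            hits[user].add(campaign)
    return sorted(u for u, campaigns in hits.items() if len(campaigns) >= min_campaigns)


if __name__ == "__main__":
    scores = score(SAMPLE_ROWS)
    for (campaign, role), s in sorted(scores.items()):
        print(f"{campaign} {role:8s} sent={s['sent']} click={s['click_rate']:.0%} "
              f"report={s['report_rate']:.0%} median_min={s['median_minutes_to_report']}")
    for campaign, role, reason in flag(scores):
        print(f"FLAG {campaign} {role}: {reason}")
    print("repeat clickers:", repeat_clickers(SAMPLE_ROWS))
```

Run it on each campaign's export and keep the per-role history; a falling report rate is an earlier warning than a rising click rate, because it means the lures that do land are no longer reaching the security team at all.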