How to build a successful security awareness training program

February 27, 2019

Security awareness training is crucial in the fight against cybercrime. Patrick Hart, CEO of Soteryan, explains why getting it right needs more than a check-box mentality: you need to engage your employees.

One of the core things to remember about cybersecurity is that people are both your weakest link and your best defence. On the negative side, in too many organisations people are sharing passwords and using unauthorised devices and applications to access corporate data, and that is just the tip of the iceberg of risky activity. Some won’t know this breaches company security policy; others will know but won’t care. And these people could be anywhere in the organisation, from the shop floor to the boardroom.

On the positive side, if employees understand what is appropriate in their environment and how they can act as a barrier to cybercrime, it can really boost your security. For example, with phishing still the most common delivery vector for malware, staff who know what to look for and who report suspicious messages promptly can cut your risk substantially. On top of this, research from the tech industry association CompTIA attributes 52% of security breaches to human error, so awareness is critical for ALL employees in companies of all sizes.

At its most basic level, employee security training is important because it helps prevent cybersecurity incidents caused by user error. On top of this, it is often expected by regulators, and many regulatory frameworks require a security training and awareness programme. For example, GDPR calls for a wide range of measures to reduce the risk of a personal data breach, and Article 39 tasks the data protection officer with monitoring compliance, “including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations.”

Of course, without proper thought, merely having a cybersecurity awareness training programme can be miles away from having one that actually improves the security posture of your organisation. Successfully communicating your security message throughout the organisation is key to ensuring real awareness of the issues. If that communication is wrong, your policy stands little chance of being effective, no matter how much effort you put into the content.

So how can you ensure that your security awareness leaves a lasting and meaningful impression? Here are five areas you need to focus on:

The personal touch is crucial

The harsh reality is that most employees probably aren’t as interested in the business at a technical level as you might hope. This tends to be one of the key reasons that organisational cybersecurity awareness isn’t, on average, as effective as it should be. Making your awareness training relatable is one simple way to combat this. That means not making it boring and impersonal, and instead providing the kind of advice that employees are going to connect with. For example, giving them tips they can apply outside the workplace to help secure their personal data is a great start. You’ll find that it quickly becomes second nature for them to apply the same skills at work.

Remote and clinical is not the answer

Online learning tools are great, and should form part of any programme, but they should only be part of your wider training scheme. The best security training is the sort that leaves a lasting impression, and you are only really going to get this by having face-to-face training as well. Allowing staff to ask questions, and to get considered answers from someone who has done their homework and understands the issues, will help them really understand the risks and how to mitigate them.

For example, a lot of companies use simulated phishing attacks as part of their security awareness programmes. These are only really effective if you follow them up with one-to-one (or group) sessions where staff questions can be answered and mitigating procedures discussed. Treat a click as a teaching opportunity rather than a failure: if people fear being singled out, they stop reporting, and the report is the signal you actually want.

Make sure consequences are clear

The only way to ensure your security posture is actually strengthened by your security awareness training is to make sure employees understand these two key things:

  • Why policies and procedures are in place
  • What the consequences of not following those procedures are, both for the business and for them personally

Any ambiguity in these areas will not only water down your messaging, it will also fail to connect with your audience. And remember, keeping things positive and inclusive is better than simply saying “don’t do this” all the time. The bulk of human-error cyber events can be mitigated with simple common sense, so encourage people to use theirs; don’t just talk at them.

Change with the times

One of the constants of the security landscape is that it is constantly changing, so your security awareness training needs to be able to change with it. While you don’t need to reinvent the wheel every six months, the most successful programmes are those that view security training as an ongoing process. That means keeping staff updated on any new types of attack they should be aware of. A mandatory mail-out that requires them to acknowledge it and submit questions is a practical way to manage this.

Also, remember that with new threats emerging all the time, it’s not just non-security staff who need to be trained. The security team itself also needs to be kept up to date with new and evolving threats and with how to manage and mitigate them. This has to be a priority.

Measure effectiveness

In a constantly changing risk environment, companies need to be able to track the impact of any awareness training, particularly when it comes to demonstrating compliance. This can be a challenge, as there are currently no universally accepted metrics, but here are some ideas to set you on the right track.

Annual surveys can be a useful starting point as they can provide an insight into staff attitudes toward information security, as well as their understanding of organisational policies. They can also be used to reinforce the security awareness training.

However, the most important thing you can track is actual behaviour. This could mean tracking things like: the number of reported lost or stolen devices; an increase in the number of phishing emails reported by staff; a decrease in the time it takes incident response teams to act on reported phishing emails; and the number of hours staff spend learning at voluntary events. For simulated phishing in particular, track the report rate alongside the click rate and the time from delivery to the first report, since a rising report rate is a better leading indicator of changed behaviour than a falling click rate alone. All of these can help demonstrate whether behaviour is changing across your organisation.
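As an added illustration of how such behaviour metrics can be derived (this is example code, not part of the original article or any Soteryan tooling), the Python below takes a constructed log of simulated-phishing events and computes, per campaign, the click rate, the report rate, how many people clicked and then still reported, and the median and fastest time from delivery to report, and then the change between two campaigns. The campaign names, users, timestamps, event format and function names are all assumptions made for the example.

```python
"""Behaviour metrics from a simulated-phishing event log (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample data, not real campaign results. One event per line:
# campaign,user,event,ISO-8601 timestamp   (event: delivered|clicked|reported)
SAMPLE_EVENTS = """\
2019-Q1,alice,delivered,2019-02-04T09:00:00
2019-Q1,alice,clicked,2019-02-04T09:12:00
2019-Q1,bob,delivered,2019-02-04T09:00:00
2019-Q1,bob,reported,2019-02-04T10:30:00
2019-Q1,carol,delivered,2019-02-04T09:00:00
2019-Q1,dave,delivered,2019-02-04T09:00:00
2019-Q1,dave,clicked,2019-02-04T09:05:00
2019-Q1,dave,reported,2019-02-04T09:07:00
2019-Q2,alice,delivered,2019-05-06T09:00:00
2019-Q2,alice,reported,2019-05-06T09:20:00
2019-Q2,bob,delivered,2019-05-06T09:00:00
2019-Q2,bob,reported,2019-05-06T09:05:00
2019-Q2,carol,delivered,2019-05-06T09:00:00
2019-Q2,carol,clicked,2019-05-06T09:40:00
2019-Q2,dave,delivered,2019-05-06T09:00:00
2019-Q2,dave,reported,2019-05-06T09:02:00
"""


def parse_events(text):
    """Parse CSV-style event lines into dicts, skipping blank and comment lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        campaign, user, event, ts = (f.strip() for f in line.split(","))
        if event not in ("delivered", "clicked", "reported"):
            raise ValueError(f"unknown event type {event!r}")
        events.append({"campaign": campaign, "user": user, "event": event,
                       "ts": datetime.fromisoformat(ts)})
    return events


def campaign_metrics(events):
    """Per campaign: click rate, report rate and time-to-report statistics.

    A user counts at most once per category per campaign, and time-to-report
    is measured from that user's own delivery timestamp. Reports from users
    with no delivery record are ignored rather than guessed at.
    """
    delivered = defaultdict(dict)   # campaign -> user -> delivery time
    clicked = defaultdict(set)      # campaign -> users who clicked
    reported = defaultdict(dict)    # campaign -> user -> first report time
    for e in sorted(events, key=lambda e: e["ts"]):
        c, u = e["campaign"], e["user"]
        if e["event"] == "delivered":
            delivered[c].setdefault(u, e["ts"])
        elif e["event"] == "clicked":
            clicked[c].add(u)
        else:
            reported[c].setdefault(u, e["ts"])

    result = {}
    for c, deliveries in delivered.items():
        n = len(deliveries)
        minutes = [(t - deliveries[u]).total_seconds() / 60
                   for u, t in reported[c].items() if u in deliveries]
        result[c] = {
            "delivered": n,
            "click_rate": len(clicked[c]) / n,
            "report_rate": len(minutes) / n,
            # People who fell for it but still raised their hand: the group a
            # no-blame follow-up session is meant to grow.
            "clicked_then_reported": len(clicked[c] & set(reported[c])),
            "median_minutes_to_report": median(minutes) if minutes else None,
            "first_report_minutes": min(minutes) if minutes else None,
        }
    return result


def trend(metrics, earlier, later):
    """Change in each metric between two campaigns (later minus earlier).

    A metric that is None in either campaign (nobody reported) is skipped
    rather than silently treated as zero.
    """
    deltas = {}
    for key in metrics[earlier]:
        a, b = metrics[earlier][key], metrics[later][key]
        if a is not None and b is not None:
            deltas[key] = b - a
    return deltas


if __name__ == "__main__":
    m = campaign_metrics(parse_events(SAMPLE_EVENTS))
    for campaign, stats in m.items():
        print(campaign, stats)
    print("2019-Q1 -> 2019-Q2:", trend(m, "2019-Q1", "2019-Q2"))
```

On the constructed data the report rate rises from 0.5 to 0.75 and the fastest report falls from 7 to 2 minutes, which is the trend the paragraph above describes; the `clicked_then_reported` count is worth keeping separately because a campaign where clickers still report is healthier than one where they go quiet.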

Using these five tips as the grounding for your security awareness training will give it the greatest chance of success. The main thing to remember is that you need to instil a sense that security is everyone’s responsibility. With the growing skills gap in the security sector this is more important than ever: staff are your front line in the fight against cyberattacks, so companies should think twice before cutting budgets in this area. Only by establishing this level of ownership and understanding can you ensure that security really does become part of your organisation’s DNA.