Cyber Security Awareness Training

Chapter 9

10 min

Cyber Security Awareness Training

Security awareness training (SAT) is the process of educating employees on practical matters of cybersecurity, often accompanied by drills and attack simulations to give them first-hand experience in recognizing attacks. With the threat of phishing and breaches always looming over every business, security-conscious employees form your company’s first (and last) lines of defense against ransomware, business email compromise, and other modern threats that allude to traditional email security technologies. 

Growth of phishing sites graph

Growth of phishing sites from 2013-2022 (source)

Today’s phishing attacks are much more sophisticated than the classic Nigerian Prince scams from decades past. In 2015, for example, an advanced hacker group used a targeted phishing campaign to infect the Ukrainian national power grid. In this case, inadequate security awareness had consequences at the level of national security.

Even if your company is small enough that you don’t think advanced hacking groups will target you, don’t be complacent. Phishing attacks, including those from advanced threat actors, cast a wide net using automated spam software to breach as many targets as possible. This allows advanced hackers to attack your employees and business partners, further increasing financial and reputational damage.

SAT products and commercial solutions go far beyond the traditional concept of training videos. For example, some integrated communication email security (ICES) solutions can include SAT, which uses artificial intelligence to recommend awareness training for employees or departments that are frequently targeted by attackers or employees that have failed phishing simulation tests.

Key cyber security awareness training best practices

In this article, we explore the most important components of highly effective security awareness training and ways that you can implement these principles to improve your organization’s cybersecurity posture. The table below summarizes the best practices covered in this article.

Best practices Description

Tailor training to the threat model

The contents of the training should match the specific kinds of threats the company is most concerned about.

Conduct regular training Prevent employees' security knowledge from getting stale, account for new employees, and incorporate new attack vectors by conducting periodic cyber security training.
Encourage strong password hygiene Require strong credentials to better withstand brute force attacks, protect credentials with multi-factor authentication, and implement other strategies to prevent password theft and account takeovers.
Address social engineering attacks Even if you have strong technical defenses, attackers can still get in by convincing employees to simply give them access under false pretenses. Learning how to detect social engineering attacks is a core component of SAT.
Remember physical security Cybersecurity is not just about protecting and monitoring the software: Physical buildings and devices must also be protected from in-person or physical threats.
Encourage proactive incident reporting Training should foster open communication about threats between employees and the security team.
Highlight policy familiarity Ensure that employees are aware of and understand the company's cybersecurity policies.
Leverage integrated approaches Your company's SAT solution should be able to integrate with existing software solutions, maximizing employees' capacity to apply what they learn.

Understanding SAT best practices

Let’s walk through each of the best practices outlined in the table above, looking at how to use them to run an effective training program for your team.

SAT cloudPhishing simulations, multimedia, reporting, and continuous improvement form the pillars of a solid SAT program.

Tailor training to the threat model

Commercial SAT solutions typically offer various phishing simulation scenarios that you can apply to your organization’s internal phishing simulation testing campaigns. For example, IRONSCALES offers the ability to integrate your phishing simulation campaign with AI-generated content to ensure maximal customization of phishing content.

Click me

More broadly, you want to ensure you cover aspects of your business that make it unique. For example, a network that manages industrial IoT devices in factories has different needs than a typical urban office environment.

Conduct regular training

One-time SAT sessions have three big problems:

  1. Employees tend to forget the training in a short period of time.
  2. New employees may be onboarded after the training session, so they never receive the training.
  3. New threats emerge after the training session is complete.

An example of the third point occurred during the COVID-19 pandemic, when many phishing campaigns flooded inboxes, attracting attention by claiming to have important information about new infections or vaccines.

Whenever a new geopolitical event, technology, or crisis occurs, scammers are first to incorporate it into new phishing tactics. Regularly retraining employees is essential to account for these emerging threats.

Encourage strong password hygiene

A policy should be enforced on your organization’s networks, devices, and accounts to prevent weak passwords. The usual array of protections includes:

  • Mandatory password lengths and complexity
  • Multi-factor authentication (MFA)
  • Prohibiting the use of default passwords
  • Checking the hashes of passwords against known breached passwords (via services like haveibeenpwned)
  • Disallowing the reuse of credentials
  • Periodically rotating credentials and cryptographic keys

Employees should be taught how to implement these practices in ways appropriate to their roles. For example, Linux systems administrators should know how to rotate their SSH keys, and there should be a mechanism for enforcing this.

Address social engineering attacks

One of the trickiest forms of attack to counter, social engineering relies on vulnerabilities in the way humans think and relate socially. Employees should be taught to look for unusual or unnecessary signs of authenticity in communications and trained to safely verify the claims of messages about sensitive actions. 

For example, a phone call from an executive could very well be an attacker using AI software to mimic that executive’s voice, spoofing the phone call to appear to come from the executive’s phone. If the executive seems to be telling the employee to perform some critical action, the employee should independently verify with the executive via some other channel of communication. Scenarios like this are where attack simulations shine: By finding what kinds of attacks your employees fall for, you can decide what training is most needed for your organization.

Read our comprehensive 20-page study of AI’s role in email security WHITE PAPER

Remember physical security

An often overlooked aspect of security is that physical devices should be protected against in-person threats. For example, hard drive encryption (via tools like BitLocker) should be mandated as a policy in case devices are stolen or simply lost. Furthermore, physical access to the building should be protected via authentication mechanisms to prevent random people from entering, aka tailgating.

Physical security is a broad field, and it’s important to consider when implementing a holistic SAT.

Encourage proactive incident reporting

An effective Security Awareness Training (SAT) program not only informs but also empowers employees to become active in your security strategy, providing frontline intelligence on emerging threats against your company. To maximize this frontline defense, it’s crucial that training sessions comprehensively cover the most common and recent threats. For example, what steps should employees take upon discovery of an unattended USB drive? How should they respond to passwords left visible in plaintext? 

Instilling a security-first culture and empowering employees to recognize and quickly report security incidents should be considered an essential facet of any SAT program. These proactive measures help your cyber security team react to security issues that may otherwise go unnoticed.

Highlight policy familiarity

Your company likely already has specific policies on certain security topics, such as how to report threats or handle sensitive information. However, these policies mean nothing if employees aren’t aware of them. They need specific training and evaluation on their ability to adhere to these policies. Simply sending updates via email is not enough—employees should be actively engaged through formal testing (e.g., quizzes) to ensure that they understand crucial changes or new security policies. Simulations should ensure that incidents are handled according to well-defined policies.

SAT allows you to evaluate your employees’ understanding of your company’s security policies. It also informs you of the strengths and weaknesses of your policies so you can modify them.

Leverage integrated approaches 

When scouting for ICES solutions, it's important to choose options that either include Security Awareness Training (SAT) or integrate and synergize closely with it. The right ICES solution should offer more than just protection—it should provide valuable insights into security trends within your organization. This includes identifying departments or employees that are frequently targeted by attackers, as well as pinpointing individuals who have fallen for phishing simulations.

IRONSCALES gives you an easy-to-use web UI for managing internal phishing simulations

IRONSCALES gives you an easy-to-use web UI for managing internal phishing simulations (source).

By integrating ICES with SAT, companies can tailor their training programs to focus on areas of weakness, ensuring that employees who are more susceptible to phishing attacks receive the additional instruction they need. Such targeted training can drastically improve your team’s ability to recognize and respond to threats, ultimately strengthening your company’s overall security posture.

Whether you use your own SAT or (as we recommend) decide to use an integrated solution like IRONSCALES, go through the best practices outlined above and ensure that your training program empowers your employees to be a part of your security strategy.

Get a FREE 90-day email security scan test. BEGIN SCAN

Summary of key concepts 

A well-informed workforce is the bedrock of cyber defense. Proper training can drastically lower the odds of a cyber attack breaching your organization. This article delved into the essentials of high-quality Security Awareness Training (SAT), explored best practices, and highlighted some efficient solutions to kick-start your cybersecurity training initiatives effectively.

Continue Reading this Series

Chapter: 9 Cyber Security Awareness Training

Learn how to customize phishing simulations and use various SAT best practices to improve your organization's security posture.

Read chapter

Chapter: 8 Phishing Attack Simulation

Learn how to execute effective phishing simulation campaigns and integrate security awareness to protect organizations from threats.

Read chapter

Chapter: 7 Anti Phishing Training

Learn 7 best practices for effective anti-phishing training and tips to avoid mistakes.

Read chapter

Chapter: 6 Phishing Simulation

Learn seven best practices to improve quality and benefits of phishing simulations.

Read chapter

Chapter: 5 Phishing Simulation Tools

Learn how to simulate a phishing attack within an organization with six different tools, their key features, strengths, and weaknesses.

Read chapter

Chapter: 4 Security Awareness Training

Learn seven benefits of security awareness training that can reduce the risk of a breach and empower employees to be proactive about cybersecurity.

Read chapter

Chapter: 3 Phishing Education for Employees

Learn how to implement an effective phishing education program for employees to identify, think critically, and mitigate risk of malicious attacks.

Read chapter

Chapter: 2 Phishing Email Examples For Training

Learn 8 phishing examples to help protect against social engineering attacks and reduce phishing-based breach risks.

Read chapter

Chapter: 1 Phishing Awareness Training

Learn why phishing awareness training is critical to organizations defending against phishing attacks.

Read chapter