Why your business needs security awareness training and how best to go about it

Alexander Darcy

    Security awareness training is a deliberate education exercise aimed at teaching employees about cybersecurity and other related topics such as IT best practices and regulatory compliance.

    Every modern business needs security awareness training because, no matter how robust and up to date its security software tools are, its data is not safe if employees don’t have the right knowledge of the threats out there and how best to avoid them.

    The sad truth is that your employees are the Achilles’ heel in your organisation’s cybersecurity system. They can easily fall prey to phishing and are prone to clicking on ransomware lures. They can also easily make costly mistakes with compliance requirements and even mishandle sensitive client data.

    In fact, according to Verizon’s 2019 Data Breach Investigations Report, 33 percent of cybersecurity incidents were social attacks, and the 2018 edition of the same report revealed that 93 percent of successful security breaches start with phishing.

    The 2017 edition was even more indicting of employees, revealing that as many as 81 percent of hacking-related breaches leveraged stolen or weak passwords, and 1 in 14 users admitted being tricked into following a link or opening an attachment they shouldn’t have.

    What topics should be covered in security awareness training?

    Below are ten of the most important topics every organisation should teach its employees about as part of its security awareness training, and the key sub-topics to cover under each:

    Passwords

    • Multi-factor authentication
    • Password managers
    • Password best practices

    Phishing

    • Types of phishing attacks
    • Risks presented by phishing
    • How to avoid falling for a phishing attack

    Compliance

    • General Data Protection Regulation (GDPR)
    • HIPAA Privacy & Security
    • PCI DSS
    • Data Breach Notification
    • Data Protection Act

    Websites & Software

    • The risks presented by malicious websites and software
    • How to identify malicious websites and software
    • How to stay safe when browsing the web

    Physical Security

    • Common physical security vulnerabilities (e.g. tailgating, removable media, etc.)
    • Best practices to stay safe (e.g. clean desk policy)
    • How to stay safe when working remotely (e.g. safe Wi-Fi usage)

    Malware

    • Types of malware
    • How to identify polymorphic malware
    • How malware attacks usually unfold

    Ransomware

    • Introduction to encryption
    • Types of ransomware (e.g. scareware)
    • How to avoid ransomware attacks

    Social Media

    • Risks presented by social media usage at work
    • Difference between social media for work and for personal use
    • How to handle sensitive customer data when using corporate social media

    Social Engineering

    • How to recognize and identify a social engineering attack
    • How to safely extricate oneself from a social engineering attack
    • Types of sensitive information that should never be disclosed to anyone

    Incident Response

    • Key steps and procedures to follow in case of an incident
    • Role of each employee in responding to an incident
    • Mock incidents for employees to practice responding to
    How to deliver an effective security awareness training program

    An effective cyber defence training initiative should cover three key elements:

    • Common threats the organisation currently faces
    • How to spot attacks early (red flags to watch out for)
    • Defensive procedures and threat reaction plans

    It’s also worth noting that effective security awareness training is not a one-time event but rather a continuous process that can be broken down into a cycle of seven steps:

    Assessing needs
    This is about evaluating the top risk(s) your organisation faces, be it compliance, phishing or tailgating.

    Developing content
    Define security incidents and lay out a reporting procedure using some clear real-world examples.

    Scheduling training
    Create monthly activities as well as those specifically targeted at peak attack seasons like the holidays.

    Delivering training
    Use different methods such as email, face-to-face meetings, group seminars, webinars, PDF guides, etc.

    Testing efficiency
    Have tests regularly inserted into the program (both planned and impromptu) as well as mock attacks.

    Measuring progress
    Track who completes the training, how long they take, and whether security incidents drop or rise.

    Adjusting accordingly
    Tweak training materials for better results and update them as new kinds of security threats emerge.
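    As an added example that is not part of the original article, the script below turns the "Testing efficiency", "Measuring progress" and "Adjusting accordingly" steps into numbers: it computes training completion rate and median time to complete, compares mock-phishing click rates before and after training per department, and lists the departments whose click rate did not fall. All employee, department and campaign records are constructed for illustration.

```python
from datetime import date
from statistics import median

# Constructed training records: (employee, department, date assigned, date completed or None)
TRAINING = [
    ("alice", "finance", date(2024, 1, 8), date(2024, 1, 10)),
    ("bob",   "finance", date(2024, 1, 8), date(2024, 1, 30)),
    ("carol", "sales",   date(2024, 1, 8), date(2024, 1, 9)),
    ("dave",  "sales",   date(2024, 1, 8), None),
]

# Constructed mock-phishing results: (campaign, employee, clicked the lure?)
PHISHING = [
    ("before", "alice", True),  ("before", "bob", True),
    ("before", "carol", False), ("before", "dave", True),
    ("after",  "alice", False), ("after",  "bob", False),
    ("after",  "carol", False), ("after",  "dave", True),
]

def completion_stats(records):
    """Who completed the training, and how long they took (median days)."""
    days = [(done - assigned).days for _, _, assigned, done in records if done]
    rate = len(days) / len(records) if records else 0.0
    return {"completion_rate": rate, "median_days": median(days) if days else None}

def click_rate(results, campaign):
    """Share of a campaign's recipients who clicked the simulated lure."""
    clicks = [clicked for camp, _, clicked in results if camp == campaign]
    return sum(clicks) / len(clicks) if clicks else 0.0

def per_dept_change(training, results):
    """Click rate before vs after training, per department."""
    dept_of = {emp: dept for emp, dept, _, _ in training}
    tally = {}  # (department, campaign) -> [clicks, recipients]
    for camp, emp, clicked in results:
        cell = tally.setdefault((dept_of[emp], camp), [0, 0])
        cell[0] += int(clicked)
        cell[1] += 1
    return {d: {c: tally[(d, c)][0] / tally[(d, c)][1] for c in ("before", "after")}
            for d in sorted({d for d, _ in tally})}

def needs_adjustment(change):
    """Departments whose click rate did not fall: the 'adjust accordingly' list."""
    return [d for d, r in change.items() if r["after"] >= r["before"]]

if __name__ == "__main__":
    print(completion_stats(TRAINING))
    print("click rate before/after:", click_rate(PHISHING, "before"), click_rate(PHISHING, "after"))
    print("needs adjustment:", needs_adjustment(per_dept_change(TRAINING, PHISHING)))
```

    In the constructed data the employee who never completed the training is also the one who still clicks, so his department is the one flagged for adjustment.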

    In Summary

    Hackers are always evolving their approaches and techniques, but with regular security awareness training for employees, businesses can significantly reduce the risk of cyber-attacks and data breaches.

    As a leading provider of innovative IT security solutions, TechBrain offers a robust awareness training service designed to arm your employees with the vital security knowledge, skills and best practices they need to navigate the cyber security risks of the modern business world. Get a free consultation today!