cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

Tools and tactics to train cyber security savvy employees

Richard Addiscott from Gartner offers tips to organisations looking to enhance the cyber security capabilities of their workforce.

user iconRichard Addiscott
Fri, 13 Aug 2021
Richard Addiscott
expand image

Perfect cyber security protection isn’t possible. Human error and social engineering attacks continue to be the primary reasons behind data breaches affecting organisations. In fact, people directly affect security outcomes more than technology, policies or processes.

In the last 12 months, the “human element” has been involved in 85 per cent of breaches and phishing was the primary mode of attack in 36 per cent of them, according to Verizon’s 2021 Data Breach Investigations Report.

This has been heightened by the continued impact of COVID-19, resulting in significant changes to how the workforce operates and interfaces with technology. All these factors are influencing cyber security risk exposures and threat activity continues to find ways to exploit human error.


Security awareness training programs play a crucial role in mitigating human-born cyber risks. They help ensure workforces remain aware and vigilant to the activities of malicious actors seeking to compromise sensitive data or business operations, but the programs must continually evolve to be successful. This is a critical element in delivering a defence-in-depth, or multilayered, enterprise security program.

Top of the agenda for many organisations with such programs is to drive behaviour change, ensure regulatory compliance, enhance employee knowledge and reinforce behavioural expectations.

Organisational support is key

The success of a security awareness program will come from clearly defined objectives, sustained executive sponsorship and collective organisation-wide involvement. Senior leadership plays a strong role in promoting employee education and behaviour change to combat cyber threats.

Attaining and sustaining executive support for security awareness must be a top priority to achieve optimal results from your program. Without it, your team will struggle to get penetration with key messages across the organisation.

Computer-based training

Security awareness computer-based training is both a growing and rapidly evolving market. A natural by-product of changes in normal work operations over the past 18 months is the requirement to communicate what these changes mean to end users across the entire organisation, and any resulting security implications. This is where security awareness computer-based training has really helped.

The market is characterised by vendor offerings that include one or more of the following capabilities: ready-to-use training and educational content; employee testing and knowledge checks; availability in multiple languages, natively or through subtitling or partial translation; phishing and other social engineering attack simulations; and platform and awareness analytics to help measure the efficacy of the program.

Trends that Gartner has identified in the market for computer-based security awareness training include lower prices, a shift towards shorter training modules delivered more frequently; gamification to win the hearts and minds of end-users; and an increasing number of providers using proprietary scoring techniques to provide a quantifiable measure of an organisation’s human risk exposure.

Define a clear vision for your security awareness program before buying a computer-based training platform and involve stakeholders outside of IT and information security to attain executive buy-in.

Training as a managed service

Many resource-constrained organisations, specifically midsize enterprises, struggle to provide even basic security awareness training to their users, let alone develop a sophisticated, multichannel, context-specific and employee-centric enterprise security awareness program.

Training delivered as a managed service might be a good fit. They assist in orchestrating many elements of a security awareness training program if there’s a gap in dedicated security awareness expertise on staff, or if other budgetary, financial or program-driven constraints exist.

Achieving awareness success

Security awareness is more than phishing simulation and computer-based training. Leading programs leverage vendor platforms that enable and augment the execution of a multichannel, context-specific and employee-centric approach to educate employees and change behaviours.

Employee awareness of security threats is best observed through their day-to-day behaviours, as well as their response when challenged by adversaries, IT systems and business processes that are perceived to be impeding on how they work.

Construct truly context-specific and employee-centric security awareness programs by being prepared to use multiple content sources for security training curriculums where necessary.

Increase the effectiveness of your program by augmenting traditional regular, curriculum-based training approaches with “in the moment” communications that alert an end-user prior to, or directly after, they have undertaken an action that exposes the organisation to cyber security risks.

Richard Addiscott is a senior director analyst at Gartner. He advises information and cyber security leaders on improving security risk management maturity and outcomes; optimising security risk postures; and demonstrating clear alignment between security and strategic business outcomes.

cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.