Business Daily Media

4 Tips for Getting Started with Cyber Awareness and Security Training

  • Written by Tyler Moffitt, Senior Security Analyst, Webroot + Carbonite

The pandemic transformed workplaces overnight: remote working conditions accelerated years into the future as entire companies learned new ways of collaborating, communicating and doing business. Unfortunately, not all impacts have been positive. There’s been an intense uplift in cyber-attacks, with Australia’s scamwatch reporting an increase of over 50,000 last year when compared with 2019. The value of the total attacks in 2020 was over $32 million more than 2019 observed, with businesses being the chief victim targeted by scams.

Blame it on increased phishing, already overstretched IT budgets or an increased use of home networks and technology by WFH employees. However, most of these classic issues we tend to ‘blame’ stem from a lack of awareness and cyber education. When these elements are properly engrained in an organization’s processes and culture, the number of risks to the business decreases.

Given that IT staff, especially those at SMBs and MSPs, are tasked with a lot of responsibilities, yet often lack proper resources and time, it can be difficult to get a cybersecurity training and awareness program up and running and maintained. Outlined below are four recommendations IT teams should take when starting a security awareness training or education initiative.

  1. Obtain Buy-in from Stakeholders

It’s a given that business stakeholders acknowledge the importance of security tools – after all, news headlines are only getting scarier and more novel as they reflect the latest breaches and hacks. But being removed from the day-to-day IT and cybersecurity management, these stakeholders often appreciate a critical eye looking at whether the business has the right tools or is using them in the right way. What they need is to clearly understand the threats that are present and popular, the risks that ill-informed personnel may be exposed to and the risks that those personnel can introduce to the business.

Obtaining stakeholder buy-in at the start of a security awareness training initiative is also important as business leaders should play an active, consistent role in promoting the importance of security awareness and compliance across the business and to all employees.

  1. Begin with a Baseline Phishing Campaign

Test employees with a phishing campaign, without warning or context, to establish a baseline understanding of how they understand and identify phishing threats. The baseline phishing test will help businesses see clearly which employees need extra education or guidance and also enables businesses to track progress with each additional phishing test. Our data indicates that the average click-through rate for a phishing simulation campaign is 11 percent – meaning that percentage of employees clicked on what would have been a real phishing link in the test scenario. That drops to eight percent in the second campaign, but by the eleventh in a calendar year it’s down to five percent.

  1. Require Compliance and Security Training

Establish a framework of training campaigns that highlights common and timely cybersecurity topics including phishing, malware, social engineering, strong password policies and more. Negotiate with stakeholders which employees or departments will need customized courses to best tailor the program where possible, or to identify training that needs to be required by all employees because of the business’ industry. For example, employees of a healthcare provider must understand HIPPA compliance protocol, for instance, and be able to identify an email spoofing a large insurance provider.

Real-world training should also mirror real-world events, such as news related to COVID-19, because cyber criminals adapt phishing tactics quickly to take advantage of news headlines and public interest.

  1. Test Regularly

While a baseline test is a good start to get a feel for the cyber preparedness of the office, measuring if the learning has resonated with users is key to fostering cyber resilience and truly seeing ROI. For workforces, repetition and reiterating key messages of the security training will be crucial. Holding regular simulations, with ‘chunked’ learning modules of 4-5 minutes will reinforce education without accompanying fatigue.

For businesses that are unable to run monthly tests, adjust to a quarterly cadence or the needs of your training program. Whatever the testing cycle, ensure you re-test only those who failed each test so that training doesn’t become a nuisance to those who passed.

As WFH setups seem to be ending in the near future, having a cyber aware and cyber resilient workforce is a must to prevent the threats of tomorrow, today. Educating workforces is a long-term commitment and expecting overnight change from remote workforces is unreasonable. But in building an effective security awareness program that involves all employees, IT and important stakeholders, workplaces can create cyber resilience through an informed and equipped audience to help drastically reduce cyber risks to the business.


Tyler Moffitt, Sr. Security Analyst, Webroot

Business Reports

Is Maintaining Good Customer Service Difficult?

Good service is the key to success within any customer-facing business. Employees should strive to help in a clear and friendly way, to attract new customers and retain current clients. There are many ways in which you can imple...

Business welcomes Safeguard consultations

A comprehensive consultation process on the Safeguard Mechanism will be critical to achieving our targets and locking in a stronger economy, Business Council chief executive Jennifer Westacott said. “It’s time to move beyon...

Adyen advances in-person payments with the launch of in-house designed terminal range

Adyen (AMS: ADYEN), the global financial technology platform of choice for leading businesses, is pleased to announce the launch of its first in-house designed terminals. Innovated to facilitate diverse payment use cases, the ...

Water education is key to creating sustainable communities

Water has shaped the unique landscape and the culture of the Northern Territory for over 60,000 years and is just as important today. Water is at the centre of the Territory lifestyle. In remote communities, preserving water hel...

Influential oil company scenarios for combating climate change don't actually meet the Paris Agreement goals, our new analysis shows

BP, Shell and Equinor all produce widely used scenarios of energy's future.Christopher Furlong/Getty ImagesSeveral major oil companies, including BP and Shell, periodically publish scenarios forecasting the future of the energy se...

How to Improve Marketing Strategy Using Surveys

Every business owner knows how important marketing is. However, there are more than a few ways to go about forming your marketing strategies. Many marketers will disagree on what the best approach is. However, there is one thing...

Web Busters - Break into local search

WebBusters.com.au