Effective cyber security awareness training doesn’t have to be complicated

Cyber security awareness training, or cyber-SAT, has been on the radar for some time now, yet uptake of technologies to support cyber-SAT efforts—although increasing—is still relatively low.

Not only is cyber security awareness training recommended and considered best practice by a number of governing bodies, including the National Cyber Security Centre (NCSC), but it is a mandatory requirement under certain cyber insurance policies and regulations.

So, what’s causing the hesitation? 

Perhaps it’s a lack of budget or resource. A lack of understanding of the value it adds. Or maybe incorrect assumptions about the complexity and ongoing management of cyber-SAT solutions.

Here are a handful of responses from organisations surveyed as part of the Government’s 2023 Cyber Security Breaches Survey:

  • “In moments of uncertainty, with costs increasing, it’s tempting to cut corners.” 
  • “Cyber security is seen as a scary, messy business with lots of complexity and technical challenges, best left to the experts.” 
  • “We can’t afford to allocate resource to cyber security. I’ll spend as and when I have it [budget], or when I need to.” 

But what if we told you cyber-SAT does not have to be complex, resource intensive, or expensive to be effective?   

Given the importance and the very real implications, would that change your mind? 

In this article, we debunk these assumptions and explain how a low-touch cyber-SAT platform combined with clear organisation-wide communication can significantly improve your overall cyber security posture. 

Cyber awareness is increasing 

Despite the hesitation, organisations are doing their research. The Cyber Security Breaches Survey reports that 91% of mid-sized organisations and 96% of large organisations consider cyber security a high priority. 

Organisations are increasingly recognising the need to broaden cyber awareness in order to mitigate risk, with as many as 49% seeking external information or guidance over the last 12 months on the cyber threats their organisation might face. 

As we’ve already mentioned, uptake of cyber-SAT solutions is increasing. Over the last three years, the percentage of organisations that have implemented training or awareness sessions has increased year on year, with many stating that their ongoing focus is on people. This is great to see.

Effective cyber risk mitigation goes beyond technical controls alone. Firewalls, internet gateways and malware protection are all critical pieces of technology for protecting an organisation from cyber-attacks. But on their own, they’re not enough.

Cyber criminals and their methods of attack are becoming more sophisticated, regularly getting past such technical measures. Your people are often your first line of defence, and so developing their awareness is crucial. 

Understanding over awareness 

Cyber-SAT should sit at the centre of your human risk management strategy. There is more on human risk management strategies in our next article; if you’d like to be the first to know when it is live, head over to our resources page and sign up to our newsletter.

Done properly, cyber-SAT not only elevates awareness within your organisation, but it creates an understanding. And it is this understanding that is the key to influencing security behaviour. If you can influence security behaviour, you can significantly improve your overall cyber security posture.  

So, how do you do it?  

Organisations should not rely on cyber-SAT alone, especially in the early stages of rolling out any new initiative. It’s the combination of a cyber-SAT solution with clear communication that has proven to deliver the best results.

The cyber security stigma 

Cyber security awareness comes with a stigma. For many years, messaging has included phrases such as ‘your employees are your weakest link’ or ‘your people are your biggest risk’. This applies unnecessary pressure to your workforce. Employees are scared of doing something wrong, and if they do, they hide it. A ‘poor’ cyber security culture is one of the biggest reasons why organisations fail to influence and improve security behaviours.

So first, we’d always recommend that you address that. An organisation-wide communication goes a long way.

Focus on the ‘why’ and understanding will follow 

Before rolling out any cyber-SAT platform, you need to tell your employees what you are doing, but more importantly, you need to tell them why you are doing it.

It’s not because you don’t trust them. It’s not because you’re tracking their behaviour. And it’s not because you want to ‘catch them out’ with a random phishing simulation and point the finger. It’s because your people play a huge part in strengthening your overall cyber security posture, and it is everyone’s responsibility—not just the IT team’s—to be aware of, understand and mitigate risk.

All too often, we see organisations telling employees that they need to adhere to certain security behaviours, but without context as to why. Take phishing as an example. Your employees know that phishing emails are bad, and that if they click a suspicious link, they should report it. But do they know why they should report it? Many will likely panic and delay telling anyone for fear of getting their wrists slapped. This is a problem.

The Cyber Security Breaches Survey reports that 79% of all attacks in the last 12 months originated from an employee clicking a phishing link. This is reflected in our data. Recent analysis of over 400K users shows that in the last 12 months, over 88K untrained employees were susceptible to a simulated phishing email sent out via our platform by their employer. These are huge numbers. 

It’s so important that you let employees know that they won’t be penalised, and that reporting a potential breach immediately allows your organisation to react accordingly and minimise the impact.

By taking that education one step further—including the why—we guarantee you will begin to see a positive shift in security behaviour. 

All our training content is built with this concept in mind. Our videos not only educate on, for example, the use of password managers, but they dig into the why.

It’s also one of the reasons we aim to form true partnerships with our customers, rather than just handing them a product. We help organisations develop simple yet effective communication plans to roll out alongside the Boxphish platform, helping the transition towards a more positive view of cyber-SAT within the organisation.

A low-touch platform to suit any organisation

We often speak with organisations that have stretched IT teams. It’s understandable. IT is a critical function with lots of priorities, and those priorities can shift quickly from day to day in order to keep things moving.

The current macroeconomic climate hasn’t helped. It’s applying further pressure to organisations globally, with many making the difficult—but necessary—decision to reduce resources, streamline processes and pause initiatives.

There are many ways organisations can approach cyber security: risk management, cyber insurance, deployment of technical controls, and organisation-wide awareness training, just to name a few. With so many options, you can understand why cyber-SAT may sometimes be de-prioritised. But with the ever-increasing risk, can you afford to ignore it?  

We’ve said it once and we’ll say it again: cyber criminals and their methods of attack are becoming more sophisticated and regularly get past technical measures. It’s crucial that you work with your employees to develop their awareness and understanding.

Our aim has always been to make cyber-SAT low-touch, affordable and effective. The Boxphish platform has been built with automation in mind. This allows IT teams to focus on the day job, with the confidence that employees are getting the training they need to keep cyber awareness and understanding front of mind.

From Microsoft Office and Google Suite user syncs right through to automated 12-month training journeys, we have developed our platform to be low-touch. Our in-house research team ensures our content is up to date and educates on the latest threats, covering everything from cyber essentials, phishing and data privacy to malware, security in the office and business ethics.

Through a mixture of educational phishing simulations and to-the-point, jargon-free training content, we help organisations arm their employees with the tools and knowledge needed to influence security behaviour and effectively mitigate risk. 

If you’d like more information, or to see our platform in action, request a demo and a member of the team will be in touch. 
