Best practices
for cyber security
employee training

Author: Sue Poremba

Human behavior is by far the biggest risk to your cyber security. According to Verizon's Data Breach Investigations Report (DBIR), 82% of breaches were caused, at least in part, by human error. This shows the importance of cyber security employee training, and why the security awareness training market is expected to reach $10 billion annually by 2027.

Additional considerations to make sure you get employee security training right include:

Among the biggest mistakes an organization can make with cyber security employee training is to think that providing any type of training means they and their employees are now secure. One survey found respondents who reported receiving cyber security training did slightly worse in subsequent testing than those who did not. Further, 74% of respondents who answered all questions incorrectly reported feeling safe from cyber threats, whereas none of the respondents who answered all questions correctly felt the same.

The focus of employee security training

While employee security training benefits from being tailored to each organization's specific situation, there are some basic best practices every company should consider including in their security awareness education sessions. These best practices apply to organizations of any size; no business is too small to focus employee attention on understanding the basics of good cyber hygiene.

Understanding the risks

Employee security training should be designed to raise awareness of the need for good cyber hygiene for all employees including contractors and partners. It’s important for contractors, partners and employees to look at a data breach as something that can happen to them instead of being seen as something that happens on the news. It is important that all staff are aware of cyber threats that businesses face, and how something as simple as a click can have long-lasting consequences. Using recent examples can help employees gain a better understanding of how communication purportedly from LinkedIn, a virtual meeting platform or the CEO may actually be an attempt to install malware.

Cyber security employee awareness training is exactly that: training employees to be more aware of why they should take security more seriously. The added benefit is that it teaches them to be more cognizant of behaviors when working with business and personal data from all of their different devices. 

Understanding popular methods: Phishing as a case study

Phishing is the practice of sending fraudulent emails, usually purporting to be from a friend or a well-known business, with the intent of duping recipients into giving up sensitive information, such as passwords or credit card numbers. Gaining these credentials can enable bad actors to compromise email accounts and web app servers to launch follow-on attacks. Phishing emails can be used to deploy malware, including ransomware. Anyone in the public or private sector has the potential to be a target of a ransomware attack.

Phishing is one of the most used vectors for cyber attacks—present in almost two-thirds of all social engineering breaches according to the DBIR. The recent increase in phishing may be linked by the surge for businesses to have staff work from home and thus the resulting creation of a more mobile workforce. Phishing has also expanded into other, similar forms, for example, such as via messaging apps or SMS (known as smishing) and voice calls (known as vishing).

As noted in the DBIR, Verizon observed an overall phishing click rate of just 2.9% in 2022, indicating there is some awareness of the dangers. Simulations can be an important tool in helping employees understand how phishing can work. Like any training, the more realistic and reflective of current attack methods, the more effective the simulations will be for staff. Training should also cover how to report phishing attempts to your IT and internal security teams.

Best practices for cyber security employee training

You can implement some best practices to ensure your cyber security employee training is done right.

  • Make training enjoyable. Research suggests this is the best way to keep staff engaged, with popular techniques including breaking training into shorter courses, using every day, non-technical language, and including games and interactive content.
  • Benchmark employee progress. One cyber security awareness training study followed users over a 12-month period, and with regular training and testing, the phishing vulnerability percentage decreased from 31.4% to 4.8%. Using benchmarking metrics, such as this study used phishing vulnerability, is a great way to focus limited resources.
  • Tailor training to specific security risks. Employees have different risk levels, and their awareness training should emphasize those differences. Due to their different risk profiles, specific training should be provided to remote workers, employees who use their own devices for work and executives.
  • Ensure the content is current. Employee security training and simulations should reflect the evolving threat landscape. For example, the FBI has warned that threat actors are using other forms of communication to add legitimacy to their business email compromise attacks by using deepfake audio and leveraged video conferencing platforms.
  • Include security awareness when onboarding new hires. Onboarding new employees should include cyber security employee training, both general to the organization and specific to the job duties. This training should include the practices in place around the company, such as multi-factor authentication, access privileges, locking devices, and passwords.
  • Instill expectations for ongoing cyber security employee awareness training. Conduct regular awareness training and special sessions as part of the company culture and mindset. According to Forbes, “Studies show that regular security training increases security savviness.”

Learn how Verizon's security solutions are simple to use but sophisticated enough to keep modern cyber threats at bay.

The author of this content is a paid contributor for Verizon.