The core of Cybersecurity Awareness Month is in its name: Awareness. Experts agree that user training is the most effective and cost-efficient way to raise awareness and deter cyberattacks.

Key statistics from SANS Institute’s 2024 annual cybersecurity awareness report reinforce this idea:

  • 41 percent of respondents identified lack of time and staff as the primary challenge in building and managing an effective security awareness program.
  • 89 percent of respondents highlighted social engineering attacks as their primary human-related concern.

Managed service providers (MSPs) can be on the frontlines of implementing cybersecurity training. What better time than Cybersecurity Awareness Month to recommit to its benefits!

Keep it positive

Craig Taylor, co-founder of security training platform CyberHoot, has been educating users for 30 years. “Cybersecurity Awareness Month is the perfect opportunity to discuss the most effective user training techniques that can make a difference,” Taylor says. “Building employee cyber-literacy is crucial to establishing effective cyber hygiene practices across organizations.”

Taylor states that one of the most effective techniques for educating users on cybersecurity is positive reinforcement rather than punitive measures. “Traditional phish testing often punishes users for clicking on malicious links, creating anxiety and a counterproductive environment,” he explains. Instead, companies, MSPs, and CISOs should celebrate success.

“By celebrating successes—whether it’s correctly identifying phishing attempts or adopting secure email habits—we create an environment of learning, rather than one of fear and punishment,” Taylor continues.

Another effective approach he recommends is interactive, scenario-based learning. “Real-world simulations of phishing attacks or social engineering tactics, paired with immediate feedback, help employees learn to respond to cyber threats as they would in an actual situation,” Taylor advises, adding that a key strategy is consistent, bite-sized training.

“Employees are busy and overwhelmed by long training sessions. It is important to build muscle memory in employees to reinforce good habits continuously. Research has shown that ongoing micro-training is much more effective than a single, long session held once a year,” he says. He emphasizes that the combination of positive reinforcement, scenario-based learning, and ongoing micro-training makes repeated cybersecurity awareness training effective in cultivating cyber hygiene across organizations.

“I believe that by emphasizing education, training, and positive reinforcement, we can improve overall security postures and significantly reduce the risk of successful cyberattacks,” Taylor suggests.

Switch it up

Yousef Hazimee, Head of Security at security training company LearnUpon, explains that the key is to keep training interesting, or participants will lose interest fast.

“If you keep serving up the exact same content every year, employees will lose interest, and the training will lose its value, which can end up being a big cybersecurity risk,” Hazimee warns, adding that the goal should be to give employees the skills and confidence to build security into the way that they (and their team) work. Hazimee recommends that core training topics include:

  • Social engineering and phishing techniques
  • Password management
  • Incident response processes
  • Data privacy/working with personal data
  • Cyber hygiene
  • Device security
  • Malware awareness
  • Remote work security

“My best advice would be to start with something manageable and design the program with your audience in mind,” Hazimee says, adding that even his own company follows his advice. “We take training our employees with our software very seriously. We run company-wide security awareness training annually, keeping all employees up to date on new and evolving threats and reinforcing the robust security practices we have in place.” He adds that an enterprise can create an impressively comprehensive security awareness course, but if it’s pitched at the wrong level for the audience, it won’t work.

“Focus on your learners and try to build a program that feels relevant and realistic to them,” Hazimee advises, noting that you must tailor training to your audience.

“If they are learning on-the-go, then a course of short videos might be best,” he says. “Are they not the most tech-savvy? Then you might want to start with the basics and work up to more sophisticated topics.” Hazimee emphasizes that as the audience becomes more security-aware, adjustments to the training can be made to grow with them.

Photo: fizkes / Shutterstock

Posted by Kevin Williams

Kevin Williams is a journalist based in Ohio. Williams has written for a variety of publications including the Washington Post, New York Times, USA Today, Wall Street Journal, National Geographic and others. He first wrote about the online world in its nascent stages for the now defunct “Online Access” Magazine in the mid-90s.