Roger Grimes, Data-Driven Defence Evangelist at KnowBe4 writes about the importance of security awareness training for all organisations
Cybersecurity has become a critical concern for organisations across the globe, with data breaches, ransomware, and phishing attacks posing significant threats. As businesses invest heavily in technical defences, the human element remains one of the most vulnerable links in their cybersecurity strategies. This is where Security Awareness Training (SAT) comes into play. But does SAT genuinely reduce breaches, or is it just another box to tick on a compliance checklist?
Why security awareness training is vital
The statistics surrounding human error in cybersecurity are alarming. Studies consistently show that 70-90% of successful cyber attacks begin with social engineering tactics such as phishing. Attacker techniques evolve as quickly as the technology they target, so SAT content must be refreshed regularly; a programme that is not kept current soon becomes stale and loses its effect.
Organisations that neglect the human factor often face significant consequences. According to recent research from KnowBe4, ransomware and data breaches frequently stem from employees unwittingly clicking malicious links, sharing sensitive information, or failing to follow proper protocols, and the resulting incidents bring operational disruption, financial loss and reputational damage. The rapid improvement in generative AI and deepfake tools makes it increasingly difficult for employees to distinguish scams from genuine requests, which further raises the chance of an organisation suffering a breach.
Moreover, regulatory frameworks and insurance policies increasingly demand evidence of proactive risk mitigation. Many cyber insurance providers now require organisations to implement SAT programmes as a condition for coverage. By investing in SAT, businesses not only reduce the likelihood of breaches but also meet compliance requirements, demonstrating a commitment to robust cybersecurity practices.
Why security awareness training works
Effective SAT programmes focus on equipping employees with the knowledge and skills needed to recognise and respond to cyber threats. Education is a foundational element, where employees are taught to identify phishing emails, recognise suspicious activity, and understand their role in maintaining security. Training sessions often include real-world examples, making lessons relatable and impactful.
Simulation is another key component, involving regular simulated phishing exercises to test employees’ ability to apply what they’ve learned. These exercises help identify gaps in knowledge and provide opportunities for improvement. Reinforcement plays a crucial role as well. Consistent and frequent training ensures cybersecurity remains a top priority. Behavioural change takes time, and ongoing reinforcement helps embed secure practices into daily routines.
The results speak for themselves. Research by KnowBe4 shows that organisations with effective SAT programmes are 8.3 times less likely to experience data breaches. Additionally, a study of over 17,500 breaches revealed that 97.6% of organisations using robust SAT programmes avoided appearing on public breach lists. These findings highlight the tangible impact SAT can have on reducing human risk.
How to get the most out of security awareness training
To maximise the benefits of SAT, organisations should adopt a strategic approach. Tailoring training to the organisation is crucial, as different industries face different threats. Customising training content to address the specific risks relevant to the organisation ensures employees receive the most pertinent information.
Fostering a positive security culture is equally important. SAT should not be perceived as punitive. Encourage employees to view training as an opportunity to contribute to the organisation’s safety rather than a burden. Integrating training into daily operations can also enhance its effectiveness. SAT should be an ongoing process, not a one-off event. Regular sessions, combined with simulated phishing exercises, help maintain awareness and preparedness.
Leveraging metrics to measure effectiveness is another best practice. Using key performance indicators, such as the Phish-Prone Percentage (the share of employees who fail a simulated phishing test), allows organisations to assess training outcomes. Analysing trends over time, and breaking results down by department or role, can reveal areas for improvement and highlight successes. Finally, engaging leadership ensures that SAT receives the attention it deserves. When leaders actively support and participate in SAT, it reinforces its importance and encourages broader employee engagement.
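As an added illustration of the metrics point (this is not KnowBe4's code or its reporting platform), the following Python computes a Phish-Prone Percentage from simulated phishing results and tracks it per campaign and per department. It assumes the common definition of the metric, the percentage of recipients who failed the simulation (clicked a link, opened an attachment or submitted credentials), counts each user once per campaign even if they received several templates, and treats reporting the phish as the desired outcome. The campaign labels, departments and results are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass

# Actions that count as failing a simulated phish (assumed definition).
FAIL_ACTIONS = {"clicked", "opened_attachment", "submitted_credentials"}


@dataclass(frozen=True)
class Result:
    campaign: str     # simulated phishing campaign label, e.g. "2024-Q1" (assumed sortable)
    user: str
    department: str
    action: str       # "none", "reported", or one of FAIL_ACTIONS


# Constructed sample data, not real campaign results.
SAMPLE = [
    Result("2024-Q1", "alice", "finance", "clicked"),
    Result("2024-Q1", "bob", "finance", "submitted_credentials"),
    Result("2024-Q1", "carol", "finance", "none"),
    Result("2024-Q1", "dave", "engineering", "reported"),
    Result("2024-Q1", "erin", "engineering", "clicked"),
    Result("2024-Q1", "frank", "engineering", "none"),
    Result("2024-Q2", "alice", "finance", "reported"),
    Result("2024-Q2", "bob", "finance", "clicked"),
    Result("2024-Q2", "carol", "finance", "none"),
    Result("2024-Q2", "dave", "engineering", "reported"),
    Result("2024-Q2", "erin", "engineering", "none"),
    Result("2024-Q2", "frank", "engineering", "reported"),
]


def phish_prone_pct(results):
    """Percentage of distinct users who failed at least one simulated phish.

    A user who received several templates in the same campaign is counted once,
    as failed if any of them was clicked/opened/submitted. Empty input gives 0.0.
    """
    failed_by_user = {}
    for r in results:
        failed_by_user[r.user] = failed_by_user.get(r.user, False) or r.action in FAIL_ACTIONS
    if not failed_by_user:
        return 0.0
    return round(100.0 * sum(failed_by_user.values()) / len(failed_by_user), 1)


def report_pct(results):
    """Percentage of distinct users who reported the simulated phish (the good outcome)."""
    reported_by_user = {}
    for r in results:
        reported_by_user[r.user] = reported_by_user.get(r.user, False) or r.action == "reported"
    if not reported_by_user:
        return 0.0
    return round(100.0 * sum(reported_by_user.values()) / len(reported_by_user), 1)


def group_by(results, key):
    groups = defaultdict(list)
    for r in results:
        groups[key(r)].append(r)
    return groups


def ppp_by_department(results, campaign):
    """PPP per department for one campaign, so training can be targeted."""
    in_campaign = [r for r in results if r.campaign == campaign]
    by_dept = group_by(in_campaign, lambda r: r.department)
    return {dept: phish_prone_pct(rs) for dept, rs in sorted(by_dept.items())}


def ppp_trend(results):
    """Per-campaign PPP in campaign order, with the change from the previous campaign."""
    trend, prev = [], None
    for campaign, rs in sorted(group_by(results, lambda r: r.campaign).items()):
        ppp = phish_prone_pct(rs)
        trend.append((campaign, ppp, None if prev is None else round(ppp - prev, 1)))
        prev = ppp
    return trend


def departments_above(results, campaign, threshold):
    """Departments whose PPP exceeds a threshold and need extra attention."""
    return [d for d, p in ppp_by_department(results, campaign).items() if p > threshold]


if __name__ == "__main__":
    for campaign, ppp, delta in ppp_trend(SAMPLE):
        change = "" if delta is None else f" ({delta:+.1f} vs previous)"
        print(f"{campaign}: PPP {ppp}%{change}")
    print("Q2 by department:", ppp_by_department(SAMPLE, "2024-Q2"))
    print("Q2 report rate:", report_pct([r for r in SAMPLE if r.campaign == "2024-Q2"]), "%")
```

The per-user deduplication matters in practice: a campaign that sends three templates to every employee would otherwise inflate both the denominator and the failure count, and a falling PPP alongside a rising report rate is the pattern that shows the training is changing behaviour rather than just being tolerated.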
Building a resilient future through security awareness training
Security awareness training is by no means a silver bullet, but it is a vital component of a comprehensive cybersecurity strategy, and not all programmes are created equal. Addressing the human factor can significantly reduce an organisation's risk of breaches and build a resilient defence against evolving threats, but programmes that are dynamic, engaging and relevant to the business and all its moving parts are far more effective in the long term than static, tick-box ones.
The evidence is clear: SAT works. It equips employees with the tools to recognise and respond to cyber threats, mitigates human risk, and supports regulatory compliance. However, its success depends on thoughtful implementation and sustained effort. For organisations willing to invest in their people, SAT offers not only a safer digital environment but also a more informed and security-conscious workforce.

Roger A. Grimes is Data-Driven Defense Evangelist at KnowBe4. He is a 30-year computer security professional, author of 13 books and over 1,200 national magazine articles. He frequently consults with international organisations of all sizes and many of the world’s militaries. Grimes regularly presents at national computer security conferences, and is known for his often contrarian, fact-filled viewpoints.