
David Kelleher

May 26, 2025


Making the Most of Security Awareness Programmes

Cyrille Aubergier, Senior Compliance (GRC) Specialist at BMIT, talks about how to make security awareness training succeed and which pitfalls to watch out for.

Security awareness training is gaining a lot of traction in organisations, yet we continue to see incidents stemming from basic errors. What do you think is the biggest reason for this disconnect?

Errors typically stem from two primary sources: spoofing (phishing) and mishandling. In cases where errors arise from spoofing, the appropriate solutions are a strong security awareness programme and phishing tests, and I'll mention a few best practices.

When errors result from incorrect handling, privilege comes with responsibility. And this can be addressed in multiple ways, such as comprehensive technical training, “four-eyes” validation, and adherence to robust engineering principles for testing and implementation.

To return to your question, this disconnect is mainly due to the quality of the training programme. Live training sessions, whether remote or in-person, are more effective than recorded sessions or videos. Interactive and context-specific training is much more stimulating and impactful compared to traditional training.

Additionally, sharing real examples of security incidents that happen within the company (without naming individuals) will clearly highlight the consequences of security breaches that may affect you indirectly.

You mentioned stimulation and impact - what makes traditional training so unengaging?

Traditional training can be unengaging when it fails to address current threats, current risks, and the evolving technical landscape. Training content disconnected from the company's ecosystem leads to disinterest among participants.

Beyond engagement, are there other common mistakes organisations make with their training programmes?

Organisations may underestimate the phishing risk but also the benefits of a robust cybersecurity awareness programme. This oversight is frequently due to budget constraints or the lack of well-defined Key Performance Indicators (KPIs). Without clear metrics to evaluate effectiveness it becomes challenging to measure benefits and justify the cost.

How would you recommend organisations rethink their strategy?

They need to shift their mindset from compliance to competence. The goal should not just be to meet regulatory requirements; it should be to help employees to make smart security decisions every day. A key strategy will be to adapt the training to the audience. For example, “An introduction to Cybersecurity” will enforce your code of conduct with all staff. A Table-Top Exercise (TTX) will educate and empower the key people who may one day find themselves handling a security incident.

How can organisations make their training more relevant?

Organisations should tailor their programmes to align with the local and technical context, as well as their existing security policies. Aligning training materials with the organisation's Code of Conduct will help in clarifying acceptable behaviours and prohibited actions, which can lead to the errors we mentioned earlier. Additionally, we all agree that confidential information must be encrypted when sent over the Internet. This is mentioned in almost every security policy, and technical solutions exist to manage this. Training materials should include practical guidance on how to use encryption with email.

Are there any specific techniques you have seen work well for keeping employees engaged?

Take the universal nature of cyber threats. Cybercriminals use similar psychological tactics whether targeting individuals at work or at home, aiming to compromise personal, professional data or the company itself. Highlighting this dual threat can motivate employees to consider a fundamental question: “How can I protect myself and my family?” This underscores the importance of vigilance at all times.

How do you ensure the lessons learned during training are reinforced over time?

Maintaining a regular frequency of cybersecurity training is key. Most regulations suggest a minimum of once a year, but it depends on how your phishing risks have been evaluated. Additionally, just as security policies and codes of conduct are periodically updated to reflect new technologies, threats, and business changes, training content should also be regularly refreshed.

What role does leadership play in the success of security awareness training?

Cybercriminals target all employees in search of the “weakest link”. But we must remember that it is the leadership's responsibility to ensure that all weaknesses are properly addressed. And to choose the appropriate security awareness programme that will mitigate the phishing risk.

How can organisations measure the effectiveness of their training programmes?

To measure their effectiveness, you can incorporate interactive elements like open questions, anonymised quizzes, use cases, and discussions to validate understanding and improve impact. The programme can also be measured using two indicators: trends in the number of phishing incidents and periodic phishing tests. These tests are the only way to measure KPIs such as the number of clicks on malicious links, the number of ignored emails, and the number of reports of suspicious emails, which will help evaluate the current risk. The goal is to encourage employees to report any dubious emails. What is worse than an employee falling for a phishing trick? Not reporting it.
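The KPIs named in the answer above (clicks on the test link, ignored emails, and reports of suspicious emails) are usually exported by a phishing-simulation tool as one row per recipient per campaign. The following is an added example, not code from the interview or from BMIT, that turns such an export into per-campaign rates, the trend across campaigns, and a list of campaigns missing a target. The row format, the outcome labels, the sample data and the thresholds are all assumptions for illustration.

```python
"""Aggregate phishing-simulation outcomes into awareness-programme KPIs.

Added example. The export format (campaign, user, outcome) and the outcome
labels are assumptions; a real simulation tool will have its own schema.
"""
from collections import Counter, defaultdict

# Assumed outcome labels. Any other value is treated as a data error so a
# mislabelled export cannot silently deflate the click rate.
OUTCOMES = ("clicked", "reported", "ignored")


def _rows(campaign, clicked, reported, ignored):
    """Build constructed sample rows for one campaign (test data only)."""
    rows, n = [], 0
    for outcome, count in (("clicked", clicked), ("reported", reported), ("ignored", ignored)):
        for _ in range(count):
            n += 1
            rows.append((campaign, f"u{n:02d}", outcome))
    return rows


# Constructed sample export: two quarterly campaigns, ten recipients each.
SAMPLE_ROWS = _rows("2024-Q1", clicked=4, reported=2, ignored=4) + \
              _rows("2024-Q2", clicked=2, reported=5, ignored=3)


def campaign_kpis(rows):
    """Return {campaign: {"sent", "click_rate", "report_rate", "ignore_rate"}}.

    Rates are fractions of recipients in that campaign. Campaign names are
    sorted so that the trend functions below walk them in chronological order
    (works for zero-padded names such as 2024-Q1, 2024-Q2).
    """
    counts = defaultdict(Counter)
    for campaign, _user, outcome in rows:
        if outcome not in OUTCOMES:
            raise ValueError(f"unknown outcome {outcome!r} in campaign {campaign}")
        counts[campaign][outcome] += 1

    kpis = {}
    for campaign in sorted(counts):
        c = counts[campaign]
        sent = sum(c.values())
        kpis[campaign] = {
            "sent": sent,
            "click_rate": c["clicked"] / sent,
            "report_rate": c["reported"] / sent,
            "ignore_rate": c["ignored"] / sent,
        }
    return kpis


def trend(kpis, metric):
    """Return (first_value, last_value, change) for one metric across campaigns."""
    names = list(kpis)
    first, last = kpis[names[0]][metric], kpis[names[-1]][metric]
    return first, last, last - first


def assess(kpis, max_click_rate=0.10, min_report_rate=0.50):
    """List, per campaign, the metrics that miss the programme's targets.

    The thresholds are assumed placeholders; an organisation sets its own
    from its phishing risk assessment.
    """
    flagged = {}
    for campaign, k in kpis.items():
        issues = []
        if k["click_rate"] > max_click_rate:
            issues.append("click_rate")
        if k["report_rate"] < min_report_rate:
            issues.append("report_rate")
        if issues:
            flagged[campaign] = issues
    return flagged


if __name__ == "__main__":
    kpis = campaign_kpis(SAMPLE_ROWS)
    for name, k in kpis.items():
        print(f"{name}: sent={k['sent']} click={k['click_rate']:.0%} "
              f"report={k['report_rate']:.0%} ignore={k['ignore_rate']:.0%}")
    first, last, change = trend(kpis, "report_rate")
    print(f"report rate moved from {first:.0%} to {last:.0%} ({change:+.0%})")
    print("campaigns missing a target:", assess(kpis))
```

Tracking the report rate alongside the click rate matters because, as the answer says, the worst outcome is a click that nobody reports: a campaign can show a falling click rate while the report rate stays flat, and `assess` keeps that visible instead of letting a single headline number hide it.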

Finally, if you had to summarise the key to effective security awareness training, what would it be?

Empowering humans remains a critical component of cybersecurity. Despite advancements in technology and artificial intelligence, we are all still receiving unsolicited emails - and for more than 50 years! Humans are and will remain the first line of defence. Focus on creating a culture of security, where employees feel involved and engaged to take the right decision every day. Building this culture requires continuous reinforcement, role-specific training, leadership involvement, and the use of appropriate technology. By investing in the education and empowerment of employees, organisations can significantly enhance their global security posture.
