Cybersecurity threats are growing, and data breaches are becoming more expensive for the businesses that suffer them. One reason is that attackers have realised it is often easier to trick a busy or distracted person into opening a malicious attachment than to find and exploit a vulnerability in software.
When it comes to addressing these risks, many organisations rely more on technology-based solutions than on training their employees to be more aware of cybersecurity threats. However, people have a significant impact on security outcomes, even more so than technology, policies, or processes. This highlights the importance of security awareness training, recognising that people's ability to learn and their potential for error play a crucial role in an organisation's overall security.
There are right and wrong ways to train employees in cybersecurity awareness. The wrong approach treats training as a once-a-year event, where employees are passively subjected to lengthy or rushed PowerPoint presentations in the break room. This method fails to engage employees effectively and can make training feel like punishment rather than an opportunity to educate and inspire them to actively contribute to their organisation's safety.
Proper security awareness training breaks the material into smaller, more frequent sessions that expose employees to varied content, which leaves a deeper impression. This approach treats training as a positive incentive, encourages interactivity, and tailors content to employees' roles so that it is relevant and useful to them. Challenging employees in this way does more for engagement, learning and retention than a yearly presentation they sit through passively.
The primary goal of security education is to change employees' behaviour so that they are less susceptible to social engineering and do not fall for phishing by email, SMS (smishing) or phone (vishing). Security awareness training should show employees their own vulnerability to social engineering, using simulated phishing that reaches them by email, SMS and phone with realistic lures. Failures should be addressed constructively and followed by relevant training. Cultivating a culture of fear through punishment only perpetuates security weaknesses, because people stop reporting the messages they clicked on.
One critical aspect of training is teaching employees how to judge whether an email attachment is safe to open. The lesson is not that any single file type is "absolutely safe": executables and scripts (.exe, .scr, .js, .vbs, .hta and similar) should never be opened from email, macro-enabled Office documents and archives deserve suspicion, and even a harmless-looking type such as .txt can be faked. Attackers hide the real extension behind a double extension (invoice.txt.exe), a Unicode right-to-left override character that reverses how the name is displayed, or Windows' default setting of hiding known extensions. Employees should look at the full file name, distrust any prompt to "Enable content" or "Enable macros", and verify unexpected attachments with the sender through another channel. Additionally, incorporating short quizzes throughout the training helps employees review and reinforce their understanding, builds trust in the course's value and motivates them to complete it.
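The checks just described can be written down so that the rules the course teaches (and the rule it should not teach, "a .txt extension means safe") are explicit. The following is an added example, not code from the original article or any tool it describes; the extension lists are illustrative rather than exhaustive, and the sample file names at the bottom are constructed for the demonstration.

```python
"""Classify an email attachment name the way an awareness course teaches it.

Added illustration, not the article's own code. The extension sets below are
illustrative; a real mail gateway policy would be longer and kept elsewhere.
"""
import os
import unicodedata

# Types that run directly or are script hosts: never open these from email.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".ps1",
                   ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".msi", ".lnk"}
# Office formats that can carry macros (legacy binary formats always can).
MACRO_EXTS = {".docm", ".xlsm", ".pptm", ".doc", ".xls", ".ppt"}
# Containers that hide their contents from simple filename filters.
ARCHIVE_EXTS = {".zip", ".7z", ".rar", ".iso", ".img"}
# Plain-text types that cannot execute by themselves.
PLAIN_EXTS = {".txt", ".csv"}
# Ordinary document types: open in a viewer, but not "absolutely safe".
DOCUMENT_EXTS = {".pdf", ".docx", ".xlsx", ".pptx"}
KNOWN_EXTS = EXECUTABLE_EXTS | MACRO_EXTS | ARCHIVE_EXTS | PLAIN_EXTS | DOCUMENT_EXTS

# Unicode bidirectional controls. U+202E (right-to-left override) makes
# "report\u202efdp.scr" display as "reportrcs.pdf" in many mail clients.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}


def classify_attachment(name: str) -> tuple[str, list[str]]:
    """Return (verdict, reasons) where verdict is 'block', 'review' or 'allow'."""
    reasons: list[str] = []

    # 1. Display tricks: any bidi control in a file name is hostile by itself.
    if any(ch in BIDI_CONTROLS for ch in name):
        return "block", ["bidirectional control character disguises the real extension"]

    # Drop other format/control characters before looking at the extension.
    cleaned = "".join(ch for ch in name if unicodedata.category(ch) not in ("Cf", "Cc"))
    base, ext = os.path.splitext(cleaned.strip())
    ext = ext.lower()

    # 2. Double extension: "invoice.txt.exe" or "notes.exe.txt". Only flag an
    #    inner part that is itself a known extension, so "v1.2 notes.txt" passes.
    inner_ext = os.path.splitext(base)[1].lower()
    if inner_ext in KNOWN_EXTS:
        reasons.append(f"double extension {inner_ext}{ext}")

    # 3. The real (last) extension decides how dangerous the content is.
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable or script type {ext}")
        return "block", reasons
    if ext in MACRO_EXTS:
        reasons.append(f"macro-capable Office format {ext}; never click 'Enable content'")
        return "review", reasons
    if ext in ARCHIVE_EXTS:
        reasons.append(f"archive or disk image {ext} can carry executables past filters")
        return "review", reasons

    # 4. A plain-text type is low risk only when nothing else looked wrong.
    if ext in PLAIN_EXTS and not reasons:
        return "allow", [f"plain-text type {ext} with a single, genuine extension"]

    reasons.append(f"type {ext or '(none)'} is not on the allow list; open in a viewer and verify the sender")
    return "review", reasons


if __name__ == "__main__":
    # Constructed sample names, including the two disguises discussed above.
    samples = ["readme.txt", "invoice.txt.exe", "notes.exe.txt",
               "payroll\u202efdp.scr", "Q3 report.pdf", "budget.xlsm", "v1.2 notes.txt"]
    for sample in samples:
        verdict, why = classify_attachment(sample)
        print(f"{ascii(sample):28} -> {verdict:6} ({'; '.join(why)})")
```

The point the output makes for trainees is that "notes.exe.txt" is not allowed through just because it ends in .txt, and "payroll\u202efdp.scr" is blocked even though a mail client would render it as a .pdf. The checks are a teaching aid for what people should look at; enforcement belongs in the mail gateway, which should also inspect the file's actual content rather than its name.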
Training exercises should tell compelling stories and immerse trainees in scenarios where they are the target, putting them in the shoes of someone like a company's financial controller or sales rep. By making the scenario concrete and asking employees to choose how to respond to a suspicious email, the exercise gives them a Eureka! moment when they see what the consequences of a mistake would have been.
To sustain behavioural change, continuous reinforcement is crucial. Training combined with repeated simulated phishing can significantly reduce the rate at which employees click on phishing links, but if the training stops, that rate will gradually climb again. Ongoing effort is needed to maintain a strong security culture within an organisation.
Making employees less vulnerable to social engineering takes a regular and consistent programme of security education. Effective security awareness training actively involves users and helps them develop the skills to recognise and respond to social engineering techniques. To bring about lasting changes in behaviour, it is crucial to communicate clearly to employees why security education matters, while taking into account the specific culture and dynamics of the organisation. A practical security awareness training programme empowers users to protect themselves and strengthens the organisation's last line of defence.