Importance of Employee Cybersecurity Training

Daniel Goymer • May 26, 2023

Cybersecurity threats are spreading and becoming more expensive for businesses that experience data breaches. One reason for this is that hackers have realised it's easier to trick someone into opening a malicious attachment during a moment of vulnerability than to exploit software vulnerabilities.


When it comes to addressing these risks, many organisations rely more on technology-based solutions than on training their employees to be more aware of cybersecurity threats. However, people have a significant impact on security outcomes, even more so than technology, policies, or processes. This highlights the importance of security awareness training, recognising that people's ability to learn and their potential for error play a crucial role in an organisation's overall security.


There are right and wrong ways to train employees in cybersecurity awareness. The wrong approach treats training as a once-a-year event, where employees are passively subjected to lengthy or rushed PowerPoint presentations in the break room. This method fails to engage employees effectively and can make training feel like punishment rather than an opportunity to educate and inspire them to actively contribute to their organisation's safety.


Proper security awareness training involves breaking it down into smaller, more frequent sessions that expose employees to varied content, resulting in a deeper impact. This approach treats training as a positive incentive, encourages interactivity, and tailors it to employees' roles, making it more relevant and valuable to them. By challenging employees, it enhances their engagement, learning, and retention, surpassing the passive experience of a yearly or regular presentation.


To reduce susceptibility to social engineering, the primary goal of security education is to modify employees' behaviour so they won't fall for tactics like phishing emails or SMS messages. Security awareness training should demonstrate to employees their vulnerability to social engineering, using effective tools that expose them to real-world phishing examples via email, SMS, and phone. Failures should be addressed constructively, followed by relevant training. Cultivating a culture of fear through punishment can perpetuate security weaknesses in an organisation.


One critical aspect of training is teaching employees how to recognise safe and unsafe email attachments, for example by emphasising that, of the various file types, only attachments ending in .txt are absolutely safe to open. Additionally, incorporating short quizzes throughout the training helps employees review and reinforce their understanding, instilling trust in the course's impact and motivating them to complete it.
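The attachment rule above can be turned into a small self-marking quiz item. The following is an added example written for this page, not code from the original post or from Yorb: it applies the article's rule (only a final extension of .txt counts as safe) to a list of constructed attachment names, and scores a learner's safe/unsafe answers against that rule. The function and variable names, and the sample filenames, are the editor's assumptions. It judges only the final extension, so a name such as `invoice.txt.exe` is flagged even though `.txt` appears inside it, and comparison is case-insensitive.

```python
"""Attachment-name classifier and quiz scorer for awareness training.

Added example (not part of the original article). Implements the
article's stated rule: only attachments whose final extension is .txt
are treated as safe; everything else is flagged for a second look.
"""
from __future__ import annotations

import os
from dataclasses import dataclass

# The article's rule: only the .txt extension is treated as safe.
SAFE_EXTENSIONS = frozenset({".txt"})


@dataclass(frozen=True)
class Verdict:
    filename: str
    safe: bool
    reason: str


def classify_attachment(filename: str) -> Verdict:
    """Return a Verdict for a single attachment name.

    Only the final extension counts, so "invoice.txt.exe" is flagged
    even though ".txt" appears in it. The check is case-insensitive
    and ignores surrounding whitespace in the name.
    """
    name = filename.strip()
    if not name:
        return Verdict(filename, False, "empty filename")
    _, ext = os.path.splitext(name)  # splits on the LAST dot only
    ext = ext.lower()
    if not ext:
        return Verdict(filename, False, "no extension")
    if ext in SAFE_EXTENSIONS:
        return Verdict(filename, True, "final extension is .txt")
    return Verdict(filename, False, f"final extension is {ext}, not .txt")


def classify_all(filenames: list[str]) -> dict[str, bool]:
    """Map each filename to True (safe) or False (flag) under the rule."""
    return {f: classify_attachment(f).safe for f in filenames}


def score_quiz(answers: dict[str, bool]) -> float:
    """Fraction of a learner's safe(True)/unsafe(False) calls that match the rule."""
    if not answers:
        return 0.0
    correct = sum(1 for f, a in answers.items() if classify_attachment(f).safe == a)
    return correct / len(answers)


# Constructed sample attachment names for a quiz item (hypothetical).
QUIZ_ATTACHMENTS = [
    "meeting-notes.txt",
    "MINUTES.TXT",
    "invoice.txt.exe",
    "payroll.xlsm",
    "README",
    "report.pdf",
]

if __name__ == "__main__":
    for f in QUIZ_ATTACHMENTS:
        v = classify_attachment(f)
        print(f"{'SAFE' if v.safe else 'FLAG'}  {f:20} {v.reason}")
```

Run the module directly to print a verdict per sample name; in a training tool you would call `score_quiz` with the learner's answers keyed by filename and show the mismatches alongside the `reason` text as the constructive feedback the article recommends.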


Training exercises should tell compelling stories and immerse trainees in scenarios where they are targeted, putting them in the shoes of someone like a company's financial controller or sales rep. By engaging all the senses and presenting them with choices to respond to suspicious emails, employees can have a Eureka! moment when they realise the potential consequences of making a mistake.


To sustain behavioural changes, continuous reinforcement is crucial. While training and repeated testing can significantly reduce the rate of employees clicking on phishing links, leaving them without further training will likely result in a gradual increase over time. Ongoing efforts are necessary to maintain a strong security culture within an organisation.

Recommended Action Items

  1. Be realistic about what is achievable in the short term and optimistic about the long-term payoff. If your goal is behaviour change, focus on 2 to 3 behaviours for 12 to 18 months at a time. You can't effectively train on everything.
  2. Reinforce learning through multiple channels: simulated emails, online quizzes and training, staff meeting discussions, and internal newsletters.
  3. Don't introduce fear and force security issues underground; treat failure as an opportunity to learn and discuss.
  4. Ensure training is taken seriously. Some push-back is inevitable, so keep the message consistent across the business.


Encouraging employees to be less vulnerable to social engineering involves a regular and consistent method of educating them about security. Effective security awareness training actively involves users and helps them develop the skills to recognise and respond to potentially risky social engineering techniques. To bring about successful changes in behaviour, it's crucial to communicate clearly to employees about the importance of security education, while also considering the specific culture and dynamics of the organisation. Implementing a practical security awareness training programme will empower users to safeguard themselves and contribute to strengthening the organisation's final line of defence.
