
5 steps of a successful cybersecurity user awareness program

Ravi Bindra, CISO

A recent report published by Thales found that in the last year nearly half (47%) of the 3,000 IT professionals surveyed believe security threats are increasing in volume or severity, with 48% reporting an increase in ransomware attacks. More than a third (37%) experienced a data breach in the past 12 months, including 22% who reported that their organization had been the victim of a ransomware attack.

Sophos puts the global average ransom payment at $1.5 million in 2023, though the overall cost to organizations is much higher: IBM’s 2022 Cost of Data Breach Report puts the average cost of a breach at around $4.5 million.

A modest investment in cyber security awareness can help prevent the stress these attacks cause and save your business hundreds of thousands of dollars. Many businesses immediately reach for technical security solutions, such as advanced anti-malware suites or additional network security measures, hoping these will be sufficient. However, cyber-criminals aren’t only looking for exploitable weaknesses in your infrastructure, network or applications. They also target your employees directly.

About 95 percent of cyber security breaches have been directly attributed to human error, yet many organizations spend the bulk of their cyber security effort on closing technical vulnerabilities. Organizations need to learn to detect and prevent these attacks by finding the vulnerabilities within their workforce. Let’s take a look at how to get started.

Common cyber security risks to watch for

Your cybersecurity strategy is only as strong as your least informed employee. As a result, everyone in your organization, from contractors to interns to the C-suite, needs to understand and abide by certain cybersecurity standards. When designing a cybersecurity awareness plan, make sure your employees are aware of the following risks:

Social engineering

Social engineering exploits human psychology to gain access to restricted information or areas. For example, a skilled social engineer may comb through an employee’s social media to learn more about them, then use that information to convince the employee to hand over confidential information – logins, important emails, building passcodes, and more. They could then use that information to launch an attack on your business.

Unsecured connections

Teach your employees to always check the URLs of the websites they access: if a URL begins with “http://”, the connection is not encrypted and anyone on the network path can intercept the data. Employees should therefore avoid conducting business over such connections – completing transactions, entering passwords, or otherwise transmitting sensitive data. Instead, they should use sites whose URL begins with “https://”, which encrypt data in transit. Note that “https://” only protects the data while it travels; it does not by itself prove that the site belongs to who it claims to.

Password strength

Employees should use strong passwords. Remind them not to use personal information, like the street they were born on or the name of their cat, as a password. Employees should even avoid using real words in their passwords. Instead, ask them to create a passphrase – a long string of letters and numbers (minimum 12 characters) they can easily remember, like “MyHouse;isNew-20” or “I.Love.Photography$.5D4”.

Password handling

Even if an employee creates a strong password, hackers can still access the account if the password is not kept secret. Employees should avoid writing passwords on sticky notes or in notebooks and should not send passwords to coworkers by email. Additionally, they should not enter passwords on networks or devices they don’t control, as keyloggers or spyware may be present.

Reusing passwords

Employees need to use a different password for each of their accounts – especially accounts that contain sensitive information. Otherwise, if a hacker learns one password, they may be able to access most of that employee’s online accounts. Keep in mind that it is difficult to remember 20, 50, or even hundreds of passwords – it’s strongly recommended to give employees a password manager to make compliance practical.
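The three password sections above (strength, handling, reuse) describe a policy in words. The following Python is an added example, not code from SoftwareOne or the article, of how that policy can be enforced at the point where a password is set. It assumes a constructed stand-in word list (`COMMON_WORDS`), caller-supplied personal-information tokens (street, pet name), and a vault that stores only salted PBKDF2 hashes so that reuse across accounts can be detected without ever keeping a plaintext password.

```python
"""Password policy checks for the advice in the article (added example).

Assumptions, not from the article: COMMON_WORDS stands in for a real
dictionary / breached-password list, and personal_info tokens are supplied
by the caller at enrollment. Checks implemented:
  * minimum length of 12 characters
  * at least two character classes (e.g. letters plus digits or symbols)
  * not a single dictionary word with digits or symbols tacked on
  * no personal-information token embedded in the password
  * not reused across accounts, compared via salted hashes
"""
import hashlib
import hmac
import os
import re

MIN_LENGTH = 12

# Constructed sample list; a real deployment would use a large breached list.
COMMON_WORDS = {"password", "welcome", "summer", "photography", "house"}


def policy_violations(password: str, personal_info=()) -> list:
    """Return human-readable reasons the password fails policy (empty = ok)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum([
        bool(re.search(r"[a-z]", password)),
        bool(re.search(r"[A-Z]", password)),
        bool(re.search(r"\d", password)),
        bool(re.search(r"[^A-Za-z0-9]", password)),
    ])
    if classes < 2:
        problems.append("uses only one character class")
    # Strip digits/symbols: "Photography2024" is still just a dictionary word.
    core = re.sub(r"[^A-Za-z]", "", password).lower()
    if core in COMMON_WORDS:
        problems.append("is a dictionary word")
    lowered = password.lower()
    for token in personal_info:
        if len(token) >= 3 and token.lower() in lowered:
            problems.append(f"contains personal information ({token})")
    return problems


class PasswordVault:
    """Tracks per-account password hashes so reuse can be detected.

    Each account gets its own random salt. A candidate password is hashed
    under every stored salt and compared in constant time, so the same
    password on two accounts is caught without storing any plaintext.
    """

    def __init__(self):
        self._records = {}  # account -> (salt, digest)

    @staticmethod
    def _digest(salt: bytes, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def reused_on(self, password: str) -> list:
        """Return the accounts already protected by this exact password."""
        return [acct for acct, (salt, digest) in self._records.items()
                if hmac.compare_digest(self._digest(salt, password), digest)]

    def set_password(self, account: str, password: str, personal_info=()) -> list:
        """Store the password if it passes policy and is not reused elsewhere.

        Returns the list of problems; an empty list means it was accepted.
        """
        problems = policy_violations(password, personal_info)
        duplicates = [a for a in self.reused_on(password) if a != account]
        if duplicates:
            problems.append(f"already used on {', '.join(duplicates)}")
        if problems:
            return problems
        salt = os.urandom(16)
        self._records[account] = (salt, self._digest(salt, password))
        return []


if __name__ == "__main__":
    vault = PasswordVault()
    print(vault.set_password("mail", "MyHouse;isNew-20"))       # []
    print(vault.set_password("vpn", "MyHouse;isNew-20"))        # reuse flagged
    print(policy_violations("Fluffy2024!", ["Fluffy"]))         # short + personal
```

The vault deliberately re-derives the hash under each stored salt rather than keeping one global hash of the password: a single unsalted hash would make reuse checks cheap but would also turn the vault into a convenient cracking target if it leaked.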

Shoulder surfing

When employees work in public areas like airports, train stations, or busy cafés, there’s a chance they are being watched by a malicious individual. If this person watches an employee take out a credit card, type in a PIN, or read a sensitive document, they could use that information against your company later. To prevent shoulder surfing, ask employees to avoid working in crowded public areas. If that’s difficult for certain roles – such as traveling salespeople – outfit their computer and/or mobile device with a privacy screen.

How to create a cyber security awareness plan

You’re now aware of six serious cyber security threats that employee awareness can address – but how do you make your fellow team members more aware of them? It’s not as difficult as you may think: follow these five steps and you’ll be well on your way.

1. Align with leadership & get employee buy-in

Before you can start a cyber security awareness plan, you need both leadership and employees to understand how important it is. Start by meeting with the CIO or another senior leader to stress the importance of cyber security awareness and make clear that some modest investment will be needed to help employees stay secure. Once leadership is on board, reach out to employees and begin pitching them on why they need to take cyber security seriously – namely, how much poor security costs the business, and how those costs can trickle down to them.

2. Train employees

Once you have buy-in for cyber security awareness training, start building your lesson plan. It should cover the information your core business needs, the common threats in your line of business, and sample cases of how these attacks play out in practice. Additionally, tell employees exactly how they should respond to and report these threats so that the hacker does not succeed.

3. Test employees

After training is complete, test what your employees learned with hands-on exercises. A few days or weeks after the training concludes, play the role of a malicious actor and see how many employees fall for your tricks. This may include sending malicious attachments from an outside email account, phishing via email, or trying social engineering tactics on your employees. Reward employees who don’t fall for it – a gift card, free lunch, or a box of treats. If they are tricked, go back to step 2 and retrain them.

4. Conduct a threat assessment

Threat assessments help you identify vulnerabilities within your organization and quantify the cost of different cyber security attacks, helping you prioritize risks based on your most critical business areas. Once the assessment is complete, share the findings with both general employees and the IT team. When you send the document to a typical employee, include suggestions on how they can help secure these business areas. When you send it to the IT team, let them know which high-risk parts of the business to monitor most closely.
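The article says a threat assessment should quantify attack costs and rank risks, but does not show how. The Python below is an added example, not the article’s or SoftwareOne’s method, using the standard annualized loss expectancy (ALE = SLE × ARO) and return on security investment (ROSI) calculations; the findings, dollar figures and occurrence rates are constructed sample values, and the `Finding` class, `rank_findings`, `rosi` and `control_justified` names are this example’s own.

```python
"""Quantifying and prioritizing threat-assessment findings (added example).

Technique assumed, not described in the article:
  ALE  = SLE x ARO   (single-loss expectancy in dollars times the expected
                      number of occurrences per year)
  ROSI = (ALE_before - ALE_after - annual control cost) / annual control cost
All findings and figures below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    area: str      # business area the finding affects
    threat: str    # short description of the threat
    sle: float     # single-loss expectancy, dollars per incident
    aro: float     # annualized rate of occurrence, incidents per year

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: expected dollars lost per year."""
        return self.sle * self.aro


def rank_findings(findings):
    """Highest ALE first, so the costliest risks are addressed first."""
    return sorted(findings, key=lambda f: f.ale, reverse=True)


def rosi(ale_before: float, ale_after: float, control_cost: float) -> float:
    """Return on security investment; greater than 0 means the control pays off."""
    if control_cost <= 0:
        raise ValueError("control cost must be positive")
    return (ale_before - ale_after - control_cost) / control_cost


def control_justified(finding: Finding, reduction: float, control_cost: float) -> bool:
    """True if a control that removes `reduction` (0..1) of the ALE is worth its cost."""
    ale_after = finding.ale * (1 - reduction)
    return rosi(finding.ale, ale_after, control_cost) > 0


# Constructed sample register; values are illustrative only.
SAMPLE_FINDINGS = [
    Finding("finance", "invoice fraud via phishing", sle=150_000, aro=0.4),
    Finding("sales", "laptop loss while travelling", sle=20_000, aro=1.5),
    Finding("all staff", "credential reuse after third-party breach", sle=60_000, aro=0.5),
]


def summary_lines(findings=SAMPLE_FINDINGS):
    """One line per finding, ranked, for the report shared with the IT team."""
    return [f"{f.area:<10} {f.threat:<45} ALE ${f.ale:>10,.0f}"
            for f in rank_findings(findings)]


if __name__ == "__main__":
    for line in summary_lines():
        print(line)
    # Awareness training (assumed to cut the phishing finding's ALE by 70%)
    # costing $20,000 a year: ROSI = (60000 - 18000 - 20000) / 20000 = 1.1
    print(control_justified(SAMPLE_FINDINGS[0], 0.7, 20_000))   # True
    # A $30,000/year control that halves laptop-loss ALE does not pay off.
    print(control_justified(SAMPLE_FINDINGS[1], 0.5, 30_000))   # False
```

Ranking by ALE rather than by likelihood alone is what lets the assessment tie each finding to a business area’s actual exposure, and the ROSI check gives the security team a defensible answer when leadership asks whether a proposed control, awareness training included, is worth its budget.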

5. Assist security teams

Make sure your security team is aware of the findings of your threat assessment and is equipped to handle the most pressing threats it identifies. Check in with them regularly and consider providing them with a list of what’s currently trending in the world of cyber security. By taking this step, your business is more likely to have everything it needs to prevent a breach.

Final thoughts

Promoting cyber security awareness among all of your employees can be daunting – but when it’s successful, every member of your team will know exactly what to do in the event of a security incident. Considering the cost of a successful breach, each deflected attack will pay for your efforts many times over.

When your entire organization understands the risks inherent in modern business and is equipped with the knowledge and tools required to mitigate them, you can better protect your organization’s data. Keep in mind that creating a cyber security awareness program isn’t a one-time exercise – train new employees, regularly retrain existing ones, and test every member of your organization, from interns to the CEO. This continuous initiative will give you many of the tools you need to defend against today’s most pressing cyber threats.

If you still feel overwhelmed or your resources are limited, SoftwareOne is here to help you. Our cyber security user awareness training closes the knowledge gap in your workforce and increases the resilience and security of your organization.


Want to increase the strength of your cyber security awareness program?

Contact us to learn how to craft one for your organization.

Ravi Bindra

Ravi holds over 20 years’ experience as a cyber security evangelist, holding multiple leadership roles in the Swiss pharmaceutical industry, such as Global Head of Risk Management, Global Head of Architecture and Global Head of Security Operations.