How to Build an Effective Cyber Security Employee Awareness Program

January 09, 2019


With the proper education and awareness training, employees can be deployed as the best defense against cyber attacks. The current approach to training requires an overhaul to deal with today’s new wave of attacks.


According to the 2017 Cyberthreat Defense Report by CyberEdge Group, a lack of security awareness among employees is “the greatest inhibitor to defending against cyber threats.” A recent Verizon report found that in 60 percent of breach cases, attackers were able to compromise an organization within minutes. As businesses navigate a growing landscape of cyber threats, coaching appropriate employee behaviour will continue to be a critical risk management measure.

Taking a Non-Traditional Approach to Training

Workplace security training traditionally involves mandating that employees complete learning modules, each ending in a test of multiple-choice questions. The training is reinforced through executive communications and reminders any time a breach occurs.

For employees pressured to achieve higher results with fewer resources, security training becomes both a burden and a distraction. Although the training content may be comprehensive and include all the instructions necessary to put a strong security policy in place, the messages aren’t resonating with the people who need to enact them. Instead, security fatigue may be leading employees to push the information aside, dismissing threats as an “IT problem.”

Make It Personal

While the modern workplace has become focused on digital assets and connectivity, many employees have developed digital workarounds that contribute to the problem. Even millennials, who were raised in the digital world and are aware of the need for strong cyber security habits, are not immune to taking shortcuts at the expense of proper protocols.

Introducing awareness programs that relate security practices in the workplace to a benefit in employees’ personal lives may be an effective way to increase engagement and compliance. Demonstrating how creating strong, unique passwords or avoiding unsolicited links can protect their personal assets can transform how employees view policies they may have dismissed as unimportant or overly cautious.

Make Training Engaging

Although the content of the training modules is professionally developed, the information and its delivery may not be engaging. Employees may walk away without absorbing enough knowledge to recognize and avoid a security breach. Instead, companies must look for ways to increase engagement by integrating security awareness into the company’s culture.

One approach to increasing security awareness involves running a phishing exercise to reveal how many employees would click on a malicious link sent by email. When the results are reported back to employees, they have a tangible example of how their actions are linked to a potential security breach. The exercise should be followed by a comprehensive and engaging awareness campaign. The expectation is that when the phishing exercise is repeated, the results should show a significant improvement, which means the exercise has to be measured the same way each time so that the rounds can be compared.

Encourage Rather Than Penalize

Another unfortunate traditional approach to security training involves penalizing employees with threats of discipline or dismissal for security breaches. While this approach is intended to discourage malicious intentions, it may unintentionally deliver a message that mistakes will not be tolerated.

By most estimates, only 20 percent of employee-at-fault security breaches occur due to malice on the part of the offending employee. The vast majority of security issues happen because of a lack of attention or awareness. With the threat of discipline or dismissal looming in their minds, employees may be hesitant to report security breaches.

When IT and security departments react to reports with encouragement rather than interrogations, employees become part of the solution. The benefits are two-fold. The security team gets the information it needs to identify a breach and fix the problem, and the employee is more likely to notify IT or security the next time they suspect a problem. For that reason a phishing exercise should track how many people report the message, not only how many click it: a rising report rate is the clearest sign that the culture is changing.
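The phishing exercise described above and the reporting behaviour this section asks for can be measured together. The following Python is an added example, not code from the article or from MNP. It assumes a hypothetical event export from a phishing-simulation platform with one row per send, click and report, and uses constructed sample data for two rounds. It goes beyond the text by also computing the report rate, the people who clicked and then reported (the behaviour a no-blame culture wants to grow), the median time to the first report, and the users who clicked in every round so that they can be coached rather than disciplined.

```python
from collections import defaultdict
from statistics import median

# Constructed sample events (not from the article). Each tuple is
# (round_id, user, action, minutes_after_send), the shape a hypothetical
# phishing-simulation platform might export. Round r1 is the baseline;
# r2 is the repeat after the awareness campaign.
EVENTS = [
    ("r1", "alice", "sent", 0), ("r1", "bob", "sent", 0), ("r1", "carol", "sent", 0),
    ("r1", "dave", "sent", 0), ("r1", "erin", "sent", 0),
    ("r1", "alice", "clicked", 3), ("r1", "bob", "clicked", 7), ("r1", "carol", "clicked", 12),
    ("r1", "dave", "reported", 5), ("r1", "alice", "reported", 20),
    ("r2", "alice", "sent", 0), ("r2", "bob", "sent", 0), ("r2", "carol", "sent", 0),
    ("r2", "dave", "sent", 0), ("r2", "erin", "sent", 0),
    ("r2", "bob", "clicked", 4),
    ("r2", "alice", "reported", 2), ("r2", "carol", "reported", 6),
    ("r2", "erin", "reported", 9), ("r2", "bob", "reported", 15),
]


def round_metrics(events):
    """Per-round metrics keyed by round id.

    click_rate is the number usually reported back to staff; report_rate and
    clicked_then_reported show whether people feel safe admitting a mistake.
    """
    buckets = defaultdict(lambda: {"sent": set(), "clicked": set(),
                                   "reported": set(), "report_minutes": []})
    for rnd, user, action, minutes in events:
        b = buckets[rnd]
        if action == "sent":
            b["sent"].add(user)
        elif action == "clicked":
            b["clicked"].add(user)
        elif action == "reported":
            b["reported"].add(user)
            b["report_minutes"].append(minutes)
    metrics = {}
    for rnd, b in buckets.items():
        targets = len(b["sent"])
        metrics[rnd] = {
            "targets": targets,
            "click_rate": len(b["clicked"]) / targets,
            "report_rate": len(b["reported"]) / targets,
            # Users who clicked and still reported: the behaviour to reward.
            "clicked_then_reported": len(b["clicked"] & b["reported"]),
            # How quickly security first hears about the campaign.
            "median_minutes_to_report": median(b["report_minutes"]) if b["report_minutes"] else None,
        }
    return metrics


def repeat_clickers(events, rounds):
    """Users who clicked in every listed round: candidates for coaching."""
    clicked = {rnd: {u for r, u, a, _ in events if r == rnd and a == "clicked"} for rnd in rounds}
    return set.intersection(*clicked.values()) if clicked else set()


def compare(metrics, before, after):
    """Change between two rounds; a falling click rate and a rising report rate are the goals."""
    return {
        "click_rate_change": metrics[after]["click_rate"] - metrics[before]["click_rate"],
        "report_rate_change": metrics[after]["report_rate"] - metrics[before]["report_rate"],
    }


if __name__ == "__main__":
    m = round_metrics(EVENTS)
    for rnd in sorted(m):
        print(rnd, m[rnd])
    print("repeat clickers:", repeat_clickers(EVENTS, ["r1", "r2"]))
    print("r1 -> r2:", compare(m, "r1", "r2"))
```

On the constructed data the click rate falls from 60 to 20 percent while the report rate rises from 40 to 80 percent; reporting the second number alongside the first is what keeps the exercise from reading as a blame list.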

Changing the Way of Doing Business

Traditional approaches to cyber security have shifted substantially as old controls such as firewalls, anti-virus software, and security patches are no longer sufficient in and of themselves to keep organizations safe from attack. Employee education and training needs to evolve to provide the right level of awareness, in a format and with content that can help employees become partners in cyber security.

Find out where your company stands by completing MNP’s free Cyber Health Assessment Tool.

To find out what MNP can do for you, contact:

Ron Borsholm
B.C. Leader, Cyber Security Services
T: 778.350.3562
E: [email protected]
