Security white paper.

The ultimate guide to security awareness training

White paper fish image-1

How to reinvent your end-user security

Security is a high priority for most companies, yet most employees are not confident they would know a social engineering attack if they saw one.

Security awareness training provides peace of mind for IT security teams by establishing enforceable security policies, improving employee knowledge of cybersecurity best practices, and increasing customer confidence that their data is secure with you.

What's in the eBook?

  • What security awareness training should include
  • Things to look for in a security awareness training program
  • How to select a security awareness training partner
  • Things to watch out for when selecting a security awareness training provider
  • How to get buy-in for a security awareness training program
  • How BrainStorm can help
By submitting this form, you are agreeing to BrainStorm, Inc.’s privacy policy.

Download a PDF version of this guide by filling out this form, or keep scrolling to read.

By submitting this form, you are agreeing to BrainStorm, Inc.’s privacy policy.

Chapter 1


older woman taking security awareness training course

Fun fact: 59% of employees are not confident they would know a social engineering attack if they saw one. 

This stat is extra alarming because, although phishing scams have been on the IT security radar for a long time, in 2020, cybercriminals shifted into high gear thanks in large part to COVID-19 fears and the sudden global shift to remote work. 

In fact, during one 12-month period, thousands of new phishing pages trying to steal personal and company data, employee login credentials, and financial information such as credit card numbers were released every hour. And by the end of 2020, security experts were seeing 50,000 phishing attempts per day, for an increase of 42% over the 2019 numbers. 

With this current uptrend expected to continue indefinitely, companies need to proactively protect their sensitive data, systems, and applications not only from phishing campaigns but also from the wide variety of cyber threats that are constantly evolving. 

Security Awareness Training to the Rescue

Small mistakes can have big consequences when it comes to cybersecurity. Today, employees and end-users are on the front line in the war against cyber threats, which is why scheduling regular security awareness training is an essential part of a holistic cybersecurity strategy. 

These customizable learning programs are designed to educate employees about cyber threats and provide actionable advice to combat them. Security awareness training addresses the human element of cybersecurity, including what threats exist, how to recognize them, how to avoid them, and what users can do about them.

Studies show cybercrime is becoming more frequent, more destructive, and more expensive. So in today’s highly distributed and always-connected business environments, companies of every size—from brand new startups to giant multinational corporations—are making regularly scheduled, customized security awareness training part of their safety net.

Hackers are always changing and evolving their techniques, and frequent security awareness training keeps organizations up to date on the latest threats and tactics.

IT tends to view users as a liability, but with the right security awareness training, these users can act as an extension of IT and be a partner in securing the company’s perimeter. 

When done well, security awareness training provides peace of mind for IT security teams by establishing enforceable security policies, improving employee knowledge of cybersecurity best practices, and increasing customer confidence that their data is secure with you. 

Chapter 2

What should security awareness training include?

image 70

It’s important to note that all security awareness training programs are not created equal. For example, many training programs focus only on types of malware and their impact on the business. A better approach is to address how the malware gets into your system in the first place. 

To ensure your organization gets the full security benefits of a training initiative, there are several areas you will want to include in the curriculum. 

Phishing/Cyber Threat Awareness

It’s impossible to avoid being a victim of a cyberattack if you don’t know what to look for. So the best place to start when increasing awareness of security threats is getting to know the enemy. Here are some of the most common ways cybercriminals gain access to company networks:

Suspicious Emails: Phishing emails often appear to be from a trusted source but normally have one or more red flags such as small discrepancies in the email address, spoofed hyperlinks, and websites, poor spelling and grammar, or bad formatting. 

When opened, the email text prompts the recipient to click a link or open an attachment and enter credentials to an account. 

Malicious Links: These links are frequently embedded in official-looking emails. When you click the link, malware downloads onto the computer and starts running amok. 

Infected Attachments: Similarly to the malicious links, cybercriminals launch malware onto your device when you open an infected file, usually attached to a business email.

Malvertising: Malicious advertising might look legit, but its active scripts can download malware or other unwanted content onto your computer. So-called drive-by malvertising can infect your device even if you don’t click it.

Smishing and Vishing: Smishing (SMS phishing) and vishing (voice phishing) try to trick victims into revealing personal information, credentials, bank account number, and so on, by clicking a link in a text or calling a number.

Data Privacy and Compliance Regulations

Different industries contend with different levels of compliance regulations, but one thing is universal: Users are becoming rabidly protective of their data privacy. 

Security awareness training should include overarching best practices for keeping data secure as well as drill down on the laws that govern your specific company, country or region, and industry.

Passwords and Authentication

Weak and shared passwords are an open invitation to cybercriminals, yet many companies fail to enforce strong password policies. In fact, passwords are such a big security risk that many organizations are doing away with them altogether.

With an estimated 4 out of 5 global data breaches traced back to weak or stolen passwords, many IT departments are implementing new access management strategies like password lockers, least privilege, and multifactor authentication. 

Incident Reporting

Humans are fallible, and cybercriminals are persistent, so there’s a good chance your organization will have to deal with a phishing attack. Part of your security awareness training should educate employees on how to report suspicious emails and attachments, immediate steps to mitigate damage, and whom to notify of a potential or actual security breach.

User Behavior

Human error is a leading cause of security breaches. But with the right training backed up by consistently enforced security policies, organizations can not only mitigate risk, but they can also make employees the first line of defense against cyberattacks.

To address the human factor in security awareness, you have to understand the 6 habits of a secure user and how these practices contribute to the company’s overall security strategy.

Habit 1: Content Protection

Securing documents from unauthorized access is essential. This includes how and where documents are stored, who can access them, and even printing protocols. 

Habit 2: Device Care

In today’s highly distributed work environments, employees have to be responsible for some of their own IT functions to keep devices secure, including:

  • Running virus scans
  • Checking for updates
  • Installing updates and patches quickly
  • Restarting devices frequently 

Habit 3: Protected Collaboration

Cloud-based collaboration has become the norm, so employees have to be smart about sharing. Some best practices for safe sharing include:

  • Share file links instead of attachments
  • Review document permissions
  • Microsoft 365 users should use Inspect Document to remove hidden data or personal information 
  • Set up rights management
  • Don’t “work” in email. Use Microsoft Teams or another IT-approved collaboration tool

Habit 4: Safe Workspace 

Whether you’re working at home, at the office, or at the coffee shop, securing your physical workspace is job No. 1.

  • Don’t use public Wi-Fi
  • Don’t leave computer unattended/unlocked
  • When possible, don't use personal devices or personal apps for work and vice versa
  • Secure removable media

Habit 5: Secure Communication

Communication is key to productivity and meeting business objectives. Be sure employees are aware of secure communication best practices:  

  • Avoid: Text messages from your personal mobile phone
  • OK: Email—use BCC and send links to documents rather than sending them as attachments
  • Best: Company-owned messaging applications (Microsoft Teams, Cisco Webex, Slack, or Google Chat)

Habit 6: Security Awareness

Due diligence can mean the difference between rock-solid security and thousands of dollars (or more) in cyberattack cleanup costs. With human error being the No. 1 cybersecurity risk, knowledge is power.

  • Hover over links
  • Check webpage security status
  • Avoid shadow IT
  • Separate work files and personal files
  • Don’t use shared accounts or logins

Chapter 3

Things to look for in a security awareness training program


As with most learning experiences, how security awareness is taught is just as important as what is taught. Taking a nontraditional approach that is both engaging and relevant to the audience will be the most impactful, especially if the content is customized to meet the learners where they are in their security awareness journey. 

The content should address the roles user behavior and external threats play in cybersecurity and take a comprehensive view of security (i.e., look at all threats, not just those that arrive via email).

It’s also important to assess the features included in the training platform to ensure it provides a robust and personalized learning experience. Some key capabilities to look for include:

  • Easily consumable training content
  • Prebuilt campaigns/templates/emails
  • Ability to blast emails 
  • Integration capabilities
  • Ability to target specific users based on groups
  • Ability to create groups and segment users (bonus points if it’s automated)
  • Robust reporting
  • Survey capabilities
  • Automated remediation 

Chapter 4

How to select a security awareness training partner

image 68

Now that you know what you are looking for in a security awareness training program, how do you find a solutions provider you can trust to do the job right? 

First and foremost, look for a training provider with a partnership mentality and a commitment to a culture of learning. These are your people. 

A partner will work closely with your team to define what success means in your organization, and they are invested in helping you reach that goal.

A great training partner also provides excellent customer service, so issues are resolved quickly, questions don’t go unanswered, and you always know you are being heard. Your training partner should work as an extension of your IT team but also empower you to run the show yourself if that’s a better option.  

Be sure your security awareness training provider addresses both the security and productivity aspects. 

For example, today’s teams tend to do a lot of their work in email and with email attachments, which creates a huge target for phishing scammers. But ensuring emails are safe requires the user to read every email address closely, hover over every single link, and know every potential scam that’s out there. 

If a user gets 50, 60, 100 emails a day, either productivity suffers, or they don’t do the work and security suffers.

A good training program will not only teach you to avoid phishing scams, but it will also help your team become more productive and secure by suggesting ways to reduce the number of emails users receive each day. One way to accomplish this is by moving the bulk of work and collaboration out of your email box and into Microsoft Teams, SharePoint, Yammer, and so on.

Chapter 5

Things to watch out for when selecting a security awareness training provider

image 71

Many service providers talk a big game when they are trying to get your business, but there are some red flags to watch for that indicate a vendor isn’t a great fit. 

Some training providers focus primarily on one-off or intermittent training offerings versus iterative and ongoing learning opportunities. This approach is fine if you’re just trying to “check the box” for compliance. However, if your goal is sustainable, long-term security, this isn’t a good approach.

When a lot of time passes between refreshers, employees are bound to forget what they’ve learned and slip back into old patterns and behaviors. It’s crucial to offer ongoing training opportunities customized to each user’s knowledge gaps.

Additionally, cybercriminals are always changing up their tactics and techniques. Frequent, ongoing security awareness training is the best way to keep employees current on the latest threats.

Another sign you should keep searching for the right partner is if a service provider doesn’t meet you where you are. Maybe they only speak IT, or they are focused on only what’s in the contract, not what your team needs to succeed. If a vendor isn’t willing to make the experience personal, keep looking.

And finally, be wary of a training provider that only teaches your team how to handle the delivery technology or the consequences of a security breach. Yes, it’s important to understand what spyware is, but it’s far more valuable to know how spyware and other cyberthreats can infect your systems so the consequences can be prevented altogether.

Chapter 6

How to get buy-in for a security awareness training program

image 69

Getting buy-in for any new IT initiative is always a challenge, and security awareness training is no different. However, if you go in prepared with the right tools, you will get a lot less push back and maybe even a bit of enthusiasm.

Start by tailoring your approach to the audience, with two distinct strategies—one for employee buy-in and one for management.

Getting Buy-in From Employees

Security should be a priority for every employee from day one. If you add security awareness training to the onboarding process, each new employee will start off armed with up-to-date knowledge of security best practices and company-specific policies, so there’s no playing catch up later.   

IT teams aren’t normally known for their communication skills, so get the marketing or internal communications people involved. They can help draft compelling messaging and assist with the delivery.

It’s also helpful to get a sponsor from higher up the food chain to express public support for the training initiative. However, be sure to recruit an executive that the majority of the company respects and admires rather than fears, or you may find your security awareness trainees are just going through the motions.

Getting employees to fully engage in the training program is key to improving security. Make security awareness feel personal by emphasizing the role each person plays in keeping the company safe. 

Because security training is ongoing, be sure to mix up the content regularly to keep it fresh and interesting. Employees are likely to disengage if they have to endure the same programming several times a year.  

Getting Buy-in From Management

Buy-in from management requires a separate tack and a bit of research and number crunching. 

Executives love data, so arm yourself with facts and figures. Research stats on the current rates of phishing and other cyberattacks. Then cite some of your organization’s known vulnerabilities. 

Then illustrate the value and ROI of implementing recurring security awareness training for all employees. Use your company’s real numbers if possible to compare the cost of a good training program to the cost of cleaning up after a security breach. 

Be sure to include both the direct costs—such as lost revenue, lost productivity, and noncompliance penalties—and the indirect costs of losing customers and reputational damage. Also mention unknowns like the ramifications of stolen personal data, intellectual property, and confidential business information. 

If the data doesn’t get their attention, find out what your competitors are doing to protect themselves against cyber threats and data loss. No executive wants to have the least secure product on the market.

Chapter 7

How BrainStorm can help

Adoption landmines (vid thumb)

BrainStorm’s first priority is the user. And as a user-focused service provider (as opposed to a seller of technology), the BrainStorm team is flipping the popular narrative that users are a liability to company security.

We don’t just think—we know that with the right security awareness training, your employees are an organization’s first and best line of defense. 

BrainStorm Threat Defense takes a targeted approach to security awareness training with highly scalable and customizable programs to address your organization’s specific risks. We are committed to helping you solve your real-world security challenges, so we don’t churn out generic, one-size-fits-all training content.  

Our four-step security awareness program is focused on creating a partnership between users and IT:

Understand: We work closely with a client to learn about the users’ and organization’s weaknesses. This will be an ongoing conversation because remediation will cause these weaknesses to change over time.

Teach: We provide users with a skill path to learn how to overcome known weaknesses. For example, if we feel like the user doesn’t recognize the types of scams that are out there, we focus on increasing awareness of the different types of scams and how to avoid them. 

Assess: The BrainStorm Threat Defense approach to learning doesn’t rely on punishment and humiliation to drive home learning. We understand that people learn best in an environment where they feel safe, so we employ positive correction in our phishing campaigns to better measure what the user has learned.

Remediate: The teaching step of BrainStorm Threat Defense’s training program can be repeated and retargeted as needed to ensure users are ready for anything. Because remediation is automated, users can keep learning while the information is fresh.

We also use polls and surveys to solicit feedback from users to learn why they made the decisions they did. This helps IT understand the mind of the user so they know what behaviors to target in future training. 

One-size-fits-all security awareness training doesn’t address the full spectrum of security risks users encounter in the real world. That’s why the BrainStorm Threat Defense approach focuses on users and individual behavior. 

We aren’t a “check-the-box” security awareness training company. We believe there is a symbiotic relationship between recognizing external threats and using the right, IT-approved tools. We teach the user productive, security-minded behavior and encourage them to adopt the best tools for supporting a secure IT environment. 

Phishing scams, ransomware, and other cyber threats will never go away. Our best defense is to make the target smaller by creating a strong partnership between IT and users to build a security perimeter. Security awareness training is the foundation of that perimeter.

    close chapters modal