How to Future Proof Cybersecurity Postures in the Modern Enterprise


Companies today are facing cyber threats that are constantly increasing in volume, severity and sophistication. Recently, Mailchimp, Riot Games and LastPass all found themselves on the wrong ends of data breaches. These repeated security lapses beg the question: How effective is modern cybersecurity training, and what should organizations do to future-proof it?

Security awareness training in enterprises has come a long way since employees were forced to listen to quarterly two-hour lectures about phishing. Despite advances in training methods, the evidence tells us that companies must use better tactics to ensure employees eliminate mistakes when interacting online.

Let’s take a look at how enterprises can future-proof their approach towards cybersecurity awareness training.


Cybersecurity training and the messaging around it can often seem threatening to employees. For instance, a company might list the potential ramifications of a data breach, such as brand image loss, system downtime or loss of revenue, and leave employees in fear of clicking the wrong link.

These fear-based methods do not change employee behavior, since they aren't learning anything. They're merely tiptoeing, trying their best to not bring the company down. The result is a level of cybersecurity knowhow that is less developed and cannot cope with modern malicious tactics.

Companies must instead acknowledge the difficulty in spotting malicious tactics and offer as many educational resources to employees as possible. For instance, educating employees about the anatomy of a personal data breach is a good way to emphasize the serious nature of a company data breach.

Offering resources that help employees check whether they have personally suffered from cybercrime builds empathy, leading to more engagement in training. Talking about important incidents (whether internal or external) and highlighting possible steps to mitigate those risks will help companies build a culture of cybersecurity.

Emphasize the ‘why’

In an age where brand trust is a type of currency, cybersecurity readiness has become a differentiating attribute for many enterprises. While executives and customer-facing employees understand this fact, many internally-facing employees do not. To them, cybersecurity is something that simply exists, much like accounting or sales exists. It's someone else's responsibility and is full of technical jargon they do not understand.

Shifting an employee's mindset from this to assuming responsibility for cybersecurity, no matter their technical skill, is essential to boosting training programs. After all, even the best training module will fail to impact an employee who believes the material has nothing to do with them.

One way of explaining the importance of cybersecurity is by quantifying the impact of data breaches. Numbers, charts, and images convey the consequences of such incidents. As noted above, it’s important to remember that the aim isn't to scare employees into accepting cybersecurity. Instead, companies can highlight positive stats, such as how much money an employee will contribute to the bottom line by following basic cybersecurity principles.

And if framed as part of an action plan, demonstrating the after-effects of negligent security practices, using a gamified training platform, is also a good way to drive home the "why" behind cybersecurity.

Simulate threats

People learn by doing. Companies can trot out as many experts as they like in seminars, but until employees get their hands dirty working through an incident, information is unlikely to stick. Simulations have come a long way over the past decade and currently help companies create realistic environments that simulate breaches.

A basic simulation could walk the user through an incident and demonstrate the negative effects of a breach. A full-blown simulation can have employees deal with threats interactively while rewarding them for good performance.

The data from these platforms can be used to create customized learning paths. The result is a workforce that receives tailored security training, instead of a one-size-fits-all program that leaves many unengaged.

Companies can use simulations to train their technical personnel too. Penetration tests and red hat testing give security teams the training they need to simulate threats and prepare them for real-world incidents.

Hit the right frequency

Deliver training lessons far apart, and employees will forget what they learned. Deliver them too close together, and everything becomes a whirlwind of facts that employees soon forget as they lament being taken away from their core responsibilities for yet another training. There is no single great training frequency.

Much depends on an individual's ability to retain information and employ it. The key to hitting the right frequency is measuring training data and noting the progress each person makes on the training platform. For instance, if an employee is having issues with certain tasks, delivering those tasks repeatedly to enforce repetition is a good idea.

Currently, cybersecurity training assumes every employee has a similar technical background and ability to retain information. While trainers know this isn't true, they have no choice due to limited training windows and the formats used to deliver information.

Gathering feedback from employees regarding training frequency is also a good way to figure out the right frequency when delivering training programs.

Measure the right KPIs

Many companies lack a way of measuring the effectiveness of their training programs. This is because of the way most training is delivered. Group seminars and presentations do not give trainers enough feedback to measure effectiveness.

Even the enterprises that use electronic platforms to deliver training often end up measuring the wrong KPIs, such as the percentage of lessons completed or time spent on the platform. Instead, companies must measure KPIs that quantify the behavior change effectiveness of their programs.

For instance, instead of measuring the number of tasks successfully completed, measuring in-task actions such as methods used or decisions made will let trainers know how employees are behaving under stressful situations.

Rethinking KPIs will help companies understand how their employees are reacting to training and how prepared they are to deal with a real-world situation.

Effective security training is critical

Security training is critical to preventing cybercrime. The current state of security training leaves a lot to be desired, and companies have a lot of room to improve. Rethinking training formats and measuring the right KPIs will help companies design training programs that impact employees and prevent security incidents.

Get stories like this delivered straight to your inbox. [Free eNews Subscription]
Related Articles

Why Block Websites? Understanding the Reasons

By: Contributing Writer    5/6/2024

The internet is such an expansive network where every click can lead to information, entertainment, or opportunities for productivity. However, this a…

Read More

ChatGPT Isn't Really AI: Here's Why

By: Contributing Writer    4/17/2024

ChatGPT is the biggest talking point in the world of AI, but is it actually artificial intelligence? Click here to find out the truth behind ChatGPT.

Read More

Revolutionizing Home Energy Management: The Partnership of Hub Controls and Four Square/TRE

By: Reece Loftus    4/16/2024

Through a recently announced partnership with manufacturer Four Square/TRE, Hub Controls is set to redefine the landscape of home energy management in…

Read More

4 Benefits of Time Tracking Software for Small Businesses

By: Contributing Writer    4/16/2024

Time tracking is invaluable for every business's success. It ensures teams and time are well managed. While you can do manual time tracking, it's time…

Read More

How the Terraform Registry Helps DevOps Teams Increase Efficiency

By: Contributing Writer    4/16/2024

A key component to HashiCorp's Terraform infrastructure-as-code (IaC) ecosystem, the Terraform Registry made it to the news in late 2023 when changes …

Read More