Cyber security awareness: the first and most important line of defense

When we talk about cyber security, we almost always focus on the newest technology available to combat cyber security risks and threats. Companies focus so much on protecting hardware and software against cyber threats that they forget about securing processes and, most importantly, providing adequate training for the people involved in cyber security.

While a good cyber security awareness training program and campaign alone will not ensure adequate protection against cyber security threats, it is possibly the most important part of any cyber security prevention approach. Research from the US State of Cybercrime Survey by PricewaterhouseCoopers has shown that companies with an awareness training strategy have significantly lower losses when a cyber-related event happens than those who do not train their staff.

Cyber security is not just an IT problem but a business problem, and awareness training is not just for IT personnel but for all employees who have access to a computer and the Internet. The focus and specialty of awareness training need to be tailored to each employee's function and role within the organization. Cyber security needs to be part of an organization's culture to be effective; if it is just a checkbox approach, where employees don't understand what it is about and why, it will surely be ineffective.

Both the recent Equifax breach (145 million US consumers' records) and the SA Master Deeds Leak (30 million South Africans' ID numbers at the time of writing) were caused by human error: Equifax did not patch a vulnerability relating to its Apache servers for two months, while in the case of the SA Master Deeds Leak, the backup was published on a public-facing server. Cyber awareness might not have stopped both of these incidents, but they do show that the biggest vulnerability is the human aspect.

The combined cost of hardware, software, and policies for cyber security can easily be over $71,000 per year for a medium-sized company, but this can be meaningless expenditure if the end users in your organization are not properly trained to enforce and apply cyber security principles and good practices. Awareness training will give your organization the best value-for-money solution in the fight against cyber threats.

The benefits of cyber security awareness training are immense; the following list highlights some of the more important ones:

* Less exposure to cyber security related risks;
* Lower costs due to both the lower frequency of cyber-related loss-incidents and the severity of those incidents;
* Lower costs associated with cyber security insurance premiums;
* Saving time, as a lot of time is wasted after cyber security incidents, both in finding out what happened and in possibly having to redo the affected work;
* Market edge over your business competition, as public knowledge of cyber incidents will negatively affect your business reputation; and
* Positive staff culture regarding cyber and information security.

Not all cyber security awareness training is equal; you should ensure that the training you select for your organization is suited to your specific needs, your business environment and your level of cyber security maturity.

An effective cyber security awareness program should have the following attributes:

* It should focus on real-life examples, covering both the most common causes and the effects these examples might have.
* The training program should be based on your own organization’s culture, policies, procedures and perceived threats.
* Each individual needs to understand their role in securing the business information, the importance of their roles and the consequences of their actions.
* The training should cover both the prevention of and the response to cyber incidents.
* The program should be easy to understand, not too technical, and should be measurable.
* The training needs to be updated as new threats emerge and as the business culture and operations change.
* All employees must participate in the training program including executives.
* The training needs to be continual and not a one-time event.
* Cyber security awareness training must be part of a broader human risk management program.

Cyber security awareness should be an important part of any organization's cyber security management strategy. Not only does it address the human weakness factor in your strategy, it also provides immediate protection at an affordable price. To be effective, cyber security awareness training needs to be designed around your organization, not in isolation. If you or your organization would like to know more about cyber security awareness training and programs, you can do so at https://manageditprofessionals.com/.
