What Is the Main Purpose of Security Awareness Training?

What is the purpose of security awareness training? Find out how your staff can be a bottleneck for your organization's protection.

Blog Post


May 21, 2021

What is the main purpose of security awareness training? To prevent otherwise avoidable cyberattacks from taking place. Businesses that employ security awareness training see improvements in their ability to fend off attacks and keep themselves from harm.

So, you’ve identified that your cybersecurity is lacking, and you’ve got yourself some next-gen antivirus, or an endpoint monitoring solution, or perhaps a BDR (backup and disaster recovery) solution for your most sensitive data.

All set, right?

Wrong. Businesses in 2021 continue to make a crucial mistake in their approach to cybersecurity—forgetting that their staff are the biggest threat to their business.


Why staff are your biggest threat and what you can do about it will be addressed in this blog post, where we look at whether employees are a bottleneck for cybersecurity.

Why Does this Matter?

The reason we’re taking a look at employee human error and security awareness is because it is without a doubt the biggest reason businesses fall victim to cyberattacks every single day.

98% of cyberattacks rely on social engineering.

The overwhelming majority of cyberattacks are rooted in some form of social engineering.

Social engineering refers to the manipulation of end users into divulging or exposing sensitive data or information.

This kind of manipulation is very common and is typically delivered to end users via email, but other vectors for social engineering include text message and “watering hole” attacks, which target websites frequently used by a particular organization or industry.

[Figure: top attack vectors line graph]

What’s the Cause?

Cybercriminals operate on the basis that the majority of users who are targeted will not fall for their attack.

They also know, however, that they only need one person at one time to slip up or click a link they weren’t supposed to and they’re in.

According to the results of Terranova’s 2020 Gone Phishing Tournament, almost 20% of all employees are likely to click on phishing email links and, of those, a staggering 67.5% go on to enter their credentials on a phishing website.

This is a law-of-averages operation—not every attack needs to succeed, just one—and it works.

In short, if employees are not prepared to deal with the kinds of cyberattacks that hit organizations every day, there’s a high probability they will fall victim to social engineering.

The best way to avoid this is not just by implementing new tech solutions, but by educating staff on what attacks look like and how to avoid being “phished”.

Why Don’t Companies Take Security Awareness Seriously?

Organizations often lack an understanding of the importance of security training as part of their cybersecurity initiatives, with many simply undervaluing the main purpose of security awareness training.

Just 11% of respondents in a survey by Hiscox in their annual report said that their companies had increased spending on security awareness training after a cyberattack.

This is typically because decision makers do not realize the threat posed by a workforce that is undereducated (or not educated at all) about attack vectors like phishing.

Europe is the most targeted continent in the world (31%), followed by North America (27%), and Asia (25%).

When asked what their cybersecurity priorities were, a survey of senior security leaders in Europe put “increasing security awareness across the organization” as their fifth-most important objective.

Over 80% of security awareness professionals reported that they spend half or less of their time on awareness, indicating that far too often security awareness is a part-time effort.

What this all shows us is that while cybersecurity is clearly an issue—not just in the United States, but worldwide—decision makers are routinely ranking security awareness as a lesser issue in comparison to other pressing needs such as disaster recovery, cloud security, and mobile device management.

So, Are Employees the Bottleneck?

The simple answer is, yes, employees certainly are a bottleneck when it comes to security, but this is through no fault of their own.

While organizations have correctly recognized that cybersecurity is an issue that must be tackled, many of them are pouring their investment primarily into solutions rather than education.


It’s an indication of progress that companies are taking security in general more seriously, and this aforementioned investment is key to fighting against cybercrime and protecting businesses from harm.

But the lack of widespread investment in education for workforces across the country and around the world means that employees are highly susceptible to attack, as demonstrated by the sharp rise in attacks during the pandemic and continuing today.

In this regard, it is not the employees that are the bottleneck for businesses, but the security strategies of the businesses themselves.

What Can a Business Do to Remove Bottlenecks Like These?

A quality program for cybersecurity in 2021 should take a layered approach and include a variety of solutions, of which awareness training is just one.

For organizations that are unsure of what bottlenecks they have, or if they have any at all, it’s strongly recommended to engage with a cybersecurity provider and have an assessment conducted.


A cybersecurity audit will take a deep dive into your organization’s capabilities and determine where your strengths and weaknesses are.

This is the best way to adjust or formulate your strategy to best protect your company.

Bottom Line

We hope that you now have a clear understanding of what the main purpose of security awareness training is.

Security awareness is a major issue when it comes to cybersecurity and is frequently neglected or overlooked by decision makers.

With human error the leading cause of data breaches and other successful cyberattacks, businesses should not take for granted the ability of their own workforce to avoid attack.

Investing in a cybersecurity awareness program is an excellent way to safeguard a business and will become a necessity as cybercriminals continue to rely heavily on social engineering as a primary attack vector going forward.
