6 steps of a successful cyber security user awareness programme

December 6, 2019

The unfortunate truth is that technology alone cannot protect you from cyber security attacks. You can have the best tools available, the most skilled security operations team, but…

Unless you have an effective ‘cyber’ user awareness programme, your business will always be at risk.

While it is unlikely (albeit possible) that a disgruntled employee could cause deliberate harm, it is highly likely that they’ll make an honest mistake that opens the door to a cyber attack.

In fact, 90% of successful cyber attacks start with a phishing email.

Hackers target weaknesses caused by users. Weak passwords are the unlocked windows. Phishing is your aunt letting a con man into the house.

A cyber security user awareness programme trains, supports and empowers your users to ensure your business isn’t low-hanging fruit for criminals.

If you can measurably reduce human error, or the likelihood of clicking on a phishing email, you have significantly improved your cyber security defences – at considerably less cost than another new technology.


6 steps of a cyber awareness programme…

Step 1: Establish a baseline

It is important to establish a baseline measure – a starting point. How much do your employees know about cyber security, particularly phishing scams?

With huge data breaches and ransomware attacks hitting the headlines in recent years, you could be forgiven for assuming your users understand these threats. While users might be aware that threats exist, they often don’t know how much of a threat they pose – and don’t be surprised if some have never heard the word phishing!

Once you have established a baseline you can then develop tailored training programmes and measure improvements.

To assess your employees, test them!

Develop mock phishing attack training programmes and see how well they perform. This will give you a clear picture of the current employee awareness levels of phishing, ransomware, and spear phishing. From this point, you should have a clear picture of potential security weaknesses.

Step 2: Review processes and compliance

Once you have established your user security awareness baseline, it is important that you conduct a thorough audit of all policies and procedures. Check these against regulatory compliance and tighten accordingly.


Ensure you factor in GDPR, PCI-DSS and other compliance requirements.

You should also look at the results from Step 1 and shape your policies to address security vulnerabilities among your staff.

Step 3: Provide broad-based training

Here, you outline the basic information to improve user security awareness.

This would include:

> The motive/objectives of hackers.

> What phishing and spear phishing are. Provide good examples and highlight the consequences of the most common types of cyber attack.

> The seriousness of the threat, the possible consequences to the business.

> Outline what staff should do with suspect emails, or in the event of a successful scam.

Your internal communications should take the form of department-wide emails, publications and awareness posters covering specific cyber security awareness issues, such as ‘How to create a strong password’ (they can remember!) or ‘How to identify a phishing email’, together with regularly planned training briefings to keep staff on their toes.

Step 4: Targeted user security awareness training

Once you’ve revised your policies and procedures, it is time to put them to the test.

This is the point where you develop training programmes for specific roles or departments, such as HR, senior management – and even IT.

To do this you should:

> Send out simulated phishing emails and make spoof phone calls. Can you “reset a password for a user” without following the correct protocols? Tailor your campaign by job role, department and awareness level (assessed in Step 1).

> Who clicked on the phishing emails? These individuals should be enrolled in a user awareness training programme (ideally role-based). Senior managers have more responsibility and access to sensitive data than non-management employees, so the training should reflect the scenarios each employee is most likely to face.

> Utilise the main types of cyber attack in training simulations, including phishing, spear phishing, weak passwords and ransomware.

Step 5: Assess results & address the risks

Now that your employees have undergone simulated cyber attacks, assessing the results is the next step.

This will tell you:

> The effectiveness of your training programmes, policies and procedures.

> The weak areas that require mitigation.

It is good practice to grade the weaker-performing areas by severity. This makes it easier to revise policies and training to address the most vulnerable and attack-prone areas first.

When complete, develop and introduce a plan to address problem areas.
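A concrete way to do the grading in Steps 1 and 5 is to score each department’s simulated-phishing results against the baseline and rank them worst-first. The script below is an added example written for this article, not Comtact’s tooling or anything from the original post; the campaign rows are constructed sample data standing in for an export from a simulation platform, and the severity thresholds (30% and 15% click rate) are assumptions to tune to your own risk appetite.

```python
"""Grade simulated-phishing results by department (added example, not the article's code).

Each row is (campaign, department, user, clicked_link, reported_to_it).
"baseline" is the Step 1 campaign; "followup" is a later campaign after training.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample export: 3 departments, 4 users each, 2 campaigns.
SAMPLE_RESULTS = [
    ("baseline", "HR", "hr01", True, False),
    ("baseline", "HR", "hr02", True, False),
    ("baseline", "HR", "hr03", False, False),
    ("baseline", "HR", "hr04", False, True),
    ("baseline", "Finance", "fi01", True, False),
    ("baseline", "Finance", "fi02", False, True),
    ("baseline", "Finance", "fi03", False, True),
    ("baseline", "Finance", "fi04", False, False),
    ("baseline", "IT", "it01", False, True),
    ("baseline", "IT", "it02", False, True),
    ("baseline", "IT", "it03", False, True),
    ("baseline", "IT", "it04", False, False),
    ("followup", "HR", "hr01", True, False),
    ("followup", "HR", "hr02", False, True),
    ("followup", "HR", "hr03", False, True),
    ("followup", "HR", "hr04", False, False),
    ("followup", "Finance", "fi01", False, True),
    ("followup", "Finance", "fi02", False, True),
    ("followup", "Finance", "fi03", False, True),
    ("followup", "Finance", "fi04", False, False),
    ("followup", "IT", "it01", True, False),
    ("followup", "IT", "it02", False, True),
    ("followup", "IT", "it03", False, True),
    ("followup", "IT", "it04", False, False),
]

# Assumed severity bands on click rate, checked in order; adjust to your risk appetite.
SEVERITY_THRESHOLDS = (("high", 0.30), ("medium", 0.15), ("low", 0.0))


@dataclass
class DeptStats:
    sent: int = 0
    clicked: int = 0
    reported: int = 0

    @property
    def click_rate(self) -> float:
        return self.clicked / self.sent if self.sent else 0.0

    @property
    def report_rate(self) -> float:
        return self.reported / self.sent if self.sent else 0.0


def aggregate(rows, campaign):
    """Count sent/clicked/reported per department for one campaign."""
    stats = defaultdict(DeptStats)
    for camp, dept, _user, clicked, reported in rows:
        if camp != campaign:
            continue
        s = stats[dept]
        s.sent += 1
        s.clicked += int(clicked)
        s.reported += int(reported)
    return dict(stats)


def grade(click_rate):
    """Map a click rate to a severity label using SEVERITY_THRESHOLDS."""
    for label, threshold in SEVERITY_THRESHOLDS:
        if click_rate >= threshold:
            return label
    return "low"


def compare(rows, baseline, followup):
    """Rank departments worst-first on the follow-up campaign, with trend vs. baseline."""
    before = aggregate(rows, baseline)
    after = aggregate(rows, followup)
    report = []
    for dept in sorted(set(before) | set(after)):
        b = before.get(dept, DeptStats()).click_rate
        a_stats = after.get(dept, DeptStats())
        delta = round(a_stats.click_rate - b, 4)
        trend = "regressed" if delta > 0 else "improved" if delta < 0 else "unchanged"
        report.append({
            "department": dept,
            "baseline_click_rate": b,
            "followup_click_rate": a_stats.click_rate,
            "followup_report_rate": a_stats.report_rate,
            "delta": delta,
            "grade": grade(a_stats.click_rate),
            "trend": trend,
        })
    # Highest follow-up click rate first; ties broken by department name.
    report.sort(key=lambda r: (-r["followup_click_rate"], r["department"]))
    return report


if __name__ == "__main__":
    for r in compare(SAMPLE_RESULTS, "baseline", "followup"):
        print(f"{r['department']:<8} click {r['followup_click_rate']:.0%} "
              f"report {r['followup_report_rate']:.0%} grade={r['grade']} ({r['trend']})")
```

Tracking the report rate alongside the click rate matters: a department that clicks less but also reports less has not necessarily improved, and a department whose click rate rose between campaigns (IT in the sample data) is the one to put at the top of the Step 5 plan.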

Step 6: Regular auditing for continued improvement

Finally, as cyber crime continues to evolve, you should develop audit programmes and assessments to keep pace. Formulate proactive processes and procedures that check for trend changes in cyber security attacks.

Cyber security user awareness training is not a one-off exercise.

You need to continually assess your ‘cyber awareness’ to maintain a high level, with continuous training initiatives and up-to-date policies that cover new joiners, new technologies and new threats.

Comtact’s ‘ready-to-go’ security user awareness programmes

Implementing a security awareness programme can have a big impact, significantly reducing human-based threats, although it will naturally require time and effort to implement and manage.

Comtact’s comprehensive Email Phishing & Cyber Security User Awareness Service provides a ready-made security awareness programme to maximise the impact and effectiveness, without using up the bandwidth of your internal team.

  • A central record of activity on all training campaigns delivered
  • A library of 1000+ customisable phishing templates
  • Extensive library of Security Awareness Training content (videos; posters etc.)
  • Monthly simulated phishing attacks
  • Themed campaigns, by user group, language
  • Quarterly spear phishing emails
  • Monthly reports on performance improvement on all employees
  • Production of legal documentation for the ICO, courts, PCI audit boards etc.

About Comtact Ltd.

Comtact Ltd. is a government-approved Cyber Security and IT Managed Service Provider, supporting clients 24/7 from our ISO27001-accredited UK Security Operations Centre (SOC).

Located at the heart of a high security, controlled-access Tier 3 data centre, Comtact’s state-of-the-art UK Cyber Defence Centre (SOC) targets, hunts & disrupts hacker behaviour, as part of a multi-layered security defence, to help secure some of the UK’s leading organisations.