The Importance of Cybersecurity Awareness Training

Posted by Dax Wiseman on Jun 10, 2025 2:23:46 PM

I recently watched a documentary (The Twister: Caught in the Storm) on the EF5 tornado that hit Joplin, Mississippi on May 22, 2011. Part of the documentary included an interview with the mother of a teenage boy who grew up fascinated with weather. The local weather forecaster had invited her son to work with him for a week to see what it was like to be a meteorologist, and he invited him during tornado season for the excitement.

They were at a diner in Joplin having dinner before the EF5 tornado hit the town, ultimately taking 158 lives. The storm warning sirens were going off, and all the local diners were just eating and chatting and carrying on like everything was fine. The woman asked another diner if they should be concerned about the sirens and was told, “They go off all the time, you get used to just ignoring them.”

It made me think of cybersecurity awareness training. Well, bad cybersecurity awareness training.

It has been my experience in talking with small business owners that the importance of cybersecurity awareness training is not taken seriously. It is treated as just another drain on the bottom line, a necessary evil, forgetting that the weakest link in your company's cyber security is your end users.

Why do I need cyber security training for my firm?  

Scammers are after your money, and everyone is a target. Without proper training, I have seen two outcomes. The first is users with blatant disregard for security: passwords on Post-it notes, PII (personally identifiable information) and data saved on the desktop for ease of use.

The other outcome is possibly worse: users who fear opening emails, panic over any system hiccup, put in support tickets, halt work and impact productivity.

Statistically speaking: 

  • Studies show that 80% of organizations reported that security awareness training decreased staff vulnerability.
  • Regular training rapidly reduces the risk from 60% to 10% within the first year.
  • 60% of cybersecurity breaches are caused by human involvement, phishing being the major factor.
  • $115,000 – The median amount currently paid to ransomware groups, proving that small business is not immune to hackers.
  • 4X – A user with recent phishing training is 4X less likely to fall for a phishing attack.
  • 2nd – Financial organizations were the second highest in incidents and breaches in both small and large organizations.

In today’s digital business world, a once-a-year PowerPoint security training is not enough. Do you leave the office door unlocked when you head home for the day? The importance of cybersecurity awareness training has led to professional offerings by most security companies and some specialized offerings that only do training.  

How do I choose the right package for my firm?  

When evaluating a cybersecurity awareness training package ask the following questions: 

How often does the user get training?    

I recommend short trainings that a user can do quickly during downtime. You want to ensure the content is constantly updating, just like the cyber threats. The 4X reduction in a user's likelihood of being phished after training declines as time goes by. Short weekly trainings are ideal. Most providers allow you to choose how often to do the training, so you can find what works for your firm.

How is the training administered?  

I evaluate training as a user. Would I want to take this training? Look for an engaging and entertaining delivery. How can it be delivered? Can users do it on their phone? Is there a Microsoft Teams plug-in?

A good cybersecurity awareness training will leave you wanting to tell people what you learned. Hearing employees discuss what they learned is a bonus.

“Did you know that malware has been found in public airport charging kiosks and even the USB ports of hotel lamps? If you do use one, make sure you turn off the device first.”

Is there a phishing campaign element?  

Most trainings will offer a phishing campaign element to test your users. Make sure you can customize when it is delivered; you don’t want all your employees getting the same phishing email at the same time. See if you can set the difficulty level and change it over time as your employees get smarter.
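The two campaign features discussed above, staggered delivery and a difficulty level that moves with each user's results, can be sketched in a few lines. The following is an added illustration written for this post, not code from any training vendor: it spreads a simulated campaign's send times across business-hour slots so no two employees receive their test at the same moment, and it raises or lowers each employee's difficulty tier based on whether they reported, ignored or clicked the last simulations. The employee names, the three tiers and the "two consecutive reports to level up" rule are assumptions for the example; it contains no email content.

```python
"""Staggered delivery and adaptive difficulty for a simulated phishing campaign (illustrative)."""
from __future__ import annotations

import random
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed difficulty ladder; a real product would define its own tiers.
DIFFICULTY_LEVELS = ("easy", "medium", "hard")
SLOT_MINUTES = 15          # granularity of send slots within business hours


@dataclass
class Employee:
    name: str
    level: int = 0         # index into DIFFICULTY_LEVELS
    streak: int = 0        # consecutive "reported" outcomes since last change


def business_slots(window_start: datetime, window_days: int,
                   hours: tuple[int, int] = (9, 17)) -> list[datetime]:
    """Every SLOT_MINUTES boundary inside business hours on weekdays in the window."""
    slots = []
    for day in range(window_days):
        date = window_start + timedelta(days=day)
        if date.weekday() >= 5:            # skip Saturday/Sunday
            continue
        for hour in range(hours[0], hours[1]):
            for minute in range(0, 60, SLOT_MINUTES):
                slots.append(date.replace(hour=hour, minute=minute, second=0, microsecond=0))
    return slots


def stagger_schedule(employees: list[Employee], window_start: datetime,
                     window_days: int, seed: int | None = None) -> dict[str, datetime]:
    """Give each employee a distinct send slot, randomly spread across the window."""
    slots = business_slots(window_start, window_days)
    if len(slots) < len(employees):
        raise ValueError("not enough slots; widen the campaign window")
    rng = random.Random(seed)              # seed only for reproducible demos
    chosen = rng.sample(slots, len(employees))   # sampling without replacement => no collisions
    return {emp.name: when for emp, when in zip(employees, chosen)}


def update_level(emp: Employee, outcome: str) -> int:
    """Adjust difficulty after a simulation: outcome is 'reported', 'ignored' or 'clicked'."""
    if outcome == "clicked":
        emp.level = max(0, emp.level - 1)  # drop back a tier and restart the streak
        emp.streak = 0
    elif outcome == "reported":
        emp.streak += 1
        if emp.streak >= 2:                # two reports in a row earns a harder tier
            emp.level = min(len(DIFFICULTY_LEVELS) - 1, emp.level + 1)
            emp.streak = 0
    elif outcome == "ignored":
        emp.streak = 0                     # neutral: neither promotes nor demotes
    else:
        raise ValueError(f"unknown outcome {outcome!r}")
    return emp.level


def tier_name(emp: Employee) -> str:
    return DIFFICULTY_LEVELS[emp.level]


if __name__ == "__main__":
    # Constructed sample roster; a Monday start so three weekdays are available.
    roster = [Employee(f"user{i}") for i in range(5)]
    plan = stagger_schedule(roster, datetime(2025, 6, 16), window_days=3, seed=7)
    for name, when in sorted(plan.items(), key=lambda kv: kv[1]):
        print(f"{name}: {when:%a %H:%M}")
    alice = Employee("alice")
    for result in ("reported", "reported", "clicked", "reported", "reported"):
        print(result, "->", tier_name(alice) if update_level(alice, result) >= 0 else "")
```

Distinct slots are what prevent the "everyone got the same email at 9:02" effect the post warns about; the adaptive rule is deliberately asymmetric, so one click undoes progress but it takes repeated correct reports to earn a harder test.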

How does the training drive the user to participate?   

One of the hardest aspects of security training is getting employees to participate. Your biggest producers and busiest employees are among the highest at risk, but they feel they don’t have time and are immune to discipline because of their profitability. Management needs to set the tone for its importance, but there are also training packages that offer contests and scoring to create healthy competition among your employees. Consider an office contest for highest score.

Is there a new hire training component? 

New hires are targeted frequently and should receive training, review the company use policy, and sign that they understand it on day one. Does the training offer this? I worked at a company where a newly hired sales associate was phished into spending $500 on gift cards because of a phishing email that appeared to come from the CEO, only to turn in an expense report that didn’t get paid and earn the nickname Gift Card Chris. You don’t want a Gift Card Chris on your team.

Ask your IT company who they recommend and then evaluate that choice. A simple Google search will give you reviews and competitors, and they all offer a free trial. Cost will fluctuate, but an ongoing package is usually $1.50 to $3.50 per employee, per month, depending on volume. A low cost compared with the alternative, in my opinion, but if it is outside your budget check with CISA. CISA (Cybersecurity and Infrastructure Security Agency) offers information at https://www.cisa.gov/resources-tools/programs/cisa-cybersecurity-awareness-program. You can also look at the National Cybersecurity Alliance at https://www.staysafeonline.org/. These will require more work on your part and lack features, so I do prefer the 'set it and forget it' commercial offerings.

Topics: Technology Advisory, Professional Development
