Cyber Security Blog

Stay ahead of the curve with industry trends, cutting edge tech and inventive strategies.

How to build a more effective Cyber Security awareness programme?

Despite having best-in-class defence systems, many firms still experience security breaches. Unfortunately, you can’t rely on technology alone to prevent attacks.

You may have invested in sophisticated controls and layers of protection, but they will only take you so far. Just one careless click could lead to a severe security incident.  

According to Ponemon Institute, negligent insiders caused the majority of cyber attacks in 2021, showing a need for increased cyber awareness.

This includes employees:

  • Using insecure devices
  • Ignoring security policies
  • Clicking on phishing links
  • Not patching or upgrading software and devices

Many security leaders dread the actions of their employees. From speaking to our clients, human error is one of the top challenges keeping them up at night.

So how do you tackle this? You’ve tried running phishing simulations, provided annual training, and hosted the occasional quiz, but it’s still not doing the trick.

There could be several reasons why your efforts are unsuccessful. Read on to find out where you could be going wrong and how to build a more successful security awareness programme.

Why isn’t your Cyber Security awareness programme effective?

The easiest way to hack your systems is through your employees. Without effective Cyber Security awareness training, your firm is under increased risk of suffering a data breach. Attackers know employee cyber awareness is a common weakness and use this to their advantage.

Top reasons why your training and testing may be unsuccessful:

Unengaging content

Security awareness training must be engaging for employees to learn effectively. Whilst discussing security policies, best practice, and statistics is essential, it can lose meaning without relatable narratives or context to their job role.


How often are your carrying out awareness training? The key to a successful programme is consistency. Security awareness is a never-ending process. It involves creating and reinforcing good habits that will lead to positive changes in your team’s behaviour.

Despite the best of intentions, many firms host training and testing on an annual basis. Whilst this may initially boost awareness, knowledge retention decreases over time.

Lack of planning or direction

An ‘off the shelf’ service without clear objectives, will fail to improve your security culture. The programme requires a structure which aims to educate your users in a meaningful way. You need to establish strategic objectives and understand your high-risk areas.

10 steps to building a more effective Security Awareness Programme

Reconstructing your security culture from the ground up won’t happen overnight. But there are actionable steps which can set you on the right path.

1. Start by understanding your risk level

As a starting point, you need to establish a risk baseline. This helps you understand how ‘cyber-savvy’ your employees are before the programme begins. Don’t be too concerned if the results are worse than you’d hoped. You can then develop a tailored training programme which targets your weaknesses and measures improvements over time.

2. Social engineering is not just about phishing

Phishing awareness is important, but it’s not the only way hackers can target your employees. Onsite tailgating and social engineering attacks often get overlooked, but they also pose a significant risk to your information security.

An effective programme should incorporate onsite social engineering tests. These help you understand how easily a hacker could gain access to your physical office; you can then identify areas for further education.

3. Use staged and tailored phishing tests

You need to do more than blanket phishing tests across your departments. As your security awareness programme evolves, use the data gathered to develop a more targeted approach to testing and educating. Use previous tests results to shape future ‘phishing attacks’, making them more difficult to detect after mastering a certain level. You can then measure and improve the awareness over time.

For even more valuable insights, the messaging should be tailored to specific job roles. You can do this by targeting small focus groups within departments, using social engineered messages.

4. Train continuously – but avoid information overload

If you don’t maintain continuous training, knowledge can quickly erode. For best results, routinely test and educate your employees to keep up with developing threats. Whilst frequent phishing awareness training is important, you want to avoid ‘information fatigue’. To help your team better absorb training courses, break training down into small manageable chunks.

5. Your training should provide real-life examples

For the best retention keep cybersecurity awareness training specific to your business, help your team understand risks in the context. Use real-world examples of spear phishing and security threats faced by your organisation. Avoid offering abstract advice, it’s better to provide practical ways users can apply this in their everyday job roles.

6. Analyse results to identify patterns

Assess the results against the wider context of your security strategy. If your users are more prone to fall for particular phishing scams, review your controls and tighten email policies around problem areas.

7. Switch it up, and keep it interactive

If your training feels like a chore, it will do more harm than good. A successful training program needs to be interesting, varied, and interactive. Combining e-learning, in-person training, newsletters, posters, quizzes, and games can help keep your team interested and growing.

8. It starts from the top

Your management teams play a crucial role in improving cyber awareness. When it comes to changing company culture, influence starts from the top. Your managers should be given the power to act as security advocates and demonstrate secure behaviour.

9. Don’t play the blame game

You’re investing time and budget and have pressure to demonstrate ROI. Blaming your employees is counterproductive to your programme’s success. It’s better to create a safe environment for your users to own up to mistakes.

Avoid punishing people who make mistakes after they have been trained, as fear will not inspire your team. This will only achieve disengagement, and make them less likely to report mistakes.

10. Understanding the limits of technology

Train your users to understand that technology has its limitations. You can spend a lot of money on security controls, but it won’t guarantee total protection from cyber threats. The game of cat and mouse between hackers and security professionals is an endless cycle.

A security patch is released. A new security flaw is discovered. A ransomware decryption key is developed. A more aggressive strain follows. A phishing scam is quarantined. It reappears days later from a new IP. Technology is a start, but you also need proactive support from your team.

Are you confident your cyber awareness programme can control human risk?

Changing the very fabric of your company culture is no easy task, but by creating a programme with a strategic purpose, rich in helpful takeaways and actionable goals, you can work towards building a more security minded workforce.  

If you would like to chat to our team of security experts about improving data security and developing a more effective cyber awareness testing and education programme, you can call us on 0121 663 0055, start a live chat or email

Ready to achieve your security goals? We’re at your service.

Whether you are a CISO, an IT Director or a business owner, Equilibrium has the
expertise to help you shape and deliver your security strategy.

Latest posts