
The ultimate security awareness training guide for 2024

Pim de Vos, Marketing Manager

This is a SUPER detailed security awareness training guide for 2024.

In this new article you’ll learn about:

  • The importance of security awareness
  • The different types of security awareness training
  • The best ways to get your organization on board
  • The ways well-known Dutch brands train their employees

Let’s dive right in.

What is security awareness training?

Security awareness training is training that equips staff to recognize and avoid cyber threats that they may encounter at work or in their personal lives. A good security training program raises awareness around issues like phishing, malicious software (malware), social engineering and other hazards of the digital world.

Security awareness training may cover specific policy or regulatory frameworks, such as HIPAA, or it may be more general. Training can take many forms, from a yearly refresher class to ongoing learning delivered on a regular basis.

Why is security awareness training so important?

Up to 95% of all hacks and data leaks are caused by human error. From clicking a phishing link to using weak passwords — mistakes made by human beings are often the starting point of cybercrime. That’s why it’s so crucial to train your employees to recognize and report cyber threats.

The importance of security awareness training has been a hot topic for years now. Not every security professional views it as necessary, since they believe human error can’t be ruled out. They prefer to rely on technological measures that keep the organization safe even when human errors occur.

At Guardey, we believe in a combination of both. While it’s true that training can’t guarantee safety, we understand that technology can’t either. There is no spam filter in the world that guarantees it will catch all phishing emails. For the one percent of phishing that makes it through your technological defenses, you want your employees to be aware of the dangers of phishing.

There are a lot of cyber threats that can’t be prevented by technology. Think of real-life social engineering, where a person enters the office and convinces the receptionist that they are a contractor who needs access to the servers. Situations like these can only be prevented when everybody within your organization has a high sense of security awareness.

An introduction to common cyber threats

Phishing, vishing, smishing, and quishing

Phishing is the use of email messages to attack a target. Phishing emails pretend to originate from someone the target would usually trust, like a client or colleague, or from a trustworthy entity such as a bank or online retailer. Sometimes the object of a phishing email is to trick the recipient into downloading malware. More generally, though, the aim is to obtain sensitive information, such as the target’s login credentials for an online banking service, or personally identifying information like their social security number.

A graph showing the growth of phishing attacks throughout the years.

Vishing is a similar attack using voice and video calls, while smishing uses SMS and text messaging. Spear phishing means an attack aimed at a specific individual, like a C-suite executive or someone with IT access. In these cases, the hacker often uses social engineering to make the target feel like the message is authentic. Quishing refers to the use of QR codes that trick targets into visiting malicious websites or transferring money directly to criminals.

Malware

Malware is malicious software that is spread by cybercriminals. It can infect individual computers and other devices, or entire networks. There are many different kinds of malware. Here are some examples:

Viruses

Viruses are self-replicating programs designed to cause damage to a system, deleting data or introducing further vulnerabilities that can be exploited.

Trojan horses

Trojan horses are programs that are disguised as legitimate software but cause damage to a system. Trojan horses often hide undetected on computer systems for an extended period, stealing information and sending it to cybercriminals. A common type of trojan horse is a keylogger. This records all the keystrokes entered into an infected computer, potentially revealing passwords and other sensitive information. This can then be used for further crimes, such as data theft and identity theft.

Ransomware

Another common type of malware is ransomware. Ransomware is malware designed to obtain a ransom from the victim. Typically, ransomware will encrypt all the files on a computer system or network, then solicit a ransom from the victim in exchange for the means to decrypt them.

The ransoms demanded are often very high, sometimes much more than the victim can ever pay. Even if the ransom is paid, there’s no guarantee that the attacker will provide decryption keys. In many cases, the encrypted files are lost for good. In recent years, there have been many high-profile ransomware attacks, such as the 2023 attack on the UK’s National Health Service.

Ransomware is on the rise internationally, with the size of ransom payments increasing.

Ransom payments by quarter

Malicious websites

Malicious websites, also known as attack sites, are websites that host malicious code with the intent of tricking users into downloading it onto their devices. In some cases, attack sites are set up for this specific purpose. In others, a legitimate site is hijacked by cybercriminals who then insert malicious code into it. Some sites, called drive-by attack sites, don’t even require the victim to click a download link or interact in any way — just visiting the site is enough to infect a system that’s improperly secured.

Malicious websites may also imitate trusted websites in order to trick users into entering their login credentials, allowing criminals to gain access to victims’ accounts.

USB attacks

Removable media such as USB drives can easily be used as a vector for malicious code. In some cases, a criminal might gain physical access to an organization’s devices; more usually, attackers will leave infected USB sticks where unwitting staff members can find them.

It is trivial for an attacker to acquire a USB drive adorned with the logo of the target organization, or another trusted entity such as a client or regular supplier, and leave it near the premises where it will be picked up. They’re relying on curious or helpful staff members to plug the USB drive into one of the computers on an organization’s network to check its contents. Once connected, the infected drive can deposit its payload of malware.

Note that any device capable of storing data can be used for this kind of attack, including MP3 players, digital cameras and smartphones. One recent example is Sogu, a USB-assisted cyber-espionage campaign that targets multiple industries.

All of these attacks can be devastating for an organization. You can minimize the odds of being hit by an attack like this with proper security awareness training for employees and business owners. When an organization’s personnel are aware of the risks and how to avoid them, they go from being a point of failure to a human firewall.

And the list goes on

The above-mentioned cyber threats are some of the most prevalent, but cybercriminals have many more methods to steal valuable data. As time progresses, their methods improve and become harder for the untrained eye to notice. Especially with AI on the rise, the different types of cyber threats seem limitless.

The different types of security awareness training

There are multiple ways to train your employees. Below, we’ll go through some of the most commonly used approaches.

Yearly courses

Many organizations still rely on annual training courses to prepare their staff to deal with cyber threats. Yearly security awareness training for employees has two main problems. Firstly, the digital threat landscape is constantly changing. New threats arise all the time, not just once a year, so annual training rapidly becomes outdated.

A visualization of the forgetting curve

Secondly, people simply don’t retain information for a full year. Even the most attentive learner won’t remember everything they’ve learned for more than a few months. This knowledge decay means that staff’s knowledge will inevitably become less comprehensive over time, making them less effective at avoiding risks.

In-class training

In-class training does have some advantages over other teaching methods. It creates a distraction-free environment where learners can focus on the specific topics that they need to understand and internalize. In-class training does have significant downsides, however. Learners need to be pulled away from other activities, meaning that they either fall behind on work tasks or give up their free time.

In-class training also enforces a one-size-fits-all model onto students, with some learners feeling bored or unchallenged and others left confused by new topics.

Traditional e-learning

Traditional e-learning attempts to replicate in-class learning in a remote environment. Classes are delivered over a platform like Canvas or Moodle, using slides and other media. There are usually lectures, either pre-recorded or delivered live by an instructor. While traditional e-learning is more flexible and scalable than in-class learning, it has some of the same drawbacks. Learning tends to be passive, with limited interactivity and sub-par engagement or retention.

Gamified training

Gamified security awareness training offered by providers like Guardey is a modern solution. It’s similar to the approach taken by language learning apps like Duolingo. Instead of being presented with a great deal of information once a year, or as discrete classes with limited interaction, learners receive a steady flow of short, easily digestible trainings.

Example of a Guardey phishing awareness challenge

With Guardey, users get a weekly challenge that takes them about 3 minutes to complete. During a challenge, they learn about cyber threats such as phishing, malware, weak passwords, and AI. By performing well during challenges, they can score points for the organization’s leaderboard. Friendly competition among colleagues has proven to keep users engaged.

By gamifying the learning experience, users become intrinsically motivated to keep showing up, whether that’s to reach the top spot on the leaderboard, continue their hot streak of consecutive weeks played, or simply improve their own high score.

How to get your organization on board with security awareness training

You’ve decided that gamified learning is the ideal solution for your organization’s security training needs. You’ve found some great products that fit all of your requirements. Now comes the tough part: persuading your organization to adopt a new training solution.

People may be reluctant to take the plunge into gamified security training for several reasons. You’ll need to answer a lot of questions. What is security awareness? How does it benefit the organization? People who’ve already endured a yearly cybersecurity class might feel that they don’t have anything to gain from ongoing training. Managers and executives may believe that their staff are too sharp to be taken in by a phishing email or a mysterious flash drive in the parking lot. Here are some ideas that can help persuade people and get them on board.

  • Organize a security awareness week: A fun and engaging security awareness event can help get people excited about cybersecurity and eager to know more.
  • Conduct a spear phishing simulation: A realistic spear phishing simulation that targets key individuals can help to demonstrate that anyone in your organization might be vulnerable.
  • Recruit a guest speaker: An expert speaker can help bring people around to your point of view more effectively than abstract information. This could be a victim of cybercrime, a security expert, or even an ethical “white hat” hacker.

How Dutch organizations are training security awareness

Here are some examples of Dutch organizations that have successfully implemented security awareness training for their employees.

EyeOn

The team at Eyeon

EyeOn is a forecasting and planning specialist, helping international companies to manage supply chain challenges. EyeOn is responsible for a great deal of their client companies’ data, which needs to be handled securely. They adopted a gamified cybersecurity training solution to make sure that their staff were up to the challenge and to align their security with ISO27001 certification requirements.

They introduced the new training program among employees with what they called a security awareness week. “We started every day with an interview of 15 minutes and called that the safety catch-up. Every day had a specific theme. The first one was called ‘from desk to destination’. This was all about security measures during traveling, such as using a safety screen, storing your laptop safely, and so on. Another theme was all about confidential data, which is what we called ‘how to not get in trouble with the SEC’.”

Priore

Priore's office building

Priore offers accountancy and tax advisory services. With the responsibility for clients’ sensitive financial information, cybersecurity is vital to them. Priore wanted to maintain a high level of security awareness among its staff at all times. That’s why they switched from a yearly cybersecurity course to a solution that delivered ongoing learning: Guardey.

“80% of the organization immediately started actively engaging after the first introductory email. After a month or two, everybody apart from 1 or 2 people was using Guardey every week. This was all due to intrinsic motivation and understanding the importance of security awareness. There are no incentives like a monthly prize or anything, so we can still try that if participation happens to slow down.”

Konot

KONOT is an educational foundation, providing education through 22 Dutch primary schools. The organization needed a security awareness training solution that would align them with GDPR. Having already been the target of multiple failed cyberattacks, KONOT needed a training product that would keep its staff informed and aware at all times. They adopted Guardey to offer ongoing training and evaluation to ensure consistent security awareness.

KONOT has recently rolled out Guardey, and the first feedback is now coming in from the users. “The first feedback that we have received is enthusiastic. Guardey made them really competitive, which is a good sign,” says Martijn. “It’s very accessible, which I appreciate. A small few were less excited about the concept of awareness training before we started, but we will evaluate with them soon.” Frieda continues: “I’m not a gamer at all, but I also noticed I kept taking on new challenges. It’s really easy to get through the questions.”

Delta Wines

Delta Wines is a wine wholesaler. When their insurance provider emphasized the importance of security awareness training and the forthcoming NIS2 directive, Delta Wines’ CEO took action. To get everyone on board, a phishing simulation was conducted that provided a valuable wake-up call to many people. After many staff were taken in by the convincing email, they were very receptive to additional training.

“We’re getting a lot of positive feedback. A lot of employees immediately start playing the new weekly challenge once they receive the email that it’s ready. Some of them are seriously disappointed when they get a question wrong. It has started multiple internal discussions about security, which is great.”

Gezamenlijke Brandweer Amsterdam

Gezamenlijke Brandweer Amsterdam (United Fire Department Amsterdam) is a major fire department, tasked with incident response in an industrial area of Amsterdam. If a fire department falls victim to a cyberattack, the results could be catastrophic. The department also needed to comply with NIS2 requirements. Team lead Raymond Pikee wanted a recurring training solution that would be fun and engaging.

In the leaderboard, the firefighters can see how well they are doing compared to colleagues, which boosts the internal competition. “We’re a competitive bunch, so that’s a nice touch. These gamification elements make it fun to play Guardey, which also helps us to remember the information.”

How to start implementing security awareness training

Now that you understand the basics of security awareness training, you can start researching the training provider that best fits your needs.

At Guardey, we offer gamified security awareness training that is focused on keeping users engaged over long periods of time. By using a leaderboard, achievements, hot streaks, and other gamification elements, users get a sense of friendly competition, which boosts participation.

Start a 14-day free trial

Try out Guardey's gamified security awareness training platform for free.
