Investing in people
Why training is the best defence against cybersecurity and data threats


Data security and cyber threats are a major concern for businesses of all sizes, as they can lead to the loss of intellectual property or confidential customer data. As technology advances, so too do the methods criminals use to try and gain unlawful access to sensitive information.

Investing in your team is one of the best ways to stay ahead of the threat and keep your organisation safe. In this guide, we’ll explore how training employees on cybersecurity and data protection protocols allows organisations to build a secure line of defence.

Chapter 1

An introduction to cybersecurity at work

Cybersecurity is the protection of devices, services and data from cyber attacks. Everyone who’s connected to the internet needs cybersecurity, because attackers will look for common vulnerabilities rather than targeting a specific person or organisation.


Six common cybersecurity categories

01 Application security

Quality application, software and device makers think about security while they’re still designing a product.

02 Disaster recovery

03 End-user education

04 Information security

Data protection.

05 Network security

06 Operational security

Addresses the way cybersecurity decisions and procedures are handled.

Why is it important?

It can be difficult to run your business without legitimate cybersecurity protections, especially if you specialise in e-commerce or have a strong online presence. The way cyber attacks are carried out is becoming more sophisticated, which requires staying on top of the tactics attackers might use and guarding your business against them.

And the costs of a cybersecurity breach are high. There are two levels of fines for breaching the General Data Protection Regulation (GDPR):

Lower level

Fines of up to £8.7 million under UK GDPR, €10 million under EU GDPR, or 2% of annual global turnover under both.

Higher level

Fines of up to £17.5 million under UK GDPR, €20 million under EU GDPR, or 4% of annual global turnover under both.

Additionally, the UK government’s Cyber Security Breaches Survey 2023 found:

  • 32% of businesses reported breaches from the previous 12 months
  • These figures were higher for medium and large businesses (59% and 69% respectively)
  • The cost of the most disruptive cybersecurity breach was £1,100 on average, rising to £4,960 for medium and large businesses.

The reputational damages can also be significant, affecting your bottom line well after the breach has been fixed. Customers will look elsewhere if they feel their security has been compromised – 60% of small companies close within six months of being hacked.

Despite this, the number of businesses prioritising cybersecurity is falling, according to the most recent UK government data: 68% of businesses said cybersecurity was a high priority in 2023, compared to 80% in 2022. UK organisations also have a relatively low spend on security: 11.3% of the IT budget (compared to 15.6% for the highest-scoring nation, Brazil).

Your board will want assurance that the business is as protected as it can be, and reducing the risk of a cyber attack goes a long way. One way to do this is by ensuring your employees are as informed as possible about the consequences of cyber attacks and how to guard against them.


Cybersecurity risks

There are many types of cybersecurity risks that you and your team need to be aware of. Most of them involve collecting data like financial details or personal information, in order to commit fraud.

01 Backdoors

In cybersecurity, a backdoor is a method a cyber attacker uses to get around the usual security measures and gain access to a device. Once they’ve done this, they may use this access to steal data or install harmful software.

02 Cryptojacking

Cryptojacking is the unauthorised use of your business’s computing resources to mine cryptocurrency. Cryptojacking programs may be installed on a device or added to web pages using code. Mining cryptocurrency takes a lot of computers and electricity, so by cryptojacking the attackers gain the rewards without the cost, at the expense of your organisation.

03 DDoS attacks

DDoS stands for distributed denial of service. Attackers try to disrupt normal traffic by overwhelming the server, service, or network with more traffic than it can handle. This means that people who are genuinely trying to access your website or service cannot.

04 DNS (domain name system) poisoning

Also known as DNS cache poisoning or DNS spoofing, this technique lets threat actors redirect traffic to malicious websites that may look like carbon copies of your own. Once on one of these sites, users are prompted to share sensitive information like bank details.

05 Formjacking

Threat actors use formjacking to add malicious code to online forms, often payment forms, so as to collect user data.

Malware

The term ‘malware’ covers any sort of malicious software that harms a device, service or network, usually with the aim of collecting data. Types of malware include:

Adware displays unwanted adverts.

Fileless malware uses legitimate tools, programs and apps to carry out a cybersecurity attack. This makes it difficult to detect.

Ransomware installs itself onto your device, encrypts your data, then demands a ransom (usually to be paid in cryptocurrency) in exchange for the return of your data.

Scareware creates fake warnings that appear, encouraging users to buy or download a harmful application.

Worms use security weaknesses to copy themselves from device to device.

Trojans trick users into downloading and opening a harmful app. These apps can steal data, spy on the user, and crash devices.

Viruses are normally delivered via email attachments. Once you open the attachment, the virus infects your device.

Spyware is installed on a device without the user knowing. It sends personal information to the threat actor.


Chapter 2

Training your employees

The faster a cyber attack is identified, the less money you lose. In 2022, the average time taken to identify and resolve a data breach was 277 days — approximately nine months. But organisations can save huge amounts of money if they take less than 200 days to resolve things. That’s why training people is so important.

Introducing cybersecurity awareness

Your cybersecurity will be stronger if everyone in the company knows exactly what your protections and procedures are, so aim for clarity from the beginning.

Think about the most effective way to carry out training and communicate your message. You may need to use multiple methods, such as a live presentation in front of everyone that is recorded and then shared by email, as a video on the intranet, or as a document that people can bookmark and refer to as needed.

Use simple language that everyone can understand. Technical jargon can be confusing for those who aren’t familiar with cybersecurity terms.

Provide context that’s relevant to your audience. Talk about how cybersecurity threats can affect them as well as the organisation. This gives everyone a personal stake in your cybersecurity plans and means they’re more likely to exercise caution.

The components of cybersecurity training

Cybersecurity spans a whole range of topics, so cover as many as possible to ensure your employees get comprehensive training.

Awareness of the risks

We’ve already mentioned how having a personal stake in your cybersecurity plans can encourage people to be more proactive. Another thing that can help is making them aware of how serious the risks are. The financial and personal costs of an attack are high, and knowing this can encourage greater vigilance.

Identifying suspicious activity

Prevention is better than cure, so it’s vital to educate your people about the signs of a potential cyber attack:

  • Programs or apps they don’t recognise appearing on their devices
  • Pop-ups they don’t recognise appearing on their devices
  • Warnings of an infection, with a link to buy something to ‘fix’ it
  • New browser tabs or extensions that they didn’t add, or the browser redirecting them to sites they didn’t want to visit
  • The device slowing down without an apparent reason
  • Losing control of the keyboard or mouse
  • Having trouble starting up or shutting down the device

The more of these problems a device has, the more likely it is to be infected with malware. Have a policy in place that requires people to report these signs as soon as they spot them.

Protection

Understanding the different types of cybersecurity protection available can be daunting. But arming everyone in your organisation with the knowledge needed to protect it from malicious activity can save you money and spare you a great deal of stress and frustration.

Antivirus software

Often the first step for many in their cybersecurity protections, antivirus software protects laptops and computers from viruses and malware. It works by detecting malicious code, then deleting it before it causes any damage.

Some laptops and computers include antivirus software as standard, though you may have to switch it on manually.

Make sure everyone knows what antivirus software your organisation installs on its devices as standard, as well as the types of communication to expect. A common tactic used by threat actors is to use emails or pop-ups claiming to be from well-known antivirus software providers, encouraging users to make a payment or click on a link.

Large organisations will often have a dedicated IT team to take care of antivirus software and the associated admin. If you run a small or medium-sized business, it might be up to each individual to keep the software updated, with guidance from you. Either way, make it clear what policies are in place so everyone knows what to do.


Strong passwords

A strong password can be the difference between an attempted cybersecurity breach succeeding or failing, so password protection should be prioritised in the training your organisation provides. Consider the following recommendations.

Advise your employees on what makes a password more secure

As a rule, passwords should:

  • Include a mix of lower and uppercase letters, numbers, and special characters.
  • Not include words or numbers that are easy to guess. A survey by NCSC found that 23.2 million breached accounts used ‘123456’ as the password.
  • Not be used for multiple accounts. Threat actors may use a method called ‘credential stuffing,’ whereby they use the details from one breached account to access others.
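
The three rules above can be turned into a simple policy check that a password manager or onboarding tool could run before a password is accepted. The Python below is an added example written for this guide, not code from the original page; the list of guessable tokens and the 12-character minimum are assumptions (the guide states no minimum length), and a real deployment would check against a full breached-password list rather than the short constructed one here.

```python
import re

# Constructed stand-in for a breached/common-password list; a production check
# would load a full list of known-breached passwords instead (assumption).
GUESSABLE_TOKENS = ("123456", "admin", "letmein", "password", "qwerty", "welcome")

# Assumption: the guide gives no minimum length, so 12 characters is used here.
MIN_LENGTH = 12


def password_problems(password: str, existing_passwords: dict[str, str]) -> list[str]:
    """Return the policy violations for `password` (an empty list means it passes).

    Implements the guide's three rules: a mix of character classes, nothing
    easy to guess, and no reuse across accounts. `existing_passwords` maps an
    account name to the password already in use there, as a password manager
    would know them, so reuse (the credential-stuffing risk) can be flagged.
    """
    problems: list[str] = []

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Rule 1: mix of lower and uppercase letters, digits and special characters.
    required_classes = (
        ("lowercase letter", r"[a-z]"),
        ("uppercase letter", r"[A-Z]"),
        ("digit", r"[0-9]"),
        ("special character", r"[^A-Za-z0-9]"),
    )
    for name, pattern in required_classes:
        if re.search(pattern, password) is None:
            problems.append(f"missing {name}")

    # Rule 2: no easy-to-guess words or digit runs anywhere in the password.
    lowered = password.lower()
    for token in GUESSABLE_TOKENS:
        if token in lowered:
            problems.append(f"contains guessable sequence '{token}'")

    # Rule 3: not already used for another account.
    reused = sorted(acct for acct, pw in existing_passwords.items() if pw == password)
    if reused:
        problems.append("already used for: " + ", ".join(reused))

    return problems


if __name__ == "__main__":
    # Constructed sample: one existing account the user already holds.
    vault = {"crm": "Other-Pass!2024x"}
    for candidate in ("123456", "Password123!x", "Wr3n-Lantern!9ab", "Other-Pass!2024x"):
        issues = password_problems(candidate, vault)
        print(f"{candidate!r}: {'OK' if not issues else '; '.join(issues)}")
```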

Update passwords regularly

Experts recommend changing them every few months. This limits the amount of time a threat actor can access an account if it were to be compromised.

Ask your employees to use a password manager

Password managers generate different, secure passwords for each account and store them safely. Strong passwords can take time to think of and be near impossible to remember; a password manager makes logging in easy while still ensuring everyone is protected.

Make two-factor authentication compulsory

Make two-factor authentication compulsory for all your organisation’s email addresses and other important accounts. While it can take a little longer to log in, there are good reasons why it’s important:

  • Email accounts are a hub of information — personal, professional and financial.
  • If criminals gain access to employee email accounts, they can use this information to scam people, affecting your organisation’s financial position and reputation.
  • Even if a threat actor is able to guess your password, they still won’t be able to log into an email account if they don’t have access to the associated mobile number.

Device care

All the programs and apps you use as part of your business efforts must be protected, but don’t forget the devices themselves. They can be a way into your organisation, and you wouldn’t let just anyone in.

Encourage responsible device ownership by:

Having an IT policy that clearly sets out rules and expectations

For example, are people based on-site allowed to take their devices home? If your people are hybrid or remote, are they allowed to use the organisation’s devices for personal reasons, or solely for the requirements of their roles?

Keeping devices updated with the latest software and applications

Software updates fix the vulnerabilities found in older versions — vulnerabilities that threat actors will look for and exploit — and help to better protect data.

Running a scan with their antivirus software

Advise people to run a scan with their antivirus software if they become suspicious that a device may have been infected.

Raising awareness of the risk of theft and loss

We’ve all heard horror stories about people losing laptops and USBs, or having them stolen. Ask people not to leave devices unattended and unlocked, especially when they’re commuting or travelling.

Limiting the number of applications people can have on their devices

Ensure no one can install anything on your organisation’s devices without the approval and assistance of a system administrator.

Backing up data

Cyber criminals can infect data storage devices like hard drives, USB drives and memory cards as well as smartphones and laptops. More portable devices that are likely to be shared between employees are at greater risk, as it can be difficult to keep track of what information they contain, who has used them and when.

Reduce the chance of a cyber attack by:

  • Limiting your use of portable storage devices so that most people in your organisation don’t need to use them.
  • Permitting the use of approved portable storage devices only, and making sure they aren’t permanently connected to the device that holds the original data.
  • Installing antivirus software on all devices.
  • Backing up data using different methods, such as cloud storage, hard drives, and email.

Phishing scams

In a phishing attack, a scammer sends an email asking for sensitive (often financial) information, or sends links to harmful websites. As the name implies, a phishing attack is usually random, but there are variations that target specific people for specific reasons (these are known as ‘spear phishing’ and ‘whaling’ attacks).

While in the past phishing attacks were normally easy to spot, scammers have become savvier and it can sometimes be tricky to identify them. Some emails may include branding from legitimate household names, such as banks, and ask for personal information (legitimate banks don’t do this).

You can combat this by making it clear to people what they would and wouldn’t ordinarily be asked for over email. This means odd requests, such as money transfers, are likely to stick out more and be reported. Encourage people to speak out if they think something might not be right; with the rise of AI and deepfakes, even the smallest doubt is worth investigating.

Making people aware of the many ways in which their email communications can be compromised should be a key component of your overall cybersecurity strategy.


Chapter 3

Ways to train your employees

E-learning courses

In today’s more flexible working environment, e-learning courses are an ideal option for organisations with people working remotely. Everyone will have access to exactly the same learning materials and can complete the course at their own pace (though it’s worth setting a realistic deadline to make sure everyone gets it done).

E-learning courses will normally include:

  • A library of content users can engage with, such as presentations, videos, infographics and guides.
  • Real-life examples of cyber attack scenarios.
  • Tests and assignments, so users can see their knowledge gaps and progress.
  • Reports for IT managers, so that users’ progress can be tracked, areas for improvement identified, and any need for further protection acted on.

In-person training

You may decide to hire professionals to train your employees, or attend an off-site training day. While this costs more than doing it yourself, it also equips your team with the most up-to-date information and strategies, all while explaining technical terms in a way that everyone can understand.

One benefit of doing cybersecurity training in person is that you and your team can engage in discussions and group exercises, which can lead to a deeper understanding of why breaches happen and what you can all do to prevent them.

Books and guides

While books and guides aren’t a substitute for comprehensive training, they can help to provide people with context around the subject of cybersecurity. You can find general overviews, or if there’s a particular element that people are struggling with, you can find a book about that.


Chapter 4

Maintaining best practices

Onboarding new employees

Making cybersecurity part of your onboarding process ensures that it’s an element of the organisation’s culture from the beginning. Introduce all your cybersecurity policies so new starters have the same knowledge as the rest of the team, and encourage them to come forward if they notice something that doesn’t look right. Taking cybersecurity into account will just become part of their routine.

Stealth testing

Wondering how you can test your team’s knowledge of their training without actually putting them at risk? Try stealth tests, whereby mock threats are sent out to see how people would react in a real situation. The results will show you how effective your training has been and identify areas for improvement.

The easiest way to do this is by simulating a phishing attack. Real phishing emails contain malicious links or downloads, but your test email should contain a safe link, as well as clues that the email isn’t really from the person it claims to be. The link to the site should be one where you can monitor the traffic and IP addresses of visitors, so you can see who clicked the link to visit it.

If you don’t have time to set this up, you can hire a third party to simulate the phishing attack for you.

A stealth test will have the most impact if you follow up afterwards. Let people know about the test and use it as an opportunity to deepen their understanding of cybersecurity risks, rather than scolding anyone who clicked the link. It’s a learning experience.


Refresher courses

Cybersecurity training has to be ongoing. The methods cyber attackers use grow more sophisticated as time goes on, and organisations need to stay informed about the latest threats. You can reduce the risk of a security breach by treating cybersecurity training as a form of continuous professional development, with relevant updates so it doesn’t get stale. Employees are more likely to retain information this way.

Keep the conversation going

Regular updates can go a long way, so keep cybersecurity at the forefront of everyone’s minds. Follow the trends, and include updates in your organisation’s newsletters and announcements.