Training Employees in Information Security – What to Focus On
09.12.2025

Nearly 60% of breaches involve the human element — employees clicking malicious links, falling for social engineering, or mishandling sensitive data. In many cases, staff also become the initial entry point for attackers, long before any technical vulnerability is exploited.

Security tools can reduce these risks, but without employee awareness, no organisation can achieve full protection. Training is usually assigned to information security specialists — yet many are unsure how to structure it effectively.

What should a training programme include to make it truly meaningful? Sergio Bertoni, Leading Analyst at SearchInform, explains.

We at SearchInform train several tens of thousands of people every year — government employees, corporate staff across many industries, and teams working with personal and sensitive data. Ultimately, it is their vigilance that can disrupt an attacker’s plans. Here are the key observations I’ve gathered while designing courses over the years. 

What to Teach 

Social engineering has frightened everyone so much in recent years that many security specialists focus almost exclusively on this topic. The results can be impressive — companies report significant reductions in successful phishing clicks after systematic training.

But phishing and other social engineering tactics represent only part of the problem. What about the rest?

Weak passwords, reusing corporate passwords in personal accounts, the absence of multi-factor authentication, careless handling of corporate data — these remain constant sources of risk.

Here is the minimum we teach — and what should be included in any effective training programme:

  • Social engineering techniques — from email manipulation to deepfakes.
  • Security rules for remote work and business travel — TLS (HTTPS) rather than plain HTTP, VPN, secure communication and data exchange outside the office.
  • Password hygiene and MFA — what a strong password looks like, where to store it, why human-created passwords are predictable.
  • Digital hygiene online — behaviour on social media, public services, third-party resources.
  • Rules for handling corporate information — what constitutes confidential data, ownership rights, responsibility for disclosure.

Training Formats

There are many approaches to teaching security awareness: lectures, games, workshops, simulations. Modern platforms enable both offline and remote training, and many free tools exist for building interactive courses, including ready-to-use templates.

Examples include:

  • Game-based learning: custom IS games, quizzes, quests, vendor-provided materials.
  • Simulated attacks: tools like GoPhish.
  • Distance learning: Moodle, Google Forms, and similar platforms.

Despite this, the most common corporate practice remains a simple instruction session followed by “sign the logbook”. This is barely effective even for fire safety — let alone such an abstract area as information security.

Employees rarely believe that data protection affects them personally. That’s why any format you choose must include at least elements of gamification or hands-on training.

What makes the strongest impression, based on my experience:

  • Demonstrating how quickly passwords can be cracked.
  • Performing real-time OSINT searches on volunteers from the audience.
  • Making a phone call with a spoofed caller ID.
  • Showing how easily a person’s voice or face can be cloned.
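The password demonstration from the list above, and the "password hygiene" point from the what-to-teach list, can be shown on a projector with a few lines of code. The block below is an added example; it is not code from the article or from SearchInform. It runs a small dictionary-plus-mangling attack against three constructed passwords, counts how many guesses each one needs, and estimates brute-force time at an assumed single-GPU rate. Unsalted SHA-256, the mini wordlist, the rule set and the guess rate are all assumptions made to keep the demo self-contained; the lesson is the guess count, not the hash algorithm.

```python
"""
Added example, not code from the article or from SearchInform: a small
dictionary-plus-rules attack that shows why human-chosen passwords fall
fast. Unsalted SHA-256 is assumed only to keep the demo self-contained;
the lesson is the number of guesses, not the hash algorithm.
"""
import hashlib
import math

# Constructed mini wordlist. Real attacks start from tens of millions of
# leaked passwords, so the gap between "human" and "random" is far larger.
WORDLIST = ["password", "welcome", "summer", "admin", "letmein", "qwerty", "company"]

# Mangling rules in the spirit of hashcat/John rule files (simplified assumption).
SUFFIXES = ["", "1", "123", "!", "1!", "2024", "2025", "2024!", "2025!"]
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})

# Assumed single-GPU SHA-256 rate; order of magnitude only.
GPU_GUESSES_PER_SECOND = 1e10


def candidates():
    """Yield guesses in the order a rule-based attack would try them."""
    for word in WORDLIST:
        variants = (word, word.capitalize(), word.upper(),
                    word.translate(LEET), word.capitalize().translate(LEET))
        for variant in variants:
            for suffix in SUFFIXES:
                yield variant + suffix


def sha256_hex(password):
    """Unsalted SHA-256 of the password (assumption: stands in for whatever the target stores)."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack(target_hashes):
    """Return {hash: (password, guesses_needed)} for each hash recovered from the candidate stream."""
    found = {}
    for n, guess in enumerate(candidates(), start=1):
        h = sha256_hex(guess)
        if h in target_hashes and h not in found:
            found[h] = (guess, n)
            if len(found) == len(target_hashes):
                break
    return found


def brute_force_seconds(length, alphabet_size, rate=GPU_GUESSES_PER_SECOND):
    """Worst-case seconds to exhaust every string of `length` over `alphabet_size` symbols."""
    return alphabet_size ** length / rate


def passphrase_bits(words, list_size=7776):
    """Entropy of a passphrase of `words` words drawn uniformly from a diceware-style list."""
    return words * math.log2(list_size)


if __name__ == "__main__":
    samples = ["P@$$w0rd1", "Summer2025!", "tundra-violin-cobalt-9"]   # constructed
    targets = {sha256_hex(p): p for p in samples}
    found = crack(targets)
    total = sum(1 for _ in candidates())
    for h, plain in targets.items():
        if h in found:
            print(f"{plain!r:26} cracked after {found[h][1]} guesses")
        else:
            print(f"{plain!r:26} not found in {total} guesses")
    print(f"8 lowercase letters, exhaustive: {brute_force_seconds(8, 26):.0f} s")
    print(f"12 printable ASCII chars, exhaustive: {brute_force_seconds(12, 95) / 31_557_600:.0f} years")
    print(f"4-word diceware passphrase: {passphrase_bits(4):.0f} bits of entropy")
```

The two "clever" passwords fall within the first few hundred guesses while the random passphrase survives the entire candidate set, and the brute-force estimate makes the companion point: length and randomness buy time, character substitutions do not. In a live session the same attack with a real leaked wordlist and hashcat rules is far more persuasive than any slide.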

How to Make Training Effective

Even a well-designed course can fail if a few critical mistakes are made. Here are the most common ones.

  1. Teaching memorisation instead of principles

Many programmes teach people to recognise specific signs of an attack rather than understand how attacks work.

For example, employees may be told:

“Green padlock = safe”,

“Correct sender address = legitimate”.

Both rules break against everyday attacks: any phishing site can obtain a valid TLS certificate, so the padlock only means the connection to that site is encrypted, and the visible sender address is attacker-controlled and easily spoofed or replaced with a lookalike domain. Attackers evolve faster than training materials do. Users must understand the anatomy of an attack and its motives; then they will notice risks even when surface-level signs look normal.

For phishing, for instance, users should be trained to identify fraud based on a set of indicators, such as:

  • misspelled domain names
  • unusual or inconsistent content
  • fake (imitated) functionality
  • online payment as the only option
  • no physical address or pickup options
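One way to show employees that these indicators are mechanical checks rather than gut feeling, as an added example that is not part of the original article: the script below inspects a constructed phishing email for a lookalike sender domain, a Reply-To that points elsewhere, pressure language in the subject, and a link whose visible text names the real domain while the href goes to a homoglyph (IDN) domain. The trusted-domain list, the substitution table, the pressure-word list and the sample message are all assumptions made for the demo.

```python
"""
Added example, not the article's own material: a phishing-indicator checker
that applies the "look at the domain, not the surface" principle to a
constructed message. Trusted domains, substitution table and sample are
assumptions.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the organisation's legitimate domains.
TRUSTED = {"example-corp.com"}

# Constructed sample message (not a real phishing email). The link target uses a
# Cyrillic "\u0435" in place of Latin "e"; a browser would display it as punycode.
SAMPLE = """\
From: "IT Support" <helpdesk@examp1e-corp.com>
Reply-To: recovery@mail-reset-center.net
To: alice@example-corp.com
Subject: Urgent: your mailbox will be suspended today
Content-Type: text/html

<p>Your password expires in 2 hours. Sign in now to keep access:</p>
<a href="http://exampl\u0435-corp.com/login">https://example-corp.com/login</a>
"""

# Substitutions used to build lookalike domains: ASCII digit/letter swaps and a
# few Cyrillic homoglyphs. Not exhaustive; extend it for your own brand names.
SUBSTITUTIONS = (("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"), ("3", "e"), ("5", "s"),
                 ("\u0430", "a"), ("\u0435", "e"), ("\u043e", "o"), ("\u0440", "p"), ("\u0441", "c"))
PRESSURE_WORDS = ("urgent", "suspend", "expire", "immediately", "final notice")


def normalize(domain):
    """Undo the common character substitutions so a lookalike collapses onto the real name."""
    d = domain.lower()
    for bad, good in SUBSTITUTIONS:
        d = d.replace(bad, good)
    return d


def levenshtein(a, b):
    """Edit distance; a typo-squat is usually one or two edits from the real domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_findings(domain, where):
    """Indicator strings for one domain seen at position `where` (From, Reply-To, link href)."""
    out = []
    if not domain or domain in TRUSTED:
        return out
    if not domain.isascii():
        ascii_form = domain.encode("idna").decode("ascii")
        out.append(f"{where}: IDN/punycode domain {domain} (resolves as {ascii_form})")
    elif any(label.startswith("xn--") for label in domain.split(".")):
        out.append(f"{where}: IDN/punycode domain {domain}")
    for trusted in sorted(TRUSTED):
        if normalize(domain) == trusted or levenshtein(domain, trusted) <= 2:
            out.append(f"{where}: lookalike of {trusted}: {domain}")
    return out


def analyse(raw):
    """Return the list of phishing indicators found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    findings += domain_findings(from_domain, "From")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To: replies go to {reply_domain}, not {from_domain}")
        findings += domain_findings(reply_domain, "Reply-To")
    subject = msg.get("Subject", "")
    if any(w in subject.lower() for w in PRESSURE_WORDS):
        findings.append(f"Subject: pressure language: {subject}")
    body = msg.get_payload()
    # Visible link text vs. real target: the classic "imitated functionality" trick.
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', body, re.S | re.I):
        target = (urlparse(href).hostname or "").lower()
        shown = (urlparse(text.strip()).hostname or "").lower()
        if shown and shown != target:
            findings.append(f"link: text shows {shown} but href points to {target}")
        findings += domain_findings(target, "link href")
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE):
        print("-", finding)
```

Shown to a group, the output makes the abstract rule concrete: the sender "looks right" only because a digit 1 replaced the letter l, the link "says" the real domain but leads somewhere else, and the only thing the padlock on that destination would prove is that the attacker bought a certificate. The same checks are what a mail gateway or a browser does for the user; the training goal is that people understand why, so they keep looking when the tool misses.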

  2. Training too rarely — or too frequently

Large-scale security drills should take place at least once a year.

More routine activities — e.g., anti-phishing tests or lectures covering new attack techniques — should occur once per quarter.

Too-frequent training is counterproductive: employees begin to expect it, recognise repetitive scenarios, and stop responding thoughtfully. Their vigilance fades, and training becomes background noise.

  3. No one cares about the results

What should be done with employees who repeatedly fail tests or ignore policies?

This is not entirely up to the security specialist — but before training begins, management must define:

  • motivation for those who follow the rules
  • consequences for those who consistently disregard training and policies

Without accountability, the value of training drops significantly.

  4. Not adapting to the audience

Security specialists are not professional teachers — but teaching adults does not require pedagogical training. It requires understanding how adults learn.

Key principles of adult learning:

  • Employees should participate in planning and evaluating their learning.
  • Training must be practical and experience-based.
  • Adults want to learn what is directly relevant to their work or personal life.
  • The goal of training should be solving real problems, not simply absorbing information.

It is much easier to design training when you understand who is in your group — job roles, age, experience level. This helps tailor examples, scenarios, and recommendations to their world.

If manual assessment is not possible, tools like ProfileCenter can automatically classify employees by behavioural types and help predict how they handle information risks.

Universal tools also help:

  • Good public speaking skills to engage the audience emotionally and logically
  • Rapport-building techniques — establishing credibility so employees trust your message

Conclusion

Training alone is not a silver bullet. Awareness does not guarantee that an employee will never open a malicious attachment, nor does knowledge of liability fully prevent intentional leaks.

However, good "digital hygiene" significantly reduces the number of incidents.

If you are building a course from scratch, you can start with existing templates — but you must enrich them with practical examples, real cases, and scenarios relatable to your audience. Most importantly, establish a trusting connection with employees — otherwise the training will fall flat.

If your company lacks internal resources to conduct training, you can request a free training session from us — we will be happy to help.


ABOUT SEARCHINFORM

SearchInform is an information security and risk management product vendor as well as an MSS provider. The company's clients are more than 4000 companies in 20+ countries. Today, the team has products and services for comprehensive protection against insider threats at all levels of corporate information systems: FileAuditor (the DCAP class solution); DLP system with extended functionality; Risk Monitor (advanced platform for internal threat mitigation); SIEM system, IS outsourcing service.

