Security Awareness Training – Helpful, But Not the Silver Bullet

When it comes to cybersecurity, most businesses have been through some form of security awareness training. It’s a staple of many security programs, covering key topics like:

  • Avoiding suspicious links and attachments.

  • Using strong, unique passwords (or passphrases).

  • Enabling multi-factor authentication (MFA).

  • Spotting and reporting phishing or social engineering attempts.

These sessions are well-intentioned, and in theory, they make perfect sense. If your employees are educated on security basics, they’ll be better prepared to avoid the kinds of attacks that are most likely to target them.

But here’s the problem: Security awareness training alone doesn’t work as well as we’re often led to believe.

The Promise of Awareness Training – And Its Limitations

The idealised vision of security awareness training is compelling. Train your people to think like an extension of your security team, and you’ll significantly reduce the risk of successful attacks. After all, social engineering is a component of the vast majority of cyberattacks. If your people can recognise and resist phishing and other scams, your organization should be far safer, right?

Unfortunately, the reality doesn’t quite match up. Here’s why:

  1. People Are Busy Doing Their Jobs.
    Security is rarely the primary focus for employees in finance, law, or any other SME sector. They’re busy serving clients, meeting deadlines, and keeping operations running. Even with the best training, most people won’t dedicate the time and energy needed to spot every potential threat.

  2. Social Engineering Works—Because It’s Sophisticated.
    Most people imagine a phishing email as an obvious scam: a poorly written message with a dubious link or attachment. But modern attackers are far more nuanced. From perfectly crafted emails to convincing phone calls or even fake websites, their tactics often outmatch the skills taught in basic awareness training.

That doesn’t mean awareness training is worthless. It has its place—but it shouldn’t be the cornerstone of your security program.

A Better Approach: Build a Strong Foundation

Instead of relying on people to be your first line of defense, assume that someone, somewhere will make a mistake. Whether it’s clicking a malicious link, sharing sensitive information, or using a weak password, human error is inevitable.

Your goal should be to build systems and controls that minimise the impact of those mistakes. Here’s how to get started:

1. Strengthen Endpoint Protection

Basic antivirus is no longer enough. Deploy strong Endpoint Detection and Response (EDR) solutions to detect, block, and respond to threats in real time.

2. Enforce Multi-Factor Authentication (MFA)

Make MFA mandatory across all your systems, and where possible, combine it with Single Sign-On (SSO) for ease of use. This single step can dramatically reduce the risk of account compromise.

3. Restrict Unnecessary Tools and Features

Attackers often abuse built-in tools like PowerShell or WScript (Windows Script Host) that most of your team never use. Disable or tightly control these features to reduce your attack surface.
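As an added example (not code from the original post), the script below audits, and optionally tightens, the two tools named above on a single Windows endpoint: it reports whether Windows Script Host is enabled and what PowerShell's language mode, execution policy and script block logging look like, then can turn WSH off and logging on. It assumes an elevated PowerShell 5.1+ session; the registry paths are the documented WSH and PowerShell policy keys.

```powershell
# Added example: audit and optionally harden Windows Script Host and PowerShell.
# Run elevated. Use -Apply to make the changes; without it the script only reports.
param([switch]$Apply)

$WshKey = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
$SblKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'

function Get-ScriptingExposure {
    # An absent 'Enabled' value means WSH is on; only an explicit 0 turns it off.
    $wsh = (Get-ItemProperty -Path $WshKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
    $sbl = (Get-ItemProperty -Path $SblKey -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue).EnableScriptBlockLogging
    [pscustomobject]@{
        WindowsScriptHostEnabled = ($null -eq $wsh -or $wsh -ne 0)
        # FullLanguage lets scripts reach arbitrary .NET/COM APIs; ConstrainedLanguage does not.
        PowerShellLanguageMode   = $ExecutionContext.SessionState.LanguageMode.ToString()
        ExecutionPolicy          = (Get-ExecutionPolicy -Scope LocalMachine).ToString()
        # Script block logging records what PowerShell actually ran (Event ID 4104).
        ScriptBlockLoggingOn     = ($sbl -eq 1)
    }
}

function Disable-WindowsScriptHost {
    # Machine-wide switch: .vbs/.js/.wsf files no longer run via wscript.exe/cscript.exe.
    if (-not (Test-Path $WshKey)) { New-Item -Path $WshKey -Force | Out-Null }
    Set-ItemProperty -Path $WshKey -Name Enabled -Value 0 -Type DWord
}

function Enable-ScriptBlockLogging {
    # Gives your monitoring visibility into PowerShell use rather than blocking the tool outright.
    if (-not (Test-Path $SblKey)) { New-Item -Path $SblKey -Force | Out-Null }
    Set-ItemProperty -Path $SblKey -Name EnableScriptBlockLogging -Value 1 -Type DWord
}

# Report first; apply only once you have confirmed nothing legitimate depends on WSH.
Get-ScriptingExposure | Format-List
if ($Apply) {
    Disable-WindowsScriptHost
    Enable-ScriptBlockLogging
    Get-ScriptingExposure | Format-List
}
```

Pilot the -Apply step on a few machines first: some older line-of-business installers and logon scripts still rely on VBScript, and disabling WSH will break them.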

4. Implement Firewalls and Web Filtering

Blocking access to known malicious sites and filtering suspicious traffic can stop many attacks before they even reach your team.

5. Monitor and Respond to Suspicious Activity

Use tools that provide visibility into unusual behavior, such as logins from unexpected locations or sudden file access spikes. Early detection can make all the difference.
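As an added example (not code from the original post), the script below runs the two detections just mentioned, logins from unexpected locations and sudden file-access spikes, over a few constructed log lines. The CSV layout, user names and the "expected countries" list are assumptions for the demo, not any product's real format.

```powershell
# Added example: two simple detections over constructed sign-in and file-access events.
$ExpectedCountries = @('GB', 'IE')   # where staff normally sign in from (assumption)

# Constructed sample events: timestamp,user,event,country,detail
$SampleLog = @'
2024-05-01T08:02:11Z,alice,login,GB,Outlook
2024-05-01T08:05:43Z,bob,login,GB,Teams
2024-05-01T08:06:10Z,bob,fileaccess,GB,\\fs01\finance\q1.xlsx
2024-05-01T08:06:12Z,bob,fileaccess,GB,\\fs01\finance\q2.xlsx
2024-05-01T08:06:13Z,bob,fileaccess,GB,\\fs01\finance\payroll.xlsx
2024-05-01T08:06:14Z,bob,fileaccess,GB,\\fs01\finance\budget.xlsx
2024-05-01T08:06:15Z,bob,fileaccess,GB,\\fs01\hr\staff.xlsx
2024-05-01T08:06:16Z,bob,fileaccess,GB,\\fs01\hr\contracts.docx
2024-05-01T08:10:02Z,alice,login,RU,Outlook
2024-05-01T09:14:55Z,carol,fileaccess,GB,\\fs01\legal\case1.docx
'@

function Find-SuspiciousActivity {
    param(
        [string]$LogText,
        [string[]]$ExpectedCountries,
        [int]$FileAccessThreshold = 5,   # more than this many files per window counts as a spike
        [int]$WindowSeconds = 60
    )
    $events = $LogText | ConvertFrom-Csv -Header timestamp, user, event, country, detail
    foreach ($e in $events) { $e.timestamp = [datetime]::Parse($e.timestamp).ToUniversalTime() }
    $alerts = @()

    # Signal 1: any login whose country is outside the expected list
    foreach ($e in $events | Where-Object { $_.event -eq 'login' -and $_.country -notin $ExpectedCountries }) {
        $alerts += [pscustomobject]@{ User = $e.user; Type = 'UnexpectedLocation'; Detail = "login from $($e.country) at $($e.timestamp.ToString('u'))" }
    }

    # Signal 2: file accesses bucketed per user into fixed time windows; an overfull bucket is a spike
    $epoch = [datetime]'1970-01-01'
    foreach ($perUser in $events | Where-Object event -eq 'fileaccess' | Group-Object user) {
        $buckets = $perUser.Group | Group-Object { [math]::Floor(($_.timestamp - $epoch).TotalSeconds / $WindowSeconds) }
        foreach ($b in $buckets | Where-Object Count -gt $FileAccessThreshold) {
            $alerts += [pscustomobject]@{ User = $perUser.Name; Type = 'FileAccessSpike'; Detail = "$($b.Count) files in ${WindowSeconds}s" }
        }
    }
    return $alerts
}

# On the sample data this flags alice's login from RU and bob's burst of six files in one minute.
Find-SuspiciousActivity -LogText $SampleLog -ExpectedCountries $ExpectedCountries | Format-Table -AutoSize
```

Tune the threshold and window to your own baseline before relying on this: a backup job or a user opening a project folder will look like a spike until you exclude those patterns.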

Why These Steps Matter

None of these measures are flashy, and most operate quietly in the background—but they’re incredibly effective. When configured correctly, they:

  • Reduce the likelihood of successful attacks.

  • Minimize the damage when mistakes happen.

  • Allow your team to focus on their work, not play amateur security analyst.

These controls don’t have to break the bank or create friction for your employees. Many are simple configurations of tools you may already have.

Awareness Training: The Icing, Not the Cake

Does this mean awareness training is a waste of time? Absolutely not. Security awareness sessions can help your team develop a baseline understanding of risks and foster a culture of caution. But it’s not enough on its own.

Think of training as the icing on the cake—a useful addition, but only when the foundational layers of your security program are solid.

What’s Your Next Step?

Start by evaluating your current security measures. Are you overly reliant on awareness training while overlooking technical controls? If so, focus your efforts on building a stronger foundation.

Once that’s in place, awareness training can add value without carrying the weight of your entire program.

Do you have a favorite security control that’s been a game-changer for your business? Let us know—we’re always keen to hear what’s working for other SMEs!
