Introduction
Security awareness has become the backbone of modern cybersecurity strategies.
Yes, I said it.
While sophisticated technology is essential, it’s people who form the frontline defence against cyber threats and, the greatest opportunity for risk-reduction moving forward.
In this piece, we’ll examine how the last few years have reshaped security awareness, take a forward-looking view of what lies ahead, and discuss how organizational leaders must adapt to these changes to ensure their companies stay ahead of the curve.
Cybersecurity landscape changes
COVID-19
The last years have brought seismic shifts in security awareness, largely driven by global events and evolving threats. The COVID-19 pandemic, for example, dramatically altered the way we work. The rapid pivot to remote work expanded attack surfaces, with employees accessing corporate systems from home on often less-secure personal devices and networks. Cybercriminals wasted no time, launching phishing campaigns tailored to pandemic fears and vulnerabilities. Organisations scrambled to revise their security training, new modules on securing home networks, identifying pandemic-related scams, and safely using personal devices for work.
Ransomware
At the same time, cyberattacks themselves have grown more targeted and sophisticated. Ransomware attacks have skyrocketed, and phishing campaigns have become alarmingly convincing. These developments underscore a stark reality highlighted in the SANS 2024 Security Awareness Report: social engineering remains the top human risk organisations are most concerned about. This has put immense pressure on organisations to not only enhance their defences but also improve the way they educate and prepare their workforce.
Compliance
Adding to the urgency, governments and regulators have raised the stakes with stricter requirements around cybersecurity. European legislation such as the GDPR, Network and Information Security directive (NIS2) and the soon-to-be-implemented Digital Operational Resilience Act (DORA) emphasise the importance of well-trained employees. For businesses, this isn’t just about avoiding fines; it’s about demonstrating to regulators, customers, and stakeholders that they take cybersecurity seriously and manage risk appropriately.
Fortunately, advances in training technology have made these challenges more manageable. Interactive e-learning platforms, gamified modules, and even virtual reality-based scenarios have breathed new life into security awareness. AI is also stepping in to personalize training, ensuring that employees receive lessons tailored to their individual weaknesses and risk levels.
Persona based security awareness training
Cybersecurity trends
Artificial Intelligence (AI)
Looking forward, it’s clear that security awareness will continue to evolve rapidly, shaped by both technological advances and an ever-shifting threat landscape. The integration of artificial intelligence is set to play a pivotal role, offering the potential to transform training from a static, one-size-fits-all approach to a dynamic, tailored experience. Imagine systems that monitor risky behaviours, like clicking on suspicious links, and automatically trigger specific training to address the issue. And the opposite also works. Imagine identifying risky behaviours in your security awareness training program and feeding that information to security systems to improve monitoring. This would add predictive capabilities to your defences ensures that security awareness adapts in real time to emerging risks.
Creating and fostering Security Culture
But technology alone isn’t the answer. The next big shift will be a deeper focus on fostering a culture of security across organisations. This means moving beyond annual training sessions to make cybersecurity a natural part of everyone’s daily responsibilities. This requires a firm commitment from Human Resources (HR) and we’ll see their involvement in security awareness programs continue to grow as the industry matures. When security is woven into the fabric of an organization, employees not only feel empowered to recognize and report threats, but behaving securely will become the norm over time, creating a powerful first line of defence.
But it’s not only HR’s involvement that will grow. In marketing, a persona-based approach is a tried-and-true strategy used to tailor messages and campaigns to specific audience segments. Personas represent hypothetical archetypes of customers, created based on data such as demographics, behaviours, and preferences. This same approach can be applied to security awareness, and in combination with a multi-channel approach ensures that security awareness messages reach employees where they are most likely to engage. This is where Internal Communications teams will help organisations create targeted, relatable, and effective programs that resonate with employees and foster a strong security culture.
Measuring impact
As the lines between personal and professional lives blur, particularly with remote and hybrid work models, the scope of security awareness is also set to expand. Organisations will increasingly recognize that vulnerabilities in employees’ personal digital habits can spill over into workplace risks. Training programs will start addressing this overlap, equipping employees with skills and knowledge they can apply both at work and at home.
This expansion will be accompanied by a stronger push to measure the impact of training. For years, security awareness programs have struggled to prove their effectiveness, relying on vague metrics like “completion rates.” In the coming years, businesses will demand more concrete data, not only to ensure increasing compliance requirements (e.g., NIS) but also to demonstrate the impact of the program on business risk (ROI) and simply to drive continuous improvement.
Executive involvement
These upcoming changes place significant demands on organizational leaders. To keep pace, CISOs and the broader C-suite must lead the charge. A critical first step is demonstrating their commitment to security awareness. When executives visibly support and participate in these programs, it sends a strong message to the entire workforce about their importance whilst setting clear priorities for all layers of management.
Resource allocation is another key area. Security awareness requires investment—not just in the latest tools and training platforms, but also in the teams responsible for running and improving these programs. Leaders must view this as a long-term commitment rather than a short-term expense.
Equally important is the need to embed security into the organization’s culture. This goes beyond compliance checkboxes. It’s about making security awareness an integral part of every employee’s role, whether they work in IT, HR, or marketing. Collaboration across departments will be crucial to achieving this, ensuring that security messaging resonates at every level of the organization.
As organisations prepare for the future, it’s also vital for leaders to adopt a forward-thinking mindset. Cybersecurity threats are constantly evolving, and so must the strategies to address them. By staying ahead of trends and focusing on continuous improvement, organisations can transform security awareness from a reactive effort into a proactive and strategic advantage.
A quick look back to the early days of security awarenessThe journey of security awareness began with simple needs: securing physical access to computers and limiting unauthorized data access. As technology grew more interconnected in the 1980s, the risks multiplied. Events like the Morris Worm, one of the first internet-based attacks, showcased vulnerabilities in these new systems. These high-profile incidents spurred governments to introduce laws, like the Computer Fraud and Abuse Act, to curb the growing threat. |