How to Resist Evolving Threats with Cybersecurity Awareness Training

Zack Schuler, the Executive Chairman and Founder of NINJIO, explains how companies can resist evolving threats by providing their teams with cybersecurity awareness training. This article originally appeared in Insight Jam, an enterprise IT community that enables human conversation on AI.
October is National Cybersecurity Awareness Month, an ideal time for companies to focus on how they can defend themselves from rapidly evolving cyber threats. From the exploitation of revolutionary new technology like AI to the proliferation of attack vectors, we have entered a new era of cyber risk—and much of this risk is driven by human vulnerabilities.
AI has eliminated the barriers to entry for advanced forms of phishing and other social engineering attacks, and cyber-criminals have never had more powerful resources for manipulating victims. Companies need a proactive approach to cybersecurity awareness training, which will help employees anticipate emerging cyber threats, think critically about their digital behavior, and respond to cyber-attacks. Cybersecurity awareness training must adapt to an ever-shifting cyber threat landscape, and several core principles will help IT and security leaders accelerate this process.
The Need for Action-Oriented Cybersecurity Training
Although cyber-criminals are increasingly using cutting-edge technology like AI to launch attacks, they still rely on their ability to hack into a much older operating system: the human brain. Over two-thirds of data breaches involve human error at some point, while phishing is one of the most common and financially destructive initial attack vectors.
One reason social engineering is such a consistent element of cyber-crime is the universality of psychological susceptibilities such as fear, obedience, and curiosity. Cyber-criminals can exploit these emotional traits in countless ways. For example, they can pretend to be a superior demanding immediate access to sensitive materials (obedience), or impersonate authorities such as IRS agents to coerce employees into providing personal information (fear).
Psychological vulnerabilities vary from person to person, which is why personalized training is essential. IT and security teams can build the cybersecurity awareness muscle by engaging employees with content that addresses their unique psychological weaknesses. They can also use tools like simulated phishing to ensure accountability and reinforce what employees learn. Robust training and evaluation will strengthen employees’ defenses and provide an accurate picture of the company’s most urgent vulnerabilities.
Navigating a Shifting Cyber Threat Landscape
The cyber threat landscape is always changing, but it has undergone especially pronounced shifts as generative AI has boomed. According to Google, companies should expect generative AI to be increasingly “utilized in phishing, SMS, and other social engineering operations.” Microsoft has found that large language models (LLMs) are being used by cyber-criminal organizations around the world.
Consider the impact of LLMs on social engineering attacks—cyber-criminals are now able to produce targeted and convincing phishing messages at scale, and old red flags are less visible. Employees used to be capable of identifying a phishing email by spotting mistakes such as misspellings or strange syntax, but LLMs allow cyber-criminals to create polished messages that don’t contain these errors.
This means employees must pay closer attention to the tone of messages: is there a sense of urgency? Is the message threatening? Does the sender want them to click on a link or attachment? Employees must be prepared for new cyber-criminal tactics, which means IT leaders must address these tactics proactively.
Securing Sustainable Behavioral Change
While Cybersecurity Awareness Month is just one month of the year, it’s an opportunity for companies to prioritize their long-term cybersecurity. According to Allianz, cyber incidents now comprise the top business risk “across companies of all sizes”—a trend that will likely continue to gain momentum in the coming years.
IBM reports that employee training is the top factor that reduces the cost of data breaches, but too many social engineering attacks are still successful. The best way to ensure that employees are equipped to resist these attacks is to build healthy cybersecurity habits, and this can be done through engaging and personalized training that covers the latest cyber-criminal tactics.
When employees regularly confront these tactics, they will develop an intuitive understanding of how to protect themselves and the company—a mindset shift that enables them to resist the most urgent cyber-attacks today and adapt to the attacks of the future.