Security Awareness: How to get the best ROI

Make your colleagues the strongest security link in your business.

Written by Chelsea Jarvie

Chelsea is the Director of Neon Circle and a cyber security consultant. Chelsea is passionate about driving forward modern security practices and pragmatism and is experienced in building risk-centric and efficient operations. Chelsea is a STEM ambassador, an experienced conference speaker and judge for Scottish Cyber Awards. She was named as a "Woman of the Future" by Equate Scotland in their "Leading Women of Scotland" Publication and chosen as Code First Girls: One to Watch 2017.

May 6, 2020

Why do I need a security awareness programme?

With phishing at an all-time high, staff security awareness training is essential for all businesses, no matter the size or sector. However, many companies still insist on boring online training once a year. Security awareness programmes tend to be under-invested, under-resourced and seriously underestimated when it comes to their ability to reduce the risk of a successful cyber-attack.

Security awareness training is compulsory for some accreditations such as ISO 27001, but in many cases it is a tick-box exercise that gives the business almost no protection. Investing in an engaging and interesting security awareness programme can pay dividends for your business, so we have shared some top tips to help you get the best ROI.

1. Always answer the “why?”

Answer the question on everyone’s mind, “why should I care?”, by equipping your staff with the tools and knowledge they need to keep themselves and their family safe outside of the workplace. Give them context and real-life examples showing why we need to demonstrate certain security behaviours. If staff can spot a phishing email at home, they can spot one at work. If staff know how to create strong passwords at home, they know how to create strong passwords at work. Ensuring the messages are relevant to your target audience (i.e. your colleagues) will help make them easy to understand and ultimately drive the good security behaviours you want to see.

Security awareness training merges IT with psychology, marketing and communications, and that makes it exciting. But it also takes a special skill set to get it right: you need to think like a user, question each word you write and always ask, why should the user care about this?

2. Get rid of the one and done model

An eLearning module once a year is not good enough. They tend to be around 30 minutes long, in a click-through style that is incredibly boring. It is difficult to pack all the knowledge someone needs to keep the business safe from cyber threats, all year long, into a 30-minute module. We have all done them, and it is time out of your life you will never get back.

Why not split your annual course up? Do them twice a year, each quarter or even every month. Do not let your staff forget about cyber threats until they are due their annual refresher training. Contact us if you would like more information on our security awareness eLearning products.

3. Provide at least weekly security comms

This may sound like a lot, especially if you are a small team, but posting regular intranet or internal social media articles keeps security at the forefront of our colleagues’ minds. We all know the phrase “out of sight, out of mind”. That being said, comms with no purpose are not useful. These messages must link back to the point we made at the start: they need to be relevant and teach colleagues how to keep themselves safe from emerging cyber security threats. We can help you supplement your security awareness programme with expertly written resources and content, so get in touch if you want to know more.

4. Roll out a phishing simulation programme

Develop a regular phishing programme whereby you send all colleagues a test phishing email and measure their response. Testing how your colleagues respond to a phishing email is not aimed at catching them out but at learning how to improve your security awareness programme. Everyone benefits: staff learn to think twice before opening an attachment or clicking a suspicious link, and the security team gets vital metrics to help guide their awareness programme.

5. Metrics are your friend

Although it can be tricky to measure the impact of a culture and behavioural change programme, there are lots of ways you can measure the impact of your security awareness programme. Phishing metrics are the most obvious and common, alongside eLearning metrics. However, what about your engagement levels through the intranet or Yammer? The number of questions your security team receives? The number of incidents reported by staff? There are many ways to report the progress made, which will allow you to see trends over a 12- to 18-month period. Metrics can help you pivot your programme to respond to emerging awareness gaps, or make the case when you need extra budget.
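As an added illustration of the phishing-simulation and trend metrics described in tips 4 and 5 (this is example code written for this page, not Neon Circle's own tooling; the campaign periods and counts are constructed sample values), the block below turns per-campaign send, click and report counts into click and report rates and classifies the direction of each metric over the series:

```python
from dataclasses import dataclass
from statistics import mean

@dataclass(frozen=True)
class Campaign:
    """One simulated phishing send. Counts are constructed sample values."""
    period: str    # e.g. "2019-Q1"
    sent: int      # test emails delivered to colleagues
    clicked: int   # recipients who clicked the link or opened the attachment
    reported: int  # recipients who reported the email to the security team

def click_rate(c: Campaign) -> float:
    return c.clicked / c.sent if c.sent else 0.0

def report_rate(c: Campaign) -> float:
    return c.reported / c.sent if c.sent else 0.0

def trend(values, lower_is_better, window=2, threshold=0.01):
    """Compare the mean of the last `window` values with the mean of the
    earlier ones. A change smaller than `threshold` (1 percentage point)
    counts as 'flat'; the caller says which direction is an improvement."""
    if len(values) < window + 1:
        return "insufficient data"
    earlier, recent = mean(values[:-window]), mean(values[-window:])
    delta = recent - earlier
    if abs(delta) < threshold:
        return "flat"
    improved = delta < 0 if lower_is_better else delta > 0
    return "improving" if improved else "worsening"

def summarise(campaigns):
    """Per-campaign rates plus the direction of each metric over the series."""
    periods = [c.period for c in campaigns]
    clicks = [click_rate(c) for c in campaigns]
    reports = [report_rate(c) for c in campaigns]
    return {
        "click_rate": dict(zip(periods, clicks)),
        "report_rate": dict(zip(periods, reports)),
        "click_trend": trend(clicks, lower_is_better=True),
        "report_trend": trend(reports, lower_is_better=False),
    }

# Constructed sample: six quarterly campaigns spanning 18 months.
SAMPLE = [
    Campaign("2019-Q1", 200, 58, 12), Campaign("2019-Q2", 200, 50, 20),
    Campaign("2019-Q3", 200, 41, 31), Campaign("2019-Q4", 200, 34, 45),
    Campaign("2020-Q1", 200, 26, 60), Campaign("2020-Q2", 200, 22, 71),
]

if __name__ == "__main__":
    for metric, value in summarise(SAMPLE).items():
        print(metric, value)
```

The report rate is worth tracking next to the click rate: a falling click rate alone can also mean people are ignoring email, whereas a rising report rate shows colleagues actively helping the security team.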


Your security awareness programme must be relevant, regularly communicated and measured.

This will help ensure the investment you make to train your colleagues on security best practice reduces the risk, which all businesses carry, of a successful cyber-attack caused by human error.

In the security world we talk about staff being the “weakest link”, and in many cases they continue to be so where security awareness training is not good enough. Work towards making your staff the strongest link with these top tips.

If you want help transforming your security culture or building a security awareness strategy then we would love to hear from you.


Neon Circle can help you make staff your strongest security asset and not the weakest link
