3 Components You Need in a Cybersecurity Training Program

March 15th, 2022 | 7 min. read

People are the driving force behind your business and its success. Without your employees, you wouldn’t be able to provide the services your customers depend on. Companies with Employee Stock Ownership Programs (ESOP) need to pay special attention to their employees, as they have a vested interest in the company’s success. ESOPs start with people, and your cybersecurity program should have an emphasis on them as well.

When the term “cybersecurity” shows up, people automatically think of having anti-virus software and ensuring you have a firewall in place. The last line of defense between your business and hackers is your employees.

According to a study done by Stanford University and Tessian, approximately 88% of all data breaches are caused by employee error. Hackers have been getting better at creating legitimate-looking phishing emails, and employees might not have the tools to recognize a threat. Cybersecurity is much more than hardware and software; it’s about giving your employees the education they need to prevent cybercrimes from happening.

The Department of Labor’s cybersecurity best practices recommend having annual cybersecurity training for your employee-owners.

Here is how you start.

Understanding the Parts of Cybersecurity Training

Three parts make up a solid foundation for a cybersecurity training program: Training, Testing, and Accountability.  

1. Training 

It wouldn’t be fair for a teacher to give their students an exam on something they have never learned before. Before you start testing your employees, it’s important to show them what they need to be on the lookout for.  

It’s important to note that you should NOT develop your own training content.

Cybersecurity practices change constantly, so any content you create will be out of date very fast. Third-party cybersecurity training programs keep their content relevant and ensure that it is up to date. They can also help reduce the administration and reporting overhead related to training and testing your employees.


Cybersecurity training starts with baseline training, which every employee who has access to technology will need to undergo. Baseline training covers essential cybersecurity information that employees need to know to stay safe and keep your company safe. New employees should receive baseline training as a required component of the onboarding process. Existing employees should receive additional training at least every six months. Continued training is critical as technology and tactics used by hackers are constantly evolving.

Additionally, you should establish a Cybersecurity Workforce (CWF) program. This program identifies jobs and roles within your company that require more training from a cybersecurity standpoint. Employees who work with regulated data or privacy concerns will need a higher level of testing. Key roles with technology and access to personal private information, like finance, executives and managers, HR/payroll, system administrators, and software developers, need to be included in the CWF program.  

Employee roles and the training required for them need to be reviewed and adjusted annually. When doing your annual review of roles, there might be new roles, or you could get rid of roles that are no longer being used. If an employee’s role needs to be adjusted, they will need to be assigned any additional training that is necessary. 

Analyzing your team and defining CWF roles and training can be daunting. Guide Star can help you work through standing up and managing your CWF program.

2. Testing 

Now that your employees have undergone training, it’s time to put their skills to the test. Employees should receive, at a minimum, a quarterly, centrally administered phishing email simulation test. The good news is that most reputable third-party training platforms provide mechanisms for testing, tracking, and reporting.

What is phishing? According to the Federal Trade Commission, phishing is defined as scammers using email or text messages to trick you into giving them your personal information. Phishing emails can look like a legitimate email from your bank, online retailers like Amazon, or even your company’s HR or payroll department. Research done by Trend Micro revealed that 91% of cyberattacks begin with spear phishing, which is phishing that uses personalized information to target its victims.


The best tests need to be a real-world simulation of an actual phishing attack. You won’t get quality results from giving your employees easy tests. Be sure to challenge their new cybersecurity toolset! 

Before you begin testing, your company needs to give employees the ability to escalate an attack, real or fake, to your IT department. Some programs include a phishing alert add-on to your email client that employees can use to report attacks. 

After your initial testing is complete, you need to evaluate the results and set goals for improvement. You will need to decide how you want your company to measure cybersecurity success.

What percentage of failures do you deem acceptable? A 100% success rate won’t be feasible, so set a goal that is attainable and bound to a finite timeline.  

Once you implement testing, the data you receive needs to be transparent. Managers must know who on their team isn’t doing well, so they can understand how to help them. Executives and your board will need to see any trends that are concerning, such as a high volume of failed tests in a specific area of your business. 

Finally, don’t be discouraged. Many companies will see a 30% to 50% failure rate when they first begin testing. 

Integrate safe cybersecurity practices into your culture, keep training your employees, and continue testing. Your failure rate will decrease with time.

3. Accountability

Your employees are human, so expect some failed phish tests. Holding your employees accountable for training and testing when they fail is not the same as punishing them for a bad test.  Most employees will eventually learn from their mistakes if they are supported by management and provided with additional opportunities for training.

Accountability should not be punitive; it’s about making sure that the training program is working. Part of this is ensuring that training and testing are done in a timely manner, no exceptions. Every employee, from your newest hire to the CEO, needs to complete training on time.  

If an executive or board member doesn’t think your new training program is necessary, try to leverage the competitive spirit that drives them. Compare each division’s success rates to each other and make it a competition to see which team is the best at cybersecurity! 

As a leader, engrain cybersecurity safety into your company’s culture. Your employees look to you for guidance and support. Setting a goal and being transparent with them will help them understand why it is valuable to them as owners.  

How should managers and supervisors handle a failed test? If an employee fails a test or multiple tests, they shouldn’t worry about getting fired. For a manager, it means getting that employee extra training, meeting with them to understand what they’re having trouble with, and assigning them personalized training.

How Can Guide Star Help? 

Building a cybersecurity training program can be a big task, but Guide Star has the resources to guide you every step of the way.  

Guide Star can help you assess which third-party toolset fits best for your organization. Once you choose a toolset, our experts can assist in administering both training and testing for your employees, as well as the reporting you need.

If you don’t know how to begin creating, defining, and assigning cybersecurity workforce roles, we can help with that, too! 

Not there yet? Here are the 4 steps of creating a cybersecurity program.