Security Awareness Training Topics

When it comes to information and cyber security, organisations are now acknowledging that security is not just about box ticking but is a concerted effort to create a secure culture. However, security awareness training isn’t always the most straightforward topic to teach.

One reason for cyber and information security training becoming a workplace necessity is the rate at which security threats have evolved. The increased availability and sophistication of malware and phishing attack tools means cyber criminals and hackers have never been more capable of getting their hands on your data.

In 2018, 72% of large businesses identified breaches or attacks, as did 31% of small businesses. With the average cost to a business now soaring to over four thousand pounds, a 27% increase from the previous year, it’s clear that information security is now paramount to any business. But:

Whilst the cost and impact of cyber security attacks continues to rise, it may be shocking for some to learn that 77% of all UK workers have never received any form of information security training from their employer. Taking this into consideration, we can understand how the cost of these phishing attacks continues to increase.

Security Awareness Training Topics to Cover with Employees

Though we all know some of the basics of security awareness, it’s important that these fundamental topics are both taught and absorbed by employees, not only for ‘in the office’ but at home too. Protecting you and your organisation relies on the confidentiality, integrity and availability (CIA) of your data and information.

Password Security

Just about every system, network and device that we now value requires a password. Undoubtedly there are plenty among us who sometimes struggle to remember all of these credentials, which leads to one of the main practices that weakens our information and password security.

Reusing one password across several accounts essentially reduces the security of all of them to that of the weakest. As databases are continuously being attacked, it’s advised to use a unique password for each account.

Another basic rule of password creation (if you’re not using a password generator) is to use 4 unrelated words. Though it may sound simple, just think of the number of possible combinations. In addition, multi-factor authentication should also be used for sensitive accounts.
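To put numbers on the "think of the amount of possible combinations" advice, and to show how password reuse can be audited, here is an added example (not code from the original article). It draws words with a cryptographically secure random source, computes the entropy of a passphrase from the wordlist size, and groups accounts that share a password. The sixteen-word list is constructed for the demo; a real deployment would use a published list such as the 7776-word EFF long list, which the example also evaluates.

```python
import hashlib
import math
import secrets
from collections import defaultdict

# Constructed demo wordlist (assumption for this example only); a real
# generator would load a published list of several thousand words.
DEMO_WORDS = [
    "anchor", "bishop", "candle", "donkey", "ember", "falcon", "garlic", "harbor",
    "island", "jigsaw", "kettle", "lantern", "marble", "nectar", "orbit", "pepper",
]


def passphrase(words=DEMO_WORDS, count=4, sep="-"):
    """Join `count` words chosen uniformly at random with a CSPRNG (secrets)."""
    return sep.join(secrets.choice(words) for _ in range(count))


def entropy_bits(wordlist_size, count):
    """Entropy of `count` independent uniform picks from `wordlist_size` words."""
    return count * math.log2(wordlist_size)


def expected_crack_seconds(bits, guesses_per_second):
    """Expected time to hit the passphrase: half the keyspace at the given rate."""
    return (2 ** bits) / 2 / guesses_per_second


def find_reused(account_passwords):
    """Group accounts that share a password.

    Passwords are compared by SHA-256 digest so the plaintext is not kept
    around after hashing; returns a sorted list of account groups of size > 1.
    """
    groups = defaultdict(list)
    for account, password in account_passwords.items():
        digest = hashlib.sha256(password.encode()).hexdigest()
        groups[digest].append(account)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


if __name__ == "__main__":
    print("demo passphrase:", passphrase())
    for size in (len(DEMO_WORDS), 7776):
        bits = entropy_bits(size, 4)
        print(f"{size} words x 4 picks = {bits:.1f} bits, "
              f"~{expected_crack_seconds(bits, 1e9) / 86400:.1f} days at 1e9 guesses/s")
    # Constructed account list: two accounts share the same password.
    print("reused across:", find_reused({"email": "hunter2", "bank": "hunter2", "vpn": "x9!k"}))
```

The 16-word demo list gives only 16 bits for four words, which is why the size of the wordlist matters as much as the number of words; at 7776 words the same four picks give about 52 bits. The reuse check illustrates the point about the weakest account: every account in a returned group is only as safe as the least protected one.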

Malware
Malicious software can make its way onto our devices and into our networks in many ways, though phishing emails are usually malware’s way in. By clicking on suspicious links, users can be directed to insecure websites. Opening malicious files and attachments can do untold damage to your systems and data.

Malware can come in many forms, including spyware (collects sensitive information), adware (clogs your device up with advertisements) and ransomware (holds your data hostage in exchange for cryptocurrency). Although it is defended against by anti-virus software, as well as by vigilance and training, malware can cause an extraordinary amount of damage to any organisation’s network.

Mobile Devices

Mobile devices often represent a significant security risk, in large part because they are, indeed, mobile. With so much sensitive and confidential information stored within our devices, the potential for unauthorised access can be a big cyber security threat, inside and outside the office.

Ensuring that users and employees have their devices password protected and adequately encrypted guarantees that any sensitive information cannot be passed into the hands of malicious actors. Also, if employees are dealing with particularly sensitive information, remote wiping features should be considered, in case the device is lost or stolen.

Wi-Fi
Though Wi-Fi can seem safe and convenient, it can pose a substantial risk to information security and confidentiality, particularly on public networks.

With relatively simple, off-the-shelf software, attackers can easily intercept data transferred over public networks by means of what is known as a ‘man-in-the-middle’ attack. If a network is not secured (i.e. not password protected), then the chances of that network being safe to use are very low.

If your employees absolutely have to make use of public Wi-Fi networks, ensure that your organisation has a VPN solution in place. This will allow users to transfer data securely through an ‘encryption tunnel’.

Social Engineering

Social engineering attacks should be considered a must for any security awareness training: they are utilised by malicious parties, hackers and criminals in the vast majority of information security attacks.

Varied in their approach, social engineering attacks all rely on the manipulation of individuals in order to extract information that allows the attacker to profit. This can include phishing emails, quid-pro-quo exchanges and even physical forms of manipulation, such as tailgating.

For a truly information-secure culture, beyond having the necessary policies and procedures in place, every member of an organisation needs to be trained to understand the ways they can be susceptible to social engineering attacks.

Encryption
Encryption is something we all rely on, whether it’s the data being transferred across our networks, the information we input into websites or apps, or even the contents of our phones and devices. As a form of cryptography, encryption is a process that obscures information from non-authorised parties and allows you and your employees to communicate via confidential channels.

With the advent of the General Data Protection Regulation (GDPR), organisations are increasingly responsible for making sure the personal information that they hold on customers and individuals is properly stored and secured, the main method of doing so being encryption. For employees to be security aware, the fundamental methods of encryption must be understood.

Backing Up Data

As encryption helps to ensure the confidentiality of information, the practice of backing up guarantees that your data will remain available, even after an attack. Security awareness isn’t just about stopping attacks; it’s also about safeguarding information in the event of an attack happening.

We’ve all been in the position of having accidentally deleted or lost a document. At best, this can be very frustrating; at worst, the loss of data can be catastrophic to an organisation. In building a security aware culture, employees should be trained to treat this topic as part of their routine, with their individual responsibilities directly outlined.
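A backup only guarantees availability if you can prove it is intact before you need it, which is the part of the routine most often skipped. The following is an added example, not code from the original article: it copies a directory, records a SHA-256 manifest alongside the copy, and then re-verifies the copy, reporting files that are missing or whose contents no longer match (the situation after accidental deletion or a ransomware run over the backup). The `demo()` function builds its own throwaway files in a temporary directory, so the example runs offline; the file names and contents it uses are constructed for the demo.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"  # assumption: manifest lives beside the copied files


def sha256_of(path):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(src, dest):
    """Copy every file under `src` into `dest` and write a manifest of hashes."""
    src, dest = Path(src), Path(dest)
    dest.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for path in sorted(src.rglob("*")):
        if path.is_file():
            rel = path.relative_to(src)
            target = dest / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(path, target)
            manifest[rel.as_posix()] = sha256_of(target)  # hash the copy, not the source
    (dest / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_backup(dest):
    """Return a list of problems ('missing: x' / 'modified: x'); empty means intact."""
    dest = Path(dest)
    manifest = json.loads((dest / MANIFEST_NAME).read_text())
    problems = []
    for rel, expected in manifest.items():
        path = dest / rel
        if not path.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_of(path) != expected:
            problems.append(f"modified: {rel}")
    return problems


def demo():
    """Back up two constructed files, verify, tamper with the copy, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "documents"
        dest = Path(tmp) / "backup"
        src.mkdir()
        (src / "notes.txt").write_text("quarterly planning notes\n")
        (src / "report.txt").write_text("draft report\n")

        make_backup(src, dest)
        before = verify_backup(dest)  # expected: []

        # Simulate corruption of the backup itself: one file encrypted/overwritten,
        # one deleted. A scheduled verify is what turns this into an alert.
        (dest / "notes.txt").write_bytes(b"\x00\x11\x22 garbage")
        (dest / "report.txt").unlink()
        after = verify_backup(dest)
        return before, after


if __name__ == "__main__":
    intact, damaged = demo()
    print("after backup:", intact or "all files verified")
    print("after tampering:", damaged)
```

Running `verify_backup` on a schedule, and keeping the manifest on a medium the backup job cannot overwrite, is what makes the availability promise in the paragraph above testable rather than assumed.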

Spear Phishing

Spear phishing attacks are a variation of the standard phishing attack. As a refined and targeted attack, spear phishers take a much more nuanced and sophisticated approach than simply sending out thousands of emails. Rather than relying on scale, phishing attacks of this sort often consist of a small number of carefully crafted, specially created malicious emails.

Again designed to fool users into handing over information, these attacks let attackers intercept invoices, payment requests and extremely sensitive communications that earn them a big reward. Far more difficult to stop, a well-crafted spear phishing attack can fool even the most seasoned of users into making a very costly mistake.

Spear phishing attacks exemplify the need for robust information security awareness training, and the vulnerability that a non-secure culture facilitates.

Sensitive Information

Many of us are constantly dealing with sensitive information of one kind or another. Sensitive information can be business secrets, intellectual property or even personal medical data, each of which may be subject to different regulations, though all require a security aware mentality to protect properly.

Confidentiality is essential to any business, and without the proper information security training, employees are bound to make mistakes.

There are many ways an organisation can protect its sensitive information. Such methods will require some level of access control, to make sure the availability of the information is restricted to authorised parties only. Most important to this topic, though, is identifying the types of information your organisation is handling, and what your responsibilities are.