Training

Cybersecurity Awareness Month: We need to turn employees into defenders, not liabilities

COMMENTARY: Every October, Cybersecurity Awareness Month reminds us how far we’ve come as defenders—and how far we still have to go. Despite billions spent on tools and infrastructure, 85% of breaches still trace back to human error. That’s a clear signal that traditional awareness efforts haven’t kept pace.

Conventional security awareness training (SAT) often leaves employees disengaged and IT managers struggling to prove impact. Formulaic training models simply aren’t enough. Modern threats demand modern solutions.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]

For too many employees, SAT means clicking through outdated videos or skimming quizzes designed to check a compliance box. Many say they find the content repetitive, generic, and disconnected from the real attacks hitting their inboxes.

That disconnect has consequences. Ninety-nine percent of IT leaders in the U.S. and U.K. say their organizations experienced a security incident in the past year because of avoidable user actions. Not only must IT teams remediate those incidents, they’re left with little evidence that the time and money spent on training made any difference.

Instead of aiming for compliance, we need to reorient back to the real goal: changing behavior.

Smarter threats require smarter training

Adversaries now leverage AI to craft highly-personalized phishing and social engineering attacks. Even trained users can struggle to distinguish a convincing fake invoice from the real thing, or a malicious onboarding document from legitimate HR communications.

If attackers are adapting, so must training. AI-enabled approaches can modernize SAT in three ways:

  • Just-in-time coaching: Deliver guidance in the moment of risky behavior—like when an employee clicks a suspicious link. Timely, contextual lessons reinforce the right response and increase knowledge retention.
  • Personalization by role, risk, and behavior: Different teams face different threats. Finance may need focused training on wire fraud tactics, while developers benefit from secure coding guidance. AI makes it possible to tailor training to each role and risk profile, making it more relevant and engaging.
  • Automation for scale: Building, delivering, and tracking training manually consumes significant resources. AI can automate phishing simulations, assign modules based on risk, and streamline reporting—freeing awareness teams to focus on strategy instead of administration.

AI isn’t a silver bullet: but it’s a force multiplier. With thoughtful oversight, it helps security teams scale their programs, reclaim time, and better protect their workforce.

Nearly every organization has suffered an incident caused by avoidable user action. This Cybersecurity Awareness Month, security leaders should ask: has our training kept pace with adversaries?

To truly reduce human risk, SAT must evolve. We need to make it continuous, contextual, and grounded in real-world threats. The goal isn’t just awareness—it’s enablement.

Moving forward, security awareness training must turn employees into defenders, not liabilities.

Mick Leach, Field CISO, Abnormal AI

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds