
4 reasons you need to get information security training right (& how to do it)

Information security awareness training - eFront Blog

They say that passwords are like underwear: we don’t let others see them, we change them often, and we shouldn’t share them with strangers [1]. But why do we have passwords in the first place? Simple. To protect our data, one of the most valuable commodities in the 21st century.

Knowing how important information is to your business and its employees, you’re determined to keep it safe. So you want to learn everything there is to know about training your employees on information security awareness. You’ve come to the right place!

Let’s start at the beginning, by explaining what ‘information security’ means.

What is information security?

Before you can understand what information security is, you need to understand what it isn’t. Many people confuse information security with cybersecurity. In reality, information security is just one part of cybersecurity.

Information security is specifically aimed at guarding, well, information. This includes personal employee data, client and/or partner data, company records and documents, strategic information, research reports, trade secrets, and financial details.

With this in mind, we can define information security as the processes and practices for protecting company and employee information from manipulation, destruction or inspection. If this sounds important, it’s because it is, which is why every company needs information security awareness training.

How does information security awareness training benefit your organization?

Protecting sensitive information might seem like an IT responsibility, but it’s actually a team effort. Imagine your company information sitting safely inside a sphere made of thousands of links; these are your employees. It only takes one weak link (or one employee) to expose the whole company’s information to theft or manipulation.

This is why each and every employee needs to understand why information is important, and how to keep it safe and secure. In other words, they need information security awareness training. Here are some of the other reasons your company needs this training.

1. Improve employees’ digital (security) literacy

In 2018, over half a billion personal records were stolen. In 2020, the total cost of data breaches is expected to reach $150 million! Perhaps the scariest part, though, is that over 90% of these breaches are due to – wait for it – human error! As employees are indeed humans, improving their information security literacy is a must.

Information technology security awareness training educates employees about common scams, like email attachments containing malware, and phishing emails that request personal information. With this kind of security literacy, your employees will be less likely to fall into data breach traps.

2. Follow the recommendations of the ISO/IEC 27001

If you’re adhering to ISO/IEC 27001, then IT security awareness training for employees is already on your to-do list. This is an international security standard for information risk management, and it can be used as a basis for formal compliance assessment. This is particularly important if you’re in a high-risk industry, like finance or healthcare.

Training your staff on information security means that they’ll be more likely to follow the policies and procedures set out by the ISO/IEC 27001 standard. Plus, your company will be one step closer to being compliant, and might even avoid a hefty fine or lawsuit.

3. Protect your company’s reputation

Your brand is important. But how strong is it if your company’s reputation is damaged? Reputation is another reason security awareness training matters so much. Think about it. If your information gets into the wrong hands, customers could lose confidence in your brand.

So, what can we learn from that? The more employees know about protecting information, the less likely you are to see damaging headlines about your company in the news.

4. Save time and money by preventing information leaks

Research has found that it takes more than 8 months and an average of $3.92 million to recover from a data breach. That’s a lot of time and cash, which makes this one of the most compelling reasons for information security awareness training.

Having a strong information security policy, supported by online security awareness training, means less risk of an untimely breach. This way you save time, money, and a whole lot of panicking.


What does information security awareness training look like?

Now that you know what information security is, and why employee information security awareness training is important, let’s get to the how.

You can structure your training as a module within a larger cybersecurity training program for employees, or you can have this as a stand-alone course. Either way, there are a few essential topics that you’ll need to include.

Let’s dive in.

The importance of information security

To change employee behaviors, you must first change their attitudes. So, it’s always a good idea to start your training with an introduction to information security. Explain what it is, why it matters, and the important role that each and every employee plays in keeping data safe.

This topic will help to build a safety-first mindset, where all employees prioritize information security and practice safe daily habits. After all, your staff is your strongest layer of defense against security threats.

Avoiding email scams

Unless you’ve just discovered the internet, you’ve probably received a phoney email before. And your employees will, too. Emails from seemingly reputable senders that ask for personal information are a common form of phishing (not the fun type). Other emails deliver malware through links or attachments.

Your employees need to know how to identify suspicious emails – and when they do, not to respond to them, click their links or download their attachments. These simple behaviors not only protect your employees’ own information, but also keep company data and funds safe.

Keeping login details safe

Many companies have recently discovered single sign-on (SSO). One username and password to log into multiple accounts sure is convenient, but it also puts your information at risk. For example, if an employee’s Google login details are stolen, the thief might be able to log into company databases and accounts.

So, employees need to understand how to set strong passwords, and the importance of keeping their usernames and passwords confidential. Teaching your staff to protect their passwords is like locking the doors (tightly!) to your company’s information.

According to eFront’s CISO, Victor Kritakis, the safest way is to use a “password manager”. Such a tool fills in random strong passwords for each website and keeps all of them stored in one place. This way, you don’t have to type them every time you log in.
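To make the password manager idea concrete, here is a small added Python sketch (not code from the eFront post or its author) of the two jobs the paragraph describes: generating a different random password for every site, and keeping them in one store so nobody has to remember or retype them. The site names and the in-memory vault are constructed for illustration only; a real manager encrypts its vault on disk and fills the browser form for you.

```python
"""Added illustration of a password manager's core jobs: generate a
different random password per site and keep them in one store.
Site names and the in-memory vault are constructed for the example."""
import math
import secrets
import string
from typing import Dict, List

# Characters a generated password may draw from: letters, digits, symbols (94 total).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Return `length` characters chosen uniformly at random from `alphabet`.

    `secrets` draws from the OS cryptographic RNG; the `random` module is
    predictable and must not be used for passwords.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet_size).

    A 20-character password over 94 symbols is about 131 bits, far beyond
    what a human-chosen password of the same length typically offers.
    """
    return length * math.log2(alphabet_size)


class Vault:
    """Minimal in-memory store mapping each site to its own password."""

    def __init__(self) -> None:
        self._entries: Dict[str, str] = {}

    def create(self, site: str, length: int = 20) -> str:
        """Generate and store a fresh random password for `site`."""
        password = generate_password(length)
        self._entries[site] = password
        return password

    def store(self, site: str, password: str) -> None:
        """Import an existing (possibly human-chosen) password for `site`."""
        self._entries[site] = password

    def get(self, site: str) -> str:
        """Look up the password for `site` so the user never retypes it."""
        return self._entries[site]

    def reused_passwords(self) -> Dict[str, List[str]]:
        """Report any password shared by more than one site.

        With generated passwords this is empty; reuse is what turns one
        stolen login into access to every other account.
        """
        by_password: Dict[str, List[str]] = {}
        for site, password in self._entries.items():
            by_password.setdefault(password, []).append(site)
        return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


if __name__ == "__main__":
    vault = Vault()
    # Constructed site names for the demo.
    for site in ("mail.example.com", "hr.example.com", "crm.example.com"):
        vault.create(site)
    print("reused passwords:", vault.reused_passwords())
    print(f"20-character password: about {entropy_bits(20):.0f} bits of entropy")
```

The `reused_passwords` check is the part worth showing employees: a manager that generates every password makes the report empty by construction, whereas importing the same hand-picked password for several sites lights it up immediately.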

Practicing safe internet habits

The internet is a big, scary place. We often can’t see when there’s something sinister lurking as we browse through Amazon, log in to our banking, or download music. There’s a good chance that your employees aren’t aware of the dangers of using free Wi-Fi, or installing a free app.

That’s why it’s so critical that employees understand safe internet habits: to protect your company network against hackers. This includes using secure Wi-Fi and websites, disabling pop-up windows, and avoiding any software downloads that aren’t pre-approved by the IT department.

Managing sensitive data

There are many types of data in every company, including client contracts, customer profiles, employee banking details and strategic plans – just to name a few. Some data is highly sensitive and confidential, some isn’t. Your employees need to know the difference.

This is why your training should show employees how to identify high-risk data, and then how to manage it carefully and safely. Managing your digital and paper-based information properly is key to preventing data leaks.

Being aware of physical security

While most security threats happen on digital devices, employees should still be aware of their physical environments. After all, not all thieves are cybercriminals. There are still good old-fashioned thieves today that use their eyes and hands to steal information.

So, train employees to keep a tidy desk. This makes it easier for them to spot if something goes missing, like documents or USB drives. They should also lock their devices, and be aware of strangers around them that could be looking at their screens or desks.


Information is one of the most valuable assets in the digital age, and keeping it safe from pesky cybercriminals is a challenge the whole company must face together. The good news is that you’re all set to start training your employees in information security. Peace of mind is just around the corner!


1. ‘Top 27 Cyber Security Quotes’, August 24, 2018, SecurityFirst.
