Four easy ways to train your workforce in cybersecurity
Cybersecurity is one of those fields where success is measured by the absence of incidents – and when incidents do happen, they are increasingly disastrous. Figures from IBM indicate that in 2023, the global average cost of a data breach was US$4.45 million – up from US$3.9 million in 2020, and still increasing.
Yet even today, not many organisations seem to have high levels of cybersecurity awareness, nor are they willing to invest in it. Fortinet's 2023 security awareness and training survey found that 56% of IT and cybersecurity leaders feel that employees still lack the knowledge or awareness to keep company assets safe; IBM's 2023 Cost of a Data Breach Report found that 57% of organisations were more inclined to just pass the cost of cyber attacks on to customers rather than to invest in better security.
That's unsurprising. Budgets are pinched, talent is expensive and hard to find, and organisations that haven't really felt the pain of a cyber attack may not be inclined to put resources into cybersecurity. But can we do something anyway?
The answer is to train the workforce
It's possible to boost cyber defences simply by making employees more aware of good practices. This is particularly important because most cyber attacks target employees. Data from the same Fortinet survey found that 81% of cyber attacks in 2023 were phishing attacks: emails or text messages that tried to convince employees to give their credentials to fake websites, download and install malware, or even hand over information or money directly to scammers and other attackers.
So is there an inexpensive way of training employees in cyber awareness, and making it stick? There are multiple ways, in fact. Cybersecurity providers recommend regularly testing employees' awareness by confronting them with real-time, real-life 'threats' that give them immediate feedback on how accurate their responses are. Here are four such easy tests.
Send your own 'phishing' emails
Are your employees prone to opening and clicking on anything and everything? Create your own dodgy links and suspicious websites, and then send your own messages and emails to the employee database encouraging them to open those links and log in. And if they fall for it, they get a message that they have been fooled. Harmless, but memorable, and easy to set up with some automation.
Set up your own malware traps
Do your employees install all kinds of random apps and programs? Do the same thing as the phishing emails: create your own dodgy software that locks the employee's computer, blast it out to the employee database, and see who falls for it. When they have to bring their IT assets in to be unlocked and get a scolding for installing suspicious material, however harmless, the lesson will stick.
Send reminders during high-risk seasons
Cyber attacks soar during festive seasons, like the upcoming Holi holiday. Set up automated messages reminding your employees not to blindly open greeting emails or click on suspicious links. You can track the open and read rate of these messages to get an idea of whether people are actually paying attention.
Test people with social engineering
If your IT team is savvy and has some time to spare, they can use generative AI to create fake personas – someone from another department, a vendor, or a customer – and see if these fake personas can fool people into giving away information they should be keeping confidential. This is particularly important, because many cyber criminals today are already using generative AI to scam unwitting victims. By carrying out your own internal 'scam', you enlighten employees to the possibility of such a trick being pulled on them.
Why do these methods work?
Put simply, the above tests reinforce employees' awareness of cybersecurity and, in a harmless way, make them reluctant to get it wrong. Such tests draw on psychological research showing that emotional experiences can improve learning, memory, and attention. If someone is surprised and embarrassed by getting a message scolding them for risky or stupid behaviour, they will remember not to do it again just as effectively as if they had actually lost money to that behaviour – and without having felt the pain of the financial loss.
These tests also communicate the organisation's expectations around security, more clearly than any written policy or one-off employee training would. They generate data that helps the organisation better understand how savvy the workforce is and how to better train them.
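The data these tests generate is only useful if it is turned into measures the organisation can act on. The following is an added illustration, not code from the article or from any vendor: it scores a simulated-phishing campaign from a constructed event log (one line per "sent", "opened", "clicked" or "reported" event; the log format, user names and department names are assumptions) and reports, per department, how many people clicked the lure versus how many reported it, plus the list of people who clicked without reporting and should get refresher training.

```python
"""Score a phishing-simulation campaign from an event log.

Added illustrative example, not from the article. The log format, the
users, the departments and the event names are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log: "timestamp,user,department,event".
#   sent     - the simulation email was delivered to the user
#   opened   - the user opened the message
#   clicked  - the user followed the link (and saw the training notice)
#   reported - the user forwarded the message to the security mailbox
SAMPLE_LOG = """\
2024-03-20T09:00:01,alice,finance,sent
2024-03-20T09:00:01,bob,finance,sent
2024-03-20T09:00:01,carol,sales,sent
2024-03-20T09:00:01,dave,sales,sent
2024-03-20T09:00:01,erin,it,sent
2024-03-20T09:03:12,alice,finance,opened
2024-03-20T09:04:40,alice,finance,clicked
2024-03-20T09:05:02,bob,finance,opened
2024-03-20T09:05:30,bob,finance,reported
2024-03-20T09:10:11,carol,sales,opened
2024-03-20T09:10:45,carol,sales,clicked
2024-03-20T09:11:00,dave,sales,opened
2024-03-20T09:11:20,dave,sales,clicked
2024-03-20T09:20:00,erin,it,reported
"""

KNOWN_EVENTS = ("sent", "opened", "clicked", "reported")


@dataclass
class Outcome:
    """Per-user result of one campaign, collapsed from its events."""
    department: str
    opened: bool = False
    clicked: bool = False
    reported: bool = False


def parse_log(text):
    """Collapse the event lines into one Outcome per user.

    Blank lines and unknown event types are ignored so that a noisy
    export does not abort the whole report.
    """
    outcomes = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        _timestamp, user, department, event = line.strip().split(",")
        if event not in KNOWN_EVENTS:
            continue
        outcome = outcomes.setdefault(user, Outcome(department))
        if event == "opened":
            outcome.opened = True
        elif event == "clicked":
            outcome.clicked = True
        elif event == "reported":
            outcome.reported = True
    return outcomes


def department_metrics(outcomes):
    """Click rate and report rate per department, as fractions of users sent the lure."""
    counts = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for outcome in outcomes.values():
        tally = counts[outcome.department]
        tally["sent"] += 1
        tally["clicked"] += int(outcome.clicked)
        tally["reported"] += int(outcome.reported)
    return {
        dept: {
            "sent": tally["sent"],
            "click_rate": tally["clicked"] / tally["sent"],
            "report_rate": tally["reported"] / tally["sent"],
        }
        for dept, tally in counts.items()
    }


def followup_list(outcomes):
    """Users who clicked and never reported: candidates for refresher training."""
    return sorted(user for user, o in outcomes.items() if o.clicked and not o.reported)


if __name__ == "__main__":
    results = parse_log(SAMPLE_LOG)
    for dept, metrics in sorted(department_metrics(results).items()):
        print(f"{dept:8s} sent={metrics['sent']} "
              f"click_rate={metrics['click_rate']:.0%} "
              f"report_rate={metrics['report_rate']:.0%}")
    print("follow-up training:", ", ".join(followup_list(results)))
```

Tracking the report rate alongside the click rate matters: a department where nobody clicks but nobody reports either has learned to ignore suspicious mail, not to raise the alarm, and the two behaviours call for different follow-up.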
So if you are strapped for resources and unable to hire the cybersecurity talent you need, this is the next best step: a simple, low-cost method of teaching employees to reduce the risk they present to your organisation.