During his time at Mimecast, Duane Nicol has experienced some of the largest and most exciting shifts and trends in the cyber security landscape and has become a passionate advocate for cybersecurity awareness training. Duane, now the Product Manager for Mimecast’s Awareness Training product, shares insights with the market on employee behavior, and looks to increase engagement and the overall investment an employee makes in security and general IT. With this extensive career in cybersecurity, Duane has a proven understanding of risk within the enterprise and continues to drive measurable value, derived from working with internationally recognized groups spanning the healthcare, finance and technology verticals.
The number of critical cyber incidents is growing steadily, and the hackers’ and fraudsters’ methods are becoming more and more sophisticated. While phishing emails were once easy to spot, this is no longer the case. Cybersecurity awareness training is one of the most effective means of counteracting any type of phishing attack, be it via email or collaboration tools, or attempts at social engineering. However, according to Mimecast’s recent State of Email Security report, this only happens on an ongoing basis at 23% of the organizations surveyed.
Communicating the added value of training
To get the most out of a cybersecurity awareness program, the training and its context must be embedded throughout the organization. This type of training is too non-committal in many organizations. It is only seen as a tick box, a compliance exercise, at best. Often, employees simply lack a tangible context for why ongoing training in this area is important. Communication plays an incredibly central role in this. Employees need to know not only that clicking on a potentially harmful link can have fatal consequences but why, and how it fits into their daily responsibilities.
Simultaneously, organizations should encourage employees to report suspicious emails regardless of whether the report turns out to be correct or whether the email was part of a pre-planned test. Engaging employees at all levels in this process is critical to a cybersecurity training program’s success.
Cybersecurity awareness must be incorporated into corporate policy
It is crucial that companies integrate security awareness training into their human resources policies. Mistakes happen and phishing is designed to trick humans. Organizations should encourage employees to come forward quickly if they think they have made a mistake, creating a safe space and, crucially, not giving potential malicious actors a head start inside a company’s system.
Cybersecurity awareness training as a job requirement
The job posting should make it clear that cybersecurity awareness training is part of every job within the company – from the receptionist to the CEO – much as a driver’s license is mandatory to drive a car.
As an employer, isn’t it quite normal to set certain requirements for employees? Completion of cybersecurity awareness training should be included in all job descriptions and in all performance reviews. What’s more, safe online behavior is a skill that transfers to employees’ personal lives, one that family and friends can also benefit from.
Cyber security is teamwork
A company’s cyber defenses are only fully functional if all employees contribute. It is easier to make new employees aware from the very beginning that IT security training is part of their job than to bring senior colleagues on board at a later stage. Again, it must be clearly communicated that it takes the entire team to protect the company from cyberattacks. Training programs are more likely to be accepted and adopted if those responsible openly report on the positive results and clearly demonstrate the progress that the company as a whole has already made thanks to the efforts of each individual. This can be as simple as a weekly dashboard update on the decreasing number of ‘dangerous’ clicks and increased reported emails. A sort of friendly competition between departments provides additional motivation for employees.
Tonality is key
Anyone who always feels ‘suspected’ of unintentionally harming rather than benefiting their company in their daily work will soon start to feel resentful and not perform at their best. The way around this is to adjust how cybersecurity awareness training is communicated. Subtle adjustments in language use, for example, can work wonders and ensure that the topic of cybersecurity awareness is better received within the company. Employees who are addressed as “cyber citizens” rather than “end users” in training sessions find it easier to establish cyber secure behavior as a continuous learning process in their mindset – not just as employees in the office, but everywhere and at all times.
Joint responsibility for safety
Cybersecurity awareness training as a continuous component of a multi-layered cyber defense is just as important as, for example, staying compliant with local legal obligations. The best results can only be achieved if every employee understands and internalizes the importance of this type of training. With the right HR policies and program initiatives, companies can ensure that responsibility rests equally with everyone – a big win for any company in terms of cyber resilience.