External and insider cyber threats are evolving. Externally, cybercriminals are increasingly adopting AI-enabled tools, which enable them to manipulate human behavior more effectively. Their tactics are more personalized and convincing, making traditional cybersecurity measures insufficient. Similarly, insider threats are becoming more significant as workers access sensitive data and AI tools continue to evolve. Organizations must improve cybersecurity technology and employees’ cybersecurity awareness to combat this trend.
AI tools have altered the landscape of cyber risk by rendering former countermeasures obsolete. Large language models can now generate phishing emails with perfect grammar and personalization, and AI tools allow novice cybercriminals to replicate highly effective cyber-attack campaigns. For example, a cybercriminal may use LLM-generated messages and a botnet to send thousands of personalized attacks to targeted victims in a fraction of the time it would take humans to do so. AI can scan a company’s website, employees’ social media profiles, news articles, and public databases to gather details about employees, operations, and organizational structure. With a well-crafted prompt, an AI-generated email could refer to real projects or address someone with obscure details of their life that are typically known only to people close to them. These methods can make such emails indistinguishable from legitimate communications. Moreover, red flags like bad grammar or odd phrasing have been largely eliminated by LLMs, making the old cues that employees were trained to look out for obsolete. Beyond written content, synthetic voice and video technologies enable deepfakes that impersonate trusted figures. For example, a UK company fell victim to a CEO voice impersonation scheme, losing $250,000.
In addition to outsider threats from cybercriminals, insider threats also pose a significant risk. The term “insider threat” often evokes ideas of corporate espionage or even real spies, but the most common insider is usually humdrum. Employees frequently disregard organizational data privacy and security policies in favor of faster and easier options that ignore security concerns. A common example is employees who send work-related files through personal email. Personal email accounts usually have a lower security threshold and violate organizational data retention and backup procedures. This behavior may create legal compliance risk and increase exposure to cybercriminals. Similarly, employees who download unauthorized software may compromise their devices and the systems to which they are connected. These seemingly innocuous mistakes can result in organizational system compromise.
Insider threats are also growing due to employees’ access to sensitive data in out-of-the-office environments. Hybrid and remote work can reduce oversight and promote the use of personal devices for professional tasks. Finally, although not a new concern, departing employees can also pose security risks. Whether out of anger, resentment, or opportunism, some may take sensitive files with them, delete records, or attempt to damage systems on their way out.
This points to an urgent fact: employee training must evolve alongside cybersecurity risks.
Modern Training Is the Front Line of Defense
The quality and structure of employee training are critical to a robust cybersecurity program. A keystone principle of cybersecurity is that it is not just an IT issue—HR and other organizational leaders play a crucial role in fostering a security-aware business. This means going beyond legal and technical compliance by also focusing on awareness programs that promote human behavioral change. An effective employee training program helps people internalize secure practices as part of their daily routines.
Leaders can implement these modern training practices:
- Realistic and Practical Learning
  - Real-world scenarios: Training should reflect the types of threats that employees will likely encounter. For instance, phishing emails that look realistic, vishing attempts, or risky behaviors such as using a personal email for work purposes.
  - Interactive content: Games, quizzes, and branching scenario exercises help users engage with the material and apply their knowledge, leading to more durable behavior changes.
  - Focus on relatable content: While entertaining content may improve engagement, overly dramatic or stylized training might fail to prepare employees for practical decision-making. Realism is more effective than entertainment.
- Simulated Experiential Learning
  - One of the most effective tools for internalizing cybersecurity practices is simulation. By periodically sending mock phishing attacks, organizations can test employee awareness and measure progress over time. These simulations provide low-stakes opportunities for failure and learning, often sparking essential conversations among teams about how to handle suspicious messages. Over time, simulations help normalize cautious behavior, such as verifying requests through a second channel or reporting unusual messages immediately.
- Microlearning
  - Supplementing foundational learning, microlearning delivers frequent, short lessons. This format respects employees’ time while reinforcing key concepts regularly enough to make them stick. A two-minute module every month is likely to influence behavior and maintain learned practices. This microburst format also enables companies to remain agile, introducing new topics and adapting to emerging threats.
A secure cybersecurity environment depends on employee behavior and awareness as much as it does on secure networks and robust security credentials. As threats grow more personalized and deceptive with the use of AI-enabled technologies, the human element is both the greatest vulnerability and the strongest line of defense. To meet this challenge, HR, IT, and leadership teams must work together to build a security-conscious culture in which employees aren’t just informed but equipped to act. Training should be viewed not as a compliance task but as a strategic investment in the organization’s resilience.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.