Why We Love Security Awareness Training Solutions

Security Awareness Training (SAT) was a small but vibrant corner of cybersecurity until recently. About 3 years ago, cyber-insurance policies became more widespread (concurrent with a huge increase in ransomware, not surprisingly). In the first year or two, many cyber insurance policies asked whether companies were conducting any proactive security awareness training of users, then made this training mandatory when the policies came up for renewal. Insurance actuaries, CISOs, and Managed Service Providers (MSPs) like Onward could see the results clearly: SAT works and would become a lot more widely used in a short amount of time.

Onward has been providing SAT as a partner of many of the most widely renowned solutions for over 5 years, and we’ve learned how to help clients choose an SAT solution and what makes the good providers stand out from the rest.



Key features of an effective SAT solution

A huge training library with regular updates

  1. You should not consider any SAT solution with only one series of security content, or with videos that are all the same length. Major players in this field provide content of varying lengths that can be delivered in 5, 15, 30, or 60-minute training sessions depending on the level of detail you need.
  2. Your SAT solution should have lots of different training options: webinars, videos, games, brandable content, and more. You don’t know what will be effective with your users until you experiment, and all training methods have diminishing returns. You need to have a lot of choices to keep the training interesting, effective, and short.

Active, targeted Phishing campaigns

  1. Some SAT solutions only provide training. You choose the videos your users watch; they watch them and get a certificate. While this may pass the minimum insurance requirement, it gives you no actionable information about your risks or how effective your training is.
  2. Good SAT solutions provide a platform to phish your users intentionally and monitor the results. Current events, internal email spoofing, banking emails, and more can be sent by your SAT platform to see what tricks your users into providing their information or responding to a fake email from the CEO.

Phishing reports

  1. Building on feature #2, good reporting must be easy to access and visually useful. The best SAT solutions make it easy to cross-reference effective phishing emails with vulnerable users, so you can target your training where it’s needed and reward users who pass phishing tests.

Data-driven automation

  1. The most disappointing result for SAT is seeing clients who implemented it once to pass an insurance requirement, then forgot about it. You need an SAT solution that can be configured from the start to be autonomous, with phishing emails that update automatically and continually challenge users.
  2. Automated, targeted training should be easy to set up and monitor for users who fail phishing tests. Reports to management about who is in training (and who is falling behind) should all be automated.

Why we love SAT

Clients frequently ask me what benefits they can expect from security awareness training. This can be difficult to calculate, but I usually conduct something like this:

1.)  In the past year, how many productive hours did your users lose from email-based security incidents? Calculate revenue lost by multiplying the hours by your average revenue per employee

  • Onward’s Managed Services and Managed Security clients have this information already in the customer portal

2.)  How much data was lost to email-based security incidents, and at what cost (reputation, fines, insurance, etc.)?

3.)  Add these costs together – if they are more than your SAT solution, you should purchase and implement SAT


When we implement SAT solutions for our clients, we make sure to set up some SMART goals:

  1. How many users will be phished, at what frequency, and how often tuning should occur (usually every 90 days)
  2. Initial training goals
  3. Retraining parameters (for example: users who fail 2 phishing tests in any quarter)
  4. Rules of engagement: there is an art to phishing your own users. We like to monitor the results and see what is effective, tuning and improving the campaigns continually. Some clients like us to implement whatever we recommend for maximum phishing effectiveness, while others like the campaigns to run autonomously and training to run on a schedule. We set the rules at the outset and ensure clients know what to expect.
      • This is different for every client because corporate cultures vary. Many firms don’t even tell their users they are being phished intentionally. In this case, we need to know how to respond to service requests about phishing emails, and how hard to press the phishing campaigns. A good working relationship with the SAT administrators is crucial. Onward has vast experience conducting these, and some very skilled operators.

If SAT is implemented correctly for your firm, you should see results like this test group:

Figure 1 

You would expect the Risk Score to go down over time, but this is not the goal. What we see here is the result of skillful administration of the SAT solution to find the firm’s true risk score. If the risk score decreases continually, your campaigns are likely not difficult enough. 

Looking more deeply into the results, our groups all have different results: 

Figure 2

Clearly some groups have higher scores, and some lower. The graphic is from KnowBe4, which is nicely integrated into Microsoft Active Directory to automate user enrollment and conveniently sort users into groups.

With campaigns configured properly, the risk scores overall converge to a True Risk Score.

Something happened in current events in March of 2020 that made our test users susceptible to phishing emails: the COVID-19 outbreak. This presented an opportunity to proactively test our users (internally and at client sites) for their resilience to inevitable scam and phishing emails.

With this information, we can set up clear and targeted training campaigns that automatically enroll anyone who fails a phishing test. This relieves the burden of tracking down which users did their training and which failed the test, and takes the guesswork out of your user-based risks.

With so much sensitive information at the hands of users, it’s critical to make sure they have the training they need to stay safe online. A good Security Awareness Training solution is key to ensuring that happens and security doesn’t get pushed to the back burner by your users.

Want to hear more about how Onward Technologies could help your organization with security awareness? Learn more!