According to an InfoScales report, 95% of successful cyberattacks have human error as the leading cause – most notably company employees falling for phishing scams. This is an important observation, as cybersecurity efforts often intuitively focus on strengthening an organization's technical controls to prevent data leakage, willful exfiltration and systems intrusion, for example.
The fact that human error, or rather social engineering, is a major component leveraged by attackers in carrying out a successful breach signifies that a careful attitude among employees towards handling data and computer systems is key to ensuring the organization's success with regard to security.
Here are five ways in which your organization can realize the benefits of implementing a hands-on information security awareness program for non-technical and technical employees alike.
1. Deter phishing and vishing attacks by a massive amount
No matter how strong your organization's security controls, firewalls and email endpoint scanners are, the efforts won't go far if an unsuspecting employee clicks on a malicious link in an email and enters their credentials on a phishing page, effectively enabling an attacker to "hijack" the corporate systems with the same privileges as the employee's. A hands-on program that trains employees to distinguish legitimate emails and phone calls from suspicious ones, such as a call from the "CEO" asking for a highly sensitive payroll spreadsheet of all employees, can better equip them to handle unexpected situations and requests to which they may otherwise fall prey out of hesitation.
Technical solutions offered by third parties exist, for example in the form of Microsoft Outlook integrated plugins which let employees report a suspicious-looking email directly to the company's "phishing mailbox" for review by internal security personnel. If this is done properly even by one vigilant employee, the organization's 24/7 Security Operations Center (SOC) unit can immediately "pull" every copy of the suspicious email from the mailboxes of all other employees before they even get to it in the morning.
With comprehensive hands-on training, the high probability of an employee reporting a phishing email greatly outweighs the risk of even one naïve employee falling for it.
2. Remain compliant with regards to information handling
When your employees are better equipped with knowledge to handle sensitive information, your organization naturally becomes more compliant with requirements commonly demanded by privacy legislation, such as HIPAA, GDPR and EU-centric laws such as those around "geo-blocking" – this one especially applies to software developers and information security professionals who may not realize how blocking traffic from certain regions to deter DDoS attacks can actually be in violation of the law.
Taking measures to educate your employees about different aspects of security can spontaneously foster a culture in which team members, for example, do not share sensitive information informally over IMs or other insecure channels, and where IT professionals design and manage systems while ensuring no laws are being violated in doing so.
3. Strengthen physical perimeter security
Security is a multifaceted concept and, as the saying goes, is "only as strong as the weakest link." No matter how extensive they are, all digital security measures are futile if a malicious actor is able to gain physical access to your servers and critical systems to fiddle with them.
While access controls exist, such as RFID-powered door locks and "no re-entry" emergency exits, social engineering remains a major unaddressed culprit here. It is not too difficult to imagine a scenario where an imposter standing right by an office building entrance simply follows a legitimate employee who is authorized to access the building, a practice known as piggybacking or tailgating.
Sometimes a person may not be paying attention to who is "tailgating" them, while other times it may be seen as customary to "hold the door" for someone out of politeness, even for a stranger. And just how many times do legitimate employees genuinely forget to carry their ID badges with them? An imposter could easily make such an excuse to the person they are tailgating, if asked.
This seemingly harmless custom can have significant consequences. What if this imposter is then able to gain physical access to just one computer system and plug in a USB drive in an attempt to exfiltrate data? Or perhaps the imposter is an investigator hired by a competitor merely to survey the workplace and take photos.
To prevent such scenarios, having strict company policies in place, along with proper information assurance training, ensures that the message on how employees should handle "awkward" social situations is communicated throughout the company.
4. Minimize the risk arising from breaches and negative publicity
Educated and security-aware employees are less likely to fall for social engineering attacks which would lead to a data breach. This alone extends to protecting valuable assets, minimizing the leak of intellectual property, and protecting brand reputation as a whole. Companies taking proactive measures to get ahead of malicious attackers lurking in cyberspace may also appeal to investors and build increased trust with the general public. Conversely, the opposite is also true. Companies hacked recently have experienced their fair share of troubles attracting new clients.
5. Protect employee personal information
Given that news headlines are frequently about customers who are negatively affected by security breaches, it is commonly assumed that the 'personal information' to be protected at any cost is that of the customers and business associates. This is not always true, however. As noted with the well-documented Sony data breach, it was the employee data which was compromised, for which the company agreed to pay up to $8 million in compensation. A mainstream "customer" of the studios buying film tickets was not directly impacted by the breach.
Despite being an unfortunate occurrence, cases like this help reinforce a security mindset, as they help demonstrate to your organization's employees that following cybersecurity best practices benefits everyone, including the employees themselves.
In conclusion, a cybersecurity awareness program for employees, when designed properly as opposed to a mere "drill exercise", can benefit your company's employees, culture and reputation, and save a lot of hassle that may arise in future with the growing number of threats and attacks in cyberspace.