The first-ever National Cybersecurity Awareness Month took place two decades ago — a time when most people had never heard of Facebook and more than a third of Americans didn’t even have internet access. Today, over 97% of Americans are online and digital literacy has become integral to how we work and interact. Rapidly emerging technology like AI is fundamentally reshaping the workplace and the economy, a process that could usher in a new era of productivity and creativity, but which also presents urgent cybersecurity risks.
Cybersecurity has never been a higher priority for companies than it is right now. As more of our activities have migrated online, cybercriminals have relentlessly exploited this digital transition. Cyberattacks are increasingly frequent, and they’re capable of inflicting more severe financial, operational and reputational damage. This is why cybersecurity investments are on the rise, a trend that will continue to gain momentum.
Security leaders need to know which strategies and resources will put their budgets to the best possible use. For example, at a time when over two-thirds of data breaches involve a human element and phishing is the attack vector behind a substantial proportion of cyberattacks, cybersecurity awareness training is critical. New technologies like AI have made social engineering even more effective — a reminder that employees need adaptive training programs that help them identify and resist the latest cybercriminal tactics.
Cybersecurity awareness training must evolve to meet the challenges of a shifting cyberthreat landscape. Awareness Month is an excellent time for CISOs and other security leaders to assess their approach to employee training and determine whether it’s overdue for an update.
Effective cybersecurity awareness training is always oriented toward securing sustainable behavioral change, which is why it must be as relevant, engaging and actionable as possible. Security leaders are responsible for implementing training programs that cover real-world cybercriminal tactics, such as the use of AI to compose compelling and error-free phishing messages. In practice this means employees can no longer rely on red flags like spelling, syntax and grammatical errors; they must instead be able to recognize the manipulation itself, such as a manufactured sense of urgency or coercive and threatening language.
Social engineering attacks rely on many forms of psychological manipulation, which are often targeted to exploit employees’ unique vulnerabilities. This is also enabled by AI — as Microsoft reports, cybercriminal organizations are using AI for reconnaissance to identify specific vulnerabilities. This is one of the reasons training should be personalized on the basis of employees’ specific psychological vulnerabilities, learning styles and behavioral patterns. Personalization won’t just address employees’ unique weaknesses and build upon their strengths — it will also keep them more engaged, which improves information retention.
Accountability is a key aspect of real-world cybersecurity awareness training. CISOs and other security leaders can evaluate employees’ state of cyber-readiness with assessments such as simulated phishing, and they can use the data generated by these assessments to refine employees’ personalized training. This process enables security leaders to establish individual behavioral profiles for all employees, which will help them customize training and track performance across the organization.
Gartner projects that global spending on information security will reach $212 billion by 2025, a 15% increase from this year. Over three-quarters of business and technology executives expect their cyber budgets to rise in the coming year. It’s essential for CISOs and other security leaders to help their companies allocate these surging budgets effectively, and cybersecurity awareness training has long proven to be a sound investment.
According to IBM, employee training is the single largest factor that mitigates the cost of a data breach, outranking AI insights, identity and access management, encryption and many other major cybersecurity resources. While this is encouraging, it’s also a reminder that social engineering continues to be the weapon of choice for many cybercriminals — particularly as AI tools like large language models (LLMs) and deepfakes make deception and manipulation easier than ever. While cybersecurity awareness training can thwart many of these attacks, phishing and other types of social engineering are still far too effective.
While employee training is a top investment immediately following a data breach, it shouldn’t take a successful cyberattack to spur security leaders into action. Proactive cybersecurity awareness is crucial, particularly as the costs of cyberattacks continue to surge. CISOs and other security leaders are responsible for monitoring the evolving cyberthreat landscape and preparing employees for a wide range of potential cyberattacks — from LLM-generated phishing to supply chain infiltration (which has been a growing problem in recent years) to physical security breaches such as device theft.
The best way to ensure that cybersecurity awareness training is proactive is to show employees how to think critically about all of their digital communications and behavior. This means inculcating a set of healthy cybersecurity behaviors — such as verifying the authenticity of all communications, analyzing the content and tone of messages and reporting all suspicious activity — and reinforcing those behaviors until they become second nature.
Companies have never faced a more diverse and destructive array of cyberthreats. IBM reports that the average cost of a data breach reached $4.88 million in 2024 — an all-time high after the largest year-over-year increase since the COVID-19 pandemic. While cutting-edge technology like AI has played a role in helping security teams detect potential threats, it has also created entirely new vulnerabilities. Over two-thirds of security leaders say generative AI has increased their attack surface over the past year, and Microsoft warns that AI will inaugurate a “new era of phishing schemes.”
It’s no wonder that the 2024 Allianz Risk Barometer found that cyber incidents constitute the “top global business risk — for the first time by a clear margin — and across all company sizes.” The cyberthreats companies confront are constantly evolving, which is why cybersecurity awareness training programs must be adaptive. For example, training must account for AI-powered phishing attacks by emphasizing the psychological weaknesses these attacks exploit and demonstrating how conventional methods of detection (like identifying errors) are no longer effective. AI has eliminated barriers to entry for cybercriminals around the world, as it enables them to produce high-quality and targeted phishing messages at scale — regardless of their native languages or level of technical skill.
CISOs and other security leaders can help employees resist these evolving threats by reinforcing core cybersecurity principles, such as verify before you trust. This principle acknowledges that social engineering attacks are becoming more sophisticated and urges employees to think critically about the provenance of the communications they receive, especially when sensitive data or access is involved. Some cybercriminals even use deepfakes to launch multi-layer attacks: an employee calls to confirm the authenticity of a request and ends up talking to an AI-generated voice instead of a real person. Verification therefore has to go through a channel the requester did not supply, for example a phone number from the corporate directory rather than one printed in the message, and training should make that distinction explicit.
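As an added example (not code from the original article), the following Python script triages a user-reported message against the cues discussed here and in the earlier list of healthy behaviors: whether the message authenticated (the SPF, DKIM and DMARC verdicts that the receiving mail server records in the Authentication-Results header), whether the Reply-To points at a different domain than the visible sender, and whether the text carries the urgency or coercion language that training now has to emphasize instead of spelling errors. It uses only the standard library; the two sample messages, the domain names and the phrase lists are constructed for illustration and are assumptions, not data from any real incident.

```python
"""Triage a user-reported e-mail against the 'verify before you trust' cues.

Added example for this article, not code from the original page. Uses only the
Python standard library. The sample messages, domain names and phrase lists
below are constructed for illustration (assumptions, not real incident data).
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Language cues the article says training must now emphasize instead of typos:
# a sense of urgency, and coercive or threatening language. (Assumed lists.)
URGENCY_PATTERNS = [
    r"\burgent(?:ly)?\b",
    r"\bimmediately\b",
    r"\bwithin (?:the next )?\d+ (?:minutes|hours)\b",
    r"\bright away\b",
]
COERCION_PATTERNS = [
    r"\baccount (?:will be )?(?:suspended|terminated|locked)\b",
    r"\blegal action\b",
    r"\bdo not (?:tell|inform|contact)\b",
    r"\bfinal (?:notice|warning)\b",
]

# Constructed samples (not real mail). Header lines must start at column 0.
PHISH = """\
From: "IT Helpdesk" <helpdesk@example.com>
Reply-To: helpdesk@example-support.net
To: alice@example.com
Subject: Action required: password expires today
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example-support.net; dkim=none; dmarc=fail header.from=example.com
Content-Type: text/plain; charset="utf-8"

Your account will be suspended within 2 hours unless you verify your password immediately. Do not contact the helpdesk by phone, use the link below.
"""

LEGIT = """\
From: "Payroll" <payroll@example.com>
To: alice@example.com
Subject: Pay stub for September
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
Content-Type: text/plain; charset="utf-8"

Your September pay stub is available in the HR portal as usual. No action needed.
"""


def _domain(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def auth_results(msg):
    """Collect the spf/dkim/dmarc verdicts the receiving MTA recorded in
    Authentication-Results (RFC 8601). Mechanisms not reported are absent."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(hdr), re.I):
            verdicts[mech.lower()] = verdict.lower()
    return verdicts


def _matches(patterns, text):
    """Return the concrete phrases that matched, in pattern order."""
    return [m.group(0) for p in patterns for m in re.finditer(p, text)]


def triage(raw_message):
    """Score one reported message. Returns the individual findings plus a
    verdict: 'report' (escalate to the SOC), 'review', or 'ok'. This is a
    triage aid that surfaces the same cues the training teaches, not proof."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + "\n"
            + (body.get_content() if body else "")).lower()

    # Authentication: anything other than an explicit 'pass' is a finding,
    # including a missing mechanism, so unauthenticated mail is never 'ok'.
    auth = auth_results(msg)
    auth_failures = [f"{m}={auth.get(m, 'missing')}"
                     for m in ("spf", "dkim", "dmarc") if auth.get(m) != "pass"]

    # Provenance: a Reply-To on a different domain than the visible sender
    # redirects the victim's answer to the attacker.
    from_domain, reply_domain = _domain(msg.get("From")), _domain(msg.get("Reply-To"))
    reply_to_mismatch = bool(reply_domain) and reply_domain != from_domain

    urgency = _matches(URGENCY_PATTERNS, text)
    coercion = _matches(COERCION_PATTERNS, text)

    if auth_failures or reply_to_mismatch or len(urgency) + len(coercion) >= 2:
        verdict = "report"
    elif urgency or coercion:
        verdict = "review"
    else:
        verdict = "ok"
    return {"auth_failures": auth_failures, "reply_to_mismatch": reply_to_mismatch,
            "urgency": urgency, "coercion": coercion, "verdict": verdict}


if __name__ == "__main__":
    for name, sample in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, triage(sample))
```

The verdict deliberately ignores whether the message contains typos, which is the point the article makes: the signal is the manipulation (deadline, threat, instruction not to contact anyone) and the provenance (authentication failures, redirected Reply-To), not the polish of the prose. A forwarded legitimate message can also fail SPF, so the script classifies for human review rather than deciding on its own.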
We have entered a new era of cyberthreats, and employees must be equipped to defend the company from more cunning and effective attacks than ever. By instilling cybersecurity principles at every level of the organization, CISOs and other security leaders will establish a healthy culture of cybersecurity.