We've compiled 32 free resources from sources like the Infosec Institute, SANS, the FTC, and more to help you develop and improve on your cybersecurity training program.
According to Ponemon Institute's 2019 Global State of Cybersecurity in Small and Medium-Sized Businesses report, phishing and social engineering attacks were the most common cyber attacks faced by SMBs. Negligent and unknowledgeable employees pose a serious risk to businesses, so it's important to make sure your employees are properly trained in cybersecurity. However, SMBs often struggle with developing cybersecurity awareness training programs due to:
We’ve compiled a list of 32 different resources to help SMBs better prepare their workforces for cybersecurity. Every entry is free (or part of a free trial) and created by professionals in the field of information security. The list is organized in no particular order. We also created a free Cybersecurity Awareness Training Guide you can download to train your employees on best practices for maximum password security, how to identify phishing attacks, and more.
Organization: Center for Internet Security (CIS)
Twitter: @CISecurity
The Center for Internet Security (CIS) offers 20 “controls” so that organizations can better classify themselves and improve their security. CIS Control 17 teaches the ins and outs of putting a training program into place. All the controls are available to organizations in a single set, but in this particular module, you’ll learn to:
Organization: CISA
Twitter: @CISAgov
According to the Department of Homeland Security's website, Cyber Storm “provides the framework for the most extensive government-sponsored cybersecurity exercise of its kind.” This program is meant for both private and governmental organizations to better prepare for cyber issues. Participants will:
Organization: CISA
Twitter: @CISAgov
One of the best ways to train a team is through gamification. The National Initiative for Cybersecurity Careers and Studies (NICCS) put together a trivia game to test your employees' cybersecurity knowledge and engage with them. This trivia can be a good starting point to assess areas of weakness. Both the game and instructions are downloadable on the site.
Organization: Cybrary
Twitter: @cybraryIT
Cybrary offers a vast number of courses from beginner to advanced. The “End User Awareness” course is an introductory look into cybersecurity. Being aware of potential threats, what they look like, and how to deal with them is very important. This course teaches:
Organization: DNI NCSC
Twitter: @ODNIgov
This resource from the NCSC under the Office of the Director of National Intelligence provides three courses designed to raise cyber awareness. The training series covers fundamentals for those who are new to the cyber realm and also dives deeper into the specifics of cyber attacks. You and your team will learn:
Organization: FedVTE
Twitter: @CISAgov
This FedVTE course is a high-velocity, 6-hour introduction to the fundamentals of cyber risk management. There are more than 30 modules, each split up into small and manageable chunks of time. Most of the short sessions include a downloadable lesson PDF to make it easier for attendees to follow along. Some of the modules include:
Organization: FEMA
Twitter: @FEMA
This course designed by FEMA provides guidance on how to improve workplace security awareness and covers how to identify potential security risks, measures for improving security, and actions your organization can take to respond to security incidents.
Organization: FTC
Twitter: @FTC
The FTC has put together a number of learning materials on their website to help SMB owners learn the basics for protecting their businesses from cyber attacks. These resources include:
Organization: FTC
Twitter: @FTC
There are cybersecurity quizzes to go along with many of the training modules on the FTC website. This is a great way for you and your team to see how well you understand basic cyber attacks and security principles.
Organization: FutureLearn
Twitter: @FutureLearn
This introduction to the world of cybersecurity is an 8-week course designed to help users understand online security and how to protect their digital lives. It's an accredited course by APMG, IISP and GCHQ. You or your team can join anytime to learn:
Organization: Gideon T. Rasmussen (Information Security Consultant)
Twitter: @gideonras
Gideon Rasmussen is an Information Security Consultant with past experience as Chief Information Security Officer (CISO), SVP Risk Control Officer, PCI Compliance Manager, and more. He compiled a bunch of security awareness tips, which cover a variety of topics including:
It could be a good idea to print these tips out and post them in common areas of the office or distribute them to your team via email every so often.
Organization: HHS
Twitter: @HHSGov
While designed for the U.S. Department of Health and Human Services, this two-part, interactive training course can be used for other organizations. Part one is the actual training, and the second is the Rules of Behavior (RoB). The purpose of this training is to help users identify the information that needs to be protected, common security threats, and best practices to secure data. The course includes:
Organization: HHS
Twitter: @HHSGov
Along with the Cybersecurity Awareness Training course mentioned above, the HHS also put together some role-based training resources for executives, IT admins, and managers. While the resources are geared towards HHS employees, they still cover relevant material for other organizations. For example, the resource for executives explains how security impacts the business, including capital planning and investment control and contract oversight.
Organization: Infosec Institute
Twitter: @Info__Sec
This kit helps you put together a 12-month security awareness and anti-phishing program that keeps employees engaged and informed. The kit includes:
Organization: Infosec Institute
Twitter: @Info__Sec
Phishing and social engineering attacks are the most common cyber attacks faced by SMBs. Infosec Institute put together this free phishing risk test to help you assess your organization's vulnerability to phishing attacks.
Organization: Infosec Institute
Twitter: @Info__Sec
Infosec Institute's library of industry- and role-based training resources is updated weekly so that you can deliver fresh and relevant cybersecurity training to your employees. Their library contains live action videos, humorous videos, compliance modules, and reinforcement tools such as posters and infographics.
Organization: Infosec Institute
Twitter: @Info__Sec
Another employee security awareness training resource from the Infosec Institute, this resource is ideal for small and medium businesses on the larger end of the spectrum. The more employees in an organization, the harder initiatives are to drive home. Materials, communication, and persistence are critical for adoption. This campaign kit helps you build a multi-layered security awareness program with humor.
Organization: Infosec Institute
Twitter: @Info__Sec
Marine Lowlifes is a cheeky play on words. Since the term “phishing” obviously correlates to “fishing,” Infosec Institute has dubbed phishing scammers as “marine lowlifes.” The campaign kit is meant to aid organizations in making their team aware of this common and dangerous threat in the inbox. With this program, you’ll teach your team “how to spot the most dangerous phish lurking in their inboxes.”
Organization: Information Warfare Site (IWS)
With over two dozen downloadable PDF and spreadsheet documents, the “Security Awareness Toolbox” is a library of useful information. These documents are compiled from sources all over the web, including the DoD and other expert organizations. While your organization may not need all of them, most of the items are useful. Available resources include:
Organization: Jigsaw | Google
Twitter: @Jigsaw
Carve aside some time when onboarding new employees or during a slower time for your business and have your employees take this phishing quiz. This quiz takes you through a number of scenarios, mostly email-based, to train you to identify phishing campaigns.
Organization: CISA
Twitter: @CISAgov
The National Initiative for Cybersecurity Careers and Studies (NICCS) is managed by CISA and has put together an entire “on-demand cybersecurity training system.” The course contains over 800 hours of cybersecurity training. Note that this resource is only free to use for government employees and veterans.
Organization: National Institute of Standards and Technology (NIST)
Twitter: @NISTcyber
This publication provides guidance for building an effective cybersecurity awareness and training program and walks you through four key steps in the life cycle of a security awareness program:
Organization: Pluralsight
Twitter: @pluralsight
This beginner level course offers a broad overview of information security and is intended to be foundational. With several hours of instruction, attendees will learn basic tenets of awareness, specific security measures, and different types of vulnerabilities and attacks.
Note: While Pluralsight isn’t a free platform, there is a free trial which provides ample time to complete all course materials.
Organization: Pluralsight
Twitter: @pluralsight
This offering is intended for management, executives, and security staff, and gives you the tools to create a culture geared toward information security. Not only will you understand the meaning of “security first,” but you’ll also walk away with the tools necessary to embed that practice into your entire company. This course was designed by Troy Hunt, the creator of "Have I Been Pwned."
Note: While Pluralsight isn’t a free platform, there is a free trial which provides ample time to complete all course materials.
Organization: SANS
Twitter: @SANSAwareness
OUCH! is “the world’s leading, free security awareness newsletter designed for everyone.” Cybersecurity takes everyone, and providing this resource to your team is one of the best ways to keep it at the top of their mind. Past issues are available right on the site, all free.
Organization: SANS
Twitter: @SANSAwareness
Where do you begin when building a security awareness program? SANS has put together a toolkit full of expert resources to help you plan and maintain an effective security awareness program. The toolkit includes:
Organization: SANS
Twitter: @SANSAwareness
The SANS Security Awareness Report is designed to help you make data-driven decisions that will mature your security awareness program. The 2019 report has great information, including:
Organization: SANS
Twitter: @SANSAwareness
The annual report mentioned above is a compilation of key data over the course of the previous year. However, SANS also offers a free blog dedicated to the topic of security awareness that is constantly updated (typically on a weekly basis). Here are a few great posts from the blog:
Organization: Springboard
Twitter: @Springboard
Springboard’s 38-hour “Foundations of Cybersecurity” free course provides foundational concepts for the cybersecurity field, including various types of attacks and how to protect our IT environments through tools and designs. While it may be more advanced than some on your team need, the course has several modules, including:
Organization: Stay Safe Online
Twitter: @StaySafeOnline
Watch this webinar, featuring Infosec, the FTC, and the Michigan Small Business Development Center, to learn about best practices and resources for creating a cyber aware culture for your SMB.
Organization: Stop.Think.Connect.
Twitter: @STOPTHNKCONNECT
Stop.Think.Connect. is a global online safety awareness campaign. They put together a list of resources for SMBs. Every one of these documents is a gift for SMBs looking to make sense of this seemingly confusing world. Here’s just a sampling of what’s there:
Organization: UC Santa Cruz
Sometimes it’s beneficial to see what other organizations are doing to create security awareness. UC Santa Cruz has made their comprehensive training available to the world on a single webpage. Essentially, it’s a compilation of in-house materials and links to beneficial resources for their team.