Prioritizing Employee Training in Cybersecurity Awareness

With limited training time, the focus has to be on habits that sit at the intersection of frequency and impact. The behaviors employees perform every day such as clicking links, approving access, or sharing data are where most incidents actually begin. So instead of trying to cover everything, it is more effective to build a few strong decision-making instincts.

The first is pausing and verifying before taking action, especially when something feels urgent or out of pattern. The second is being intentional about access and data sharing, understanding who is asking, what is being requested, and whether it is necessary. The third is recognizing unusual context, such as requests that bypass normal processes or come at odd times.

What makes these habits effective is that they are transferable. They apply equally to email, chat tools, SaaS platforms, and even AI systems. Rather than teaching specific threats, the goal is to help employees recognize situations that deserve a second look.

A finance team once received what looked like a routine message from a senior executive asking for an urgent document related to a vendor payment. The tone, signature, and timing all looked legitimate, and in most cases this type of request would have been processed quickly. However, the organization had recently introduced a simple reminder in their email interface prompting users to double check any request involving financial data or sensitive documents, especially if it created urgency.

Because of that prompt, the employee paused and noticed a small inconsistency in the sender address that would have otherwise been easy to miss. Instead of responding, they reported it. That one action led to the identification of a targeted phishing campaign that was attempting to collect financial documents across multiple teams. The attempt was contained before any data was shared.

What made the difference was not deep technical knowledge or a long training session. It was a simple behavioral trigger at the right moment. Traditional training often happens out of context and fades quickly, but well placed reminders and clear mental models influence decisions in real time.

Ultimately, with limited training time, success comes from reinforcing a few consistent instincts that interrupt risky actions when they matter most. When employees are guided to slow down, question context, and verify intent, they become an effective layer of defense without needing to be security specialists.

As Operations Director across our multiple Aquidneck Island locations, I prioritize teaching employees to manage our individual unit door alarms and surveillance systems first. These habits are the backbone of our facility management and ensure every client’s belongings stay protected within our climate-controlled units.

A simple training shift focused on immediate alarm verification during busy U-Haul rental cycles prevented a real threat when a unit was accidentally left unlatched. Catching that error before the facility shifted to access-only hours ensured the unit remained secure and protected.

This focus on high-impact basics allows our team to maintain a “spotless reputation” while managing logistics like our free local move-ins with Surv! By mastering these security fundamentals, we provide the clean and safe environment that gives our Middletown and Portsmouth customers total confidence.

When training time is limited, I focus on one thing first—recognizing reconnaissance.

Most people think threats just happen. They don’t. Someone almost always looks first, tests something, or comes back more than once.

So we train employees to notice patterns:

Who’s been here before that doesn’t belong?

What vehicle keeps showing up at odd times?

What behavior doesn’t match the environment?

Then we reinforce two things—control access, and report early.

That same mindset is what we’ve built into our platforms—flagging anomalies, tracking patterns, and giving real-time visibility instead of waiting for a report after the fact. That’s how prevention really works.

It’s not about teaching everything—it’s about teaching people what to look for before something happens.

Stay Alert!

Look Around! – criminals try to blend in with the environment.

You Know Your Workplace – better than the criminals and what is normal and what is out of place.

Train Your Teams – to immediately report things that might be suspicious. See something, Say Something.

Know What To Do – in the case of a robbery – Activate Panic alarms, hand over cash. Make your way to a safe room.

Trained many in how to prepare for and respond to civil unrest, resulting in greater protection and security during riots and protests.

At some point we decided that the security training for the new hires would be delivered by our CISO, directly and personally, rather than some other person within the organization. This helped to make security hygiene feel more personal for the new team members, and we could see this by how the Q&A with the CISO at the end of the training showed engagement from them.

Not only was there this qualitative improvement; security metrics related to some areas (i.e., phishing emails) improved since this was started, and the security awareness training participation and results also showed a change between those who got the training from the CISO and those who didn’t.

When you’re dealing with real sites, real people, and real risk, you cut straight to what causes the most incidents. For us, that’s always tailgating. Someone holds a door open for a stranger out of politeness, and suddenly an unauthorized person is inside a building with no record of entry.

That one habit costs businesses more than people realize. So that’s where we start every time.

We keep training tight and practical. No one remembers a three-hour slide deck. But they do remember a quick five-minute brief before a shift that focuses on one thing they’ll actually see that day.

A school we worked with had a real problem with unknown adults walking onto the grounds unchallenged. We introduced our K9 handlers and ran short, consistent briefings with staff about challenging anyone without a visible lanyard. Within two weeks, staff were stopping people at the gate. One of those turned out to be someone with no legitimate reason to be there.

That incident could have gone a very different way. The school had CCTV, but no one was trained to act on what they saw in real time. Training changed that fast.

The tech only works when the people behind it know what to do.

Bottom line: Start with tailgating and challenge culture. Keep training short and repeat it often. People, not cameras, stop most threats before they happen.