Everyone Matters in Staying Safe and Compliant: The Critical Role of Information and Cyber Security Awareness and Training


As founder of Pera Prometheus, I’ve encountered businesses of all sizes, each with varying degrees of security awareness. One common issue I often see is the confusion between Information Security and Cyber Security. While they are closely related, they are not the same thing; in fact, Cyber Security is an element of Information Security. However, there has been a recent trend to use the terms Information Security and Cyber Security interchangeably, which can cause confusion and, more worryingly, gives the impression that all information security is a technical procedure and therefore the dominion of IT. Businesses need to recognise that Information Security is a business issue, not a technical one.

Information Security vs Cyber Security: What’s the Difference?

Information Security is the broader discipline that focuses on protecting all forms of information, whether digital, physical, or intellectual property. This includes protecting data from unauthorised access, use, disclosure, disruption, modification, or destruction. It involves frameworks, policies, and best practices to ensure the Confidentiality, Integrity, and Availability of information; this is known as the CIA Triad.

Cyber Security, on the other hand, is a subset of Information Security that deals specifically with protecting digital systems, personal devices, networks, and data from cyber threats like hacking, malware, and phishing attacks. Both are essential, but without a robust information security strategy, cyber security efforts will always fall short.

At Pera-Prometheus, security consultants who work with organisations state that customers fall into three broad categories:

  1. Organisations that implement and follow Security Management Frameworks (SMFs) due to contractual or legislative demands. These businesses often see compliance as a necessity rather than a strategic priority.
  2. Businesses that adopt an SMF after experiencing a security incident. They have learned the hard way and now understand the importance of security.
  3. Organisations that are aware of Information and Cyber Security and want to take proactive measures to defend themselves.

The third group is the one that achieves long-term success. Why? Because security is not just a certificate. It’s a culture, a mindset, and a business enabler.

Roles and Responsibilities in Information & Cyber Security

For an organisation to achieve optimal Information and Cyber Security, it must be well understood and endorsed at senior board level. Without leadership buy-in, it is highly unlikely that organisational culture will change. Roles and responsibilities start with Senior Management; however, security is everyone’s responsibility. As a minimum, organisations should have designated roles to ensure checks and balances. Some of these are:

  • Governance & Compliance: Often a Security Officer or Compliance Manager ensuring legal and regulatory adherence.
  • Technical Security: IT and Cyber Security teams managing firewalls, endpoint security, and network defence.
  • Incident Response & Risk Management: Teams responsible for handling security breaches and identifying vulnerabilities.
  • End-User Responsibility: This is the most critical part. Even the best security framework will fail if employees don’t follow the security procedures.

End users are the first line of defence and, unfortunately, often the weakest link. This is why conducting security awareness training is essential.

The Need for Awareness Training

Many organisations mistakenly believe that security training is a one-time activity, but security threats evolve constantly, requiring continuous education and reinforcement. A robust security awareness programme should be ongoing, engaging, iterative and adapted to real-world risks. Below are some of the reasons that awareness training is needed.

  • Human Error is the Biggest Threat – The majority of security breaches occur due to human mistakes, such as weak passwords, phishing scams, mishandling sensitive data or social engineering.
  • Threats are Constantly Evolving – Attackers continually adapt their techniques, making it essential for businesses to keep their employees informed about the latest threats.
  • Regulatory and Compliance Requirements – Many industries have legal obligations to ensure staff are adequately trained in cyber security best practices.
  • Embedding a Security Culture – Training should not be seen as a compliance exercise but rather a way to integrate security into the organisation’s everyday operations and mindset.

Key Aspects of an Effective Awareness Training Programme

The National Cyber Security Centre (NCSC) has provided guidance on staff awareness and training. NCSC states that, to be effective, any security awareness and training programme needs to be tailored to the organisation and form part of creating a positive security culture. Some of the key aspects are:

  1. Regular and Interactive Training. A one-off training session is ineffective. Instead, training should be frequent, engaging, and scenario-based, allowing employees to relate to real-world risks.
  2. Role-Specific Training. Different roles face different risks. Executives, IT teams, and general staff all require tailored security awareness education.
  3. Simulated Attacks. Phishing simulations and mock attacks help employees recognise and respond appropriately to security threats.
  4. Accessible Learning Formats. Training should be available in multiple formats, including briefings, online courses, hands-on workshops, and interactive presentations, to accommodate different learning styles.
  5. Performance Tracking & Continuous Improvement. Organisations should measure the effectiveness of their training efforts through quizzes, assessments, and security audits to identify areas for improvement.
  6. Effective Communication in Security Awareness. Clear and consistent communication is key to a successful cyber security awareness programme. Security policies alone are not enough. Employees must be well-informed, engaged, and aware of their role in maintaining security.

Fostering a security-aware culture creates an environment where employees take ownership of security, not because they must but because they understand the value of their information, both to themselves and to their stakeholders.

Types of Awareness and Training Programmes

The effectiveness of training and awareness programmes depends on an organisation’s size, resources, location and many other variables. Since every organisation has unique needs, security training should be customised accordingly. Training should be ongoing and reinforced with annual refreshers and continuous learning through short, digestible updates. Some effective training methods include:

  • Briefings & Presentations.  Ideal for leadership buy-in and high-level awareness.
  • Online Courses.  Flexible, scalable, and accessible for employees at all levels.
  • Simulated Phishing Campaigns.  Test employee resilience against real-world threats.
  • Hands-on Workshops.  Engaging activities such as password security training or social engineering awareness.

Legislative Compliance in the UK

The question then arises: “Is awareness and training required by law?” In short, no, but there are several legislative and regulatory frameworks that UK organisations must adhere to in order to become and remain compliant. Legislation and guidance change to adapt to emerging technology and the associated threats, which is why awareness and training are critical to staying up to date. Some of the key legislation and frameworks surrounding Information and Cyber Security are:

  • The Network and Information Systems (NIS) Regulations.  Applies to operators of essential services and key digital service providers.
  • Cyber Essentials & ISO 27001.  While not legally mandated, these frameworks are widely recognised as industry best practices for security.

Failure to comply with these laws can lead to substantial fines and reputational damage. However, compliance should not be seen as a burden; it should be viewed as an opportunity to strengthen business resilience.

Final Thoughts: Embedding Security as a Business Enabler

Businesses that succeed in security implement security frameworks because they understand the value of protecting their people, their information and their reputation.

If regular security awareness and training is adopted as a proactive strategy rather than a reactive compliance measure, businesses will be far more resilient against evolving threats.

At Pera-Prometheus, our goal is to help businesses implement the right level of policies, processes and procedures, tailored to their individual needs, so that they come to embrace security as a culture and not just a certificate.
