Monday morning, 8:34 AM: An email from “IT Support” lands in the accounting inbox with the subject “Important System Update.” Five minutes later, the entire ERP system is encrypted. What sounds like a rare incident happens more often than you think – especially in small and medium-sized enterprises (SMEs), where time is tight and trust is high.
One single click – and the entire company network comes to a halt. Whether through a deceptively real phishing email, an infected website, or a stolen password: the most common cause of IT security incidents in SMEs is not a technical vulnerability, but human behaviour. That’s exactly why Security Awareness Training isn’t a nice-to-have – it’s a must.
Security awareness is a team effort – with responsibility at the top
Technology matters – but without risk awareness, it’s ineffective. If only the IT team understands defence measures, that’s not enough. A sustainable cybersecurity strategy for SMEs requires informed employees – and leaders who lead by example.
What does an effective security awareness program include?
Well-designed awareness training for employees teaches:
- Identifying threats such as phishing, social engineering, and fake apps
- Safe behaviour in everyday work: password management, handling of devices and data
- Emergency response skills: What to do after clicking a malicious link or when data loss is suspected
Organising awareness training: How to do it right
Mandatory or voluntary?
Awareness training should be a fixed part of onboarding and ongoing learning. Being transparent about the purpose increases acceptance: it’s about protection – for both the organisation and its people.
How often?
At least annually, but ideally with small quarterly refreshers: micro-trainings, mini-quizzes, phishing simulations, and IT security tips via the intranet. This keeps security top of mind.
Which formats?
- Live workshops/webinars (e.g. recognising phishing, analysing real cases)
- E-learning modules & videos (flexible, great for repetition)
- A combination of both (blended learning)
- Reference materials and guides (e.g. internal wiki, emergency plan)
Strengthening awareness in everyday work:
Awareness can be easily integrated into daily routines: for example, share a “phishing email of the week” in the team chat to analyse together. Show short 60-second videos during coffee breaks that explain common security risks. Create mini quizzes with a playful element – maybe even with small prizes. Also important is a culture that treats reporting as helpful, not shameful. That’s how you build an environment where awareness can thrive.
Remote or on-site?
Both work – what matters is that the format fits your team. Hybrid setups offer maximum flexibility, especially for decentralised organisations.
Emergency protocols – also for non-tech staff
All employees should know what to do during an IT incident: Who is the first point of contact? What steps need to be taken? A simple, clearly worded emergency plan – visible and regularly rehearsed – can be crucial in an emergency.
Tip: Simulate an incident and discuss as a team how to respond – without blame.
Who’s responsible for the awareness program?
A good awareness program doesn’t require huge resources – but it does need structure. Whether it’s led by IT, HR or supported externally: the key is to embed cybersecurity in the company culture – with clear responsibilities.
Cybersecurity starts with people – not software
If your team knows how to recognise risks and respond confidently, you’re already ahead. Information security in a business depends on knowledge, consistency and the willingness to act.
Implemented properly, awareness not only reduces risk – it builds trust, minimises downtime, and strengthens your organisation’s professionalism.
The first step? Just get started – with clear communication, the right formats, and a healthy dose of practicality. And if you need support, we’re happy to help. Just get in touch and let’s talk about what works best for your team.