Security awareness training, also referred to as security training, is a requirement across some of the major IT compliance frameworks. Completing security awareness training may be the only time a non-IT user is reminded of IT threats and what they can do to keep themselves and their place of work safe from bad actors. Since humans can be the first line of defense, it’s critical to continue reminding users within an organization about changes in the threat landscape. This blog will walk through the importance of training, especially in the world of artificial intelligence (AI), and consider who should be involved in training, the frequency of training, and the consequences of users not completing training, which can include missing evidence.
Security Training Topics that Need Modernization
The topics below represent two common entry points for attackers, and both look different than they did even a few years ago.
Phishing
Security awareness training should be built around the risks and experiences that users are more likely to encounter during day-to-day operations. Phishing usually sits at the top. The training should include example phishing emails, which are becoming incredibly convincing because of AI. No longer do we have the grammar issues, inconsistent fonts, and stories (remember the emails we all received from a Nigerian prince asking for money?) that we’ve come to expect. Current-day phishing emails are elegant, accurate, and unfortunately, incredibly convincing.
Remote Access
Since 2020, the workplace looks different, and the security training needs to reflect that. Users are accessing their company’s networks remotely, and with that come risks. Current-day training needs to include the importance of using a virtual private network (VPN) and the risks of using public WiFi without a VPN. An attacker on the same public Wi-Fi can see what your machine is querying and can use that information to develop a phishing page or SMS text customized to your location. I would also include the importance of privacy screens when working outside your home and office. I, for one, have seen too many screens with company-specific information when sitting next to someone on an airplane.

Expanding the Training to Include AI
AI has become a threat and a tool, and both elements need to be addressed in the security awareness training. Organizations should define AI and show the location of the organization’s AI policy. Make sure that users know how to reference the policy at a later point in time.
An AI policy and the security training should include:
- The tools that are approved for use
- The data that can and cannot be entered into an AI tool. How is customer data, source code, and PII supposed to be handled when using AI tools? Explicit safeguards are required to inform users what data is restricted from being submitted into AI tools.
- The consequences for stepping outside procedural guardrails. Consequences can impact employment status and company reputation if internal information is disclosed outside of the organization.
- The importance of using company-managed, licensed AI tools rather than free versions.
- This bullet point is especially important to emphasize because free versions of large language models (LLMs) use submitted data to further train their models, meaning anything entered, including proprietary information, could resurface elsewhere. This is a risk for a business because internal information ends up outside the organization’s control. The most likely source of this occurring is with developers if they are submitting source code into an unlicensed AI tool.
Who Is Required to Complete Security Awareness Training?
Deciding who should be included in security awareness training should be based on a risk assessment of the organization. Cost can come into question as training may be a pay-per-license. While it is a valid concern to take cost into question, every person with access to systems or client data should be considered. This includes full-time and part-time employees, contractors, and any third parties that may have system access. The risk is not limited to people with the highest level of access. Anyone with a company email address can be targeted by a phishing campaign, and a single successful attack on a low-access account can still be an entry point into the environment.
How Often Should You Do Security Awareness Training?
Frequency is another decision left to the company’s own risk tolerance. Some companies run monthly campaigns that rotate through different topics, while others run an annual training that covers multiple topics at once. Both approaches can satisfy audit requirements if the frequency is documented and consistently followed.
Consequences of Not Completing Trainings
Facilitating security awareness trainings have many benefits; there are a variety of consequences for not completing them…or not completing them properly.
When trainings scope out users, there is a risk of those users being uninformed of day-to-day risks that can put the environment at risk. When users are unaware of the current threats in the industry, it is irresponsible to assume they will know how to handle the threats when encountered.
If security awareness training includes all users but there’s no evidence, such as logs, to support that completion, the control can still result in a deficiency. We’ve seen companies migrate to a new security awareness training tool in the middle of the audit period, have no evidence of who performed the training under the previous tool, and did not require the users to re-complete the training under the new tool. This series of events may also result in a deficiency if one of these users is part of the audit sample.

Audit Compliance for Security Awareness Training
Trainings are relevant to many types of audits: SOC 2 (CC1.4), ISO 27001 (Annex A 6.3), PCI (Req. 12.6), HIPAA (§164.308(a)(5)), and even the EU AI Act Article 4 AI literacy requirement. While the intent and outcome of the training are critical, it is a good idea that your training has audit trails for testing the operating effectiveness of relevant controls. Your auditor will want to know how your security awareness training controls are designed and what the frequency is with which it is occurring.
The frequency will determine how many samples of training the auditors will select. Curricula will need to be inspected by the auditors to determine the topics that are covered and to assess their relevancy. For the sampled users that are in scope for the training, the auditors will inspect evidence of them completing the training. This can be in the form of a certificate or, if using a security tool platform, a report that generates the “date completed”. Auditors will also look at the timeliness of when the users completed the training.
Security training should occur for new hires and existing employees. These trainings can be the same training or may be unique elements. Regardless, tracking the completion of training should follow the same process.
Building a Security Awareness Program That Holds Up to Scrutiny
The security awareness training is a cyclical exercise, and as AI continues to expand, training programs need to evolve alongside it. Building a program that covers the fundamentals, expands into AI-specific risks, includes the right scope of users, and is tracked in a way that holds up to audit scrutiny will put an organization in a strong position, both operationally and from a compliance standpoint.
If you have questions about your security awareness training program controls, or if you are interested in pursuing a SOC 2 audit, ISO, HIPAA audit, or PCI engagement, feel free to reach out to Linford&Co.
