January 22, 2021
Director of Marketing at Living Security
A multi-million dollar ransom. A bitcoin scam hijacking the world's biggest social media accounts. A healthcare network brought to a standstill. These 2020 headlines weren't just a nightmare; they came with massive financial and reputational costs. The common thread wasn't a zero-day exploit, but a much older vulnerability: human behavior. Attackers proved that manipulating an employee is often the most direct path to a company's crown jewels. This forced a hard look at 2020's security awareness training programs. Are they truly focused on preventing hacks, or just checking a box?
The COVID-19 pandemic created a playground for bad actors to capitalize on vulnerabilities, particularly by preying on unsure work-from-home employees and the newly exposed security gaps that came with a sudden shift to remote operations.
Hackers' game of choice on the coronavirus jungle gym? Targeted social engineering schemes. But while some companies fell for the employee-focused scams, their lessons serve as a blessing for others, empowering us to learn from their mistakes.
Let's take a look at three big hacks in 2020 and discover how the cyber bullies played dirty. With an understanding of how they did it and the right resources for your team, we've got the secret to strengthening your security in 2021.
To build a stronger security posture, we first have to get honest about where the real vulnerability lies. It’s not just about firewalls or endpoint detection anymore. The most sophisticated attacks often bypass technology entirely and target the one element that can’t be patched with a software update: your people. This is the core of human risk. According to Proofpoint, "Human error is the main reason cyber-attacks succeed. Even the best technology can't stop an employee from clicking a bad link." This reality shifts the focus from a purely technical defense to a more holistic strategy that understands and manages the human element as a critical part of your security infrastructure.
Managing this risk isn't about assigning blame; it's about gaining visibility into behaviors and predicting where the next incident is likely to occur. Traditional approaches often stop at awareness, but a true Human Risk Management strategy goes further. It involves analyzing real-world signals to understand risk trajectories and acting on them before they lead to a breach. By identifying the patterns and precursors to risky behavior, security teams can move from a reactive stance of "detect and respond" to a proactive model of "predict and prevent," effectively neutralizing threats before they materialize and turning a potential liability into a strong line of defense.
Human error isn’t a fringe issue; it's the central battlefield for cybersecurity. When an employee clicks a malicious link, reuses a compromised password, or falls for a convincing phishing scam, they are not just making a simple mistake. They are inadvertently opening a door for attackers to walk right into your network. This is why even organizations with massive security budgets and cutting-edge tools still experience breaches. The technical defenses are necessary, but they are incomplete without addressing the human factor. The challenge for security leaders is to quantify this risk and implement programs that do more than just check a compliance box—they need to measurably reduce risky behaviors across the enterprise.
Attackers are masters of manipulation, and they know that exploiting human psychology is often easier than breaking through complex code. The data backs this up decisively, with research from Proofpoint showing that a staggering "98% of all cyber-attacks use social engineering." This means nearly every threat your organization faces has a human component designed to trick, persuade, or intimidate an employee into taking an action that compromises security. These aren't just generic spam emails anymore; they are highly targeted, sophisticated campaigns that prey on trust and urgency. Effectively countering this requires more than just occasional training; it demands a continuous, data-driven approach to building resilience.
When a security incident occurs, the consequences extend far beyond the IT department. The financial fallout can be immense, impacting everything from regulatory fines and legal fees to reputational damage and loss of customer trust. According to 2023 data from Elevity IT, "the average cost of a data breach worldwide was $4.35 million," a figure that jumps to an eye-watering "$9.44 million" for breaches in the United States. These numbers provide a clear, board-ready justification for investing in proactive security measures. Every dollar spent on preventing an incident is a fraction of the cost of cleaning one up, making a strong human risk program one of the highest-ROI investments a company can make.
Drilling down into specific attack types reveals an even more alarming financial picture. These are not abstract threats; they are direct hits to the bottom line. For instance, Proofpoint reports that vishing, or voice phishing scams, cost companies an average of "$14 million each year." Even more devastating is the long-term impact of business email compromise (BEC), which has drained "over $55 billion" from businesses over the last decade. These figures underscore the urgent need for solutions that can predict and prevent these attacks. By identifying at-risk individuals and autonomously delivering targeted interventions, organizations can stop these financially crippling incidents before they ever happen.
Sport and fitness tech brand Garmin found themselves in hot water over the summer of 2020 when customers were locked out of their applications and tools by a hard-hitting hack. With their website down and an influx of confused users, Garmin quickly discovered they were in the midst of a ransomware attack. The company would have to pay a hefty $10 million ransom to regain control of their website, app, and seized files.
After a month of downtime while Garmin noodled on a solution, the GPS company was backed into a corner. Despite the possibility of penalties, Garmin allegedly rallied financial support from another firm to pay the full ransom.
While they got their access back after paying the fee, Garmin is still trying to understand what information could have been compromised during their system lockdown, despite complying with the bad guys' demands.
This ransomware attack limited Garmin's service offerings for weeks, causing immediate repercussions with current customers and unpredictable damage to the tech brand's reputation and future success.
The reality is, ransomware compromises usually start with a social engineering attack. Hackers often phish employees to gain access to juicy information that could help them breach secure systems. That's because big-name brands usually have top-notch technical security measures, which are hard for cybercriminals to crack. Social engineers know that with the right pretext they can squeeze important information out of employees, who give them the insights they need to crack passwords or find backdoors in systems, so they can sneak in unnoticed instead of breaking down digital defenses.
All of this may have been avoided had Garmin empowered their employees with the right cybersecurity awareness training. With the right insights on what to watch out for, their team could become one of their greatest security assets, instead of a brand’s weakness.
In mid-July 2020, many prominent account holders on Twitter simultaneously tweeted unusual Bitcoin-related statuses. From political figureheads like former U.S. President Barack Obama and then Democratic presidential candidate Joe Biden to notable celebrities and large corporations like Apple and Uber, 130 high-profile Twitter accounts posted about a Bitcoin scam.
The tweets promised followers that if they clicked a link and sent a Bitcoin donation, the generous account holder would double the contribution back. Wait, if I give you $1,000, you’ll send me $2,000 back? How could you say no?
Hundreds fell for the scam and sent their money to the hackers' shared account, but, as you may have guessed, no money was returned as promised. Once word of this mass compromise spread, many account holders were able to take down the fake posts within minutes, but dozens of users had already fallen for the ruse. Luckily, blacklisting the links stopped over 1,000 transactions, totaling over $280,000, from being sent, but enough damage was already done.
Twitter itself revealed that this flashy attack was the result of a mass social engineering exploit, targeting employees who had high permissions to sensitive internal tools and information. While specific details of the attack weren't revealed, it's likely that employees were either tricked into sharing important information that gave the attackers a way in, or Twitter employees accidentally downloaded malware.
Twitter’s high-access employees may not have fallen for either had they been involved in deep cybersecurity awareness training. Armed with examples of phishing schemes or a better understanding of the tactics hackers use to manipulate employees, their team may not have been fooled by these hackers’ tricks.
Towards the tail end of September 2020, hospital and healthcare companies using Universal Health Services (UHS) software ran into some real problems. Workers at more than 250 hospitals across North America were booted out of their important logins and blocked from getting back in, according to BusinessInsider. To boot, phone lines were compromised and healthcare professionals were left without crucial documentation and communication tools to do their jobs.
All systems were quickly disconnected to prevent further breaches. Staff documented what they could by pen and paper, but most software-reliant operations ground to a complete halt. At the affected sites, surgeries were postponed and ambulances diverted to other facilities. Chaos ensued for days.
The compromise was confirmed to be a ransomware attack, like the Garmin breach above, where the bad guy locks access to important files until the victim pays a high-dollar ransom. Ransomware attacks on electronic health record (EHR) systems average an alarming 15 days of downtime, and UHS was no exception, not getting full functionality back until Oct 12th. While no patient data was compromised in the attack, the disruption was undeniable.
While it was not confirmed how exactly the breach began and the investigation is still ongoing, ransomware attacks are often the result of social engineering scams. In the case of UHS, this Fortune 500 hospital and healthcare services provider had a 400+ facility network, where a goldmine of data was housed. Luckily, it doesn't appear that hackers were able to access patient information before they were booted out, but the possibility was too close for comfort.
By requiring cybersecurity awareness training for all UHS staff and users of the interface, they could have drastically lowered their chances of falling for a phishing scheme or clever ruse that helped hackers gain the permissions they needed for a system breach.
Some companies avoid training programs like COVID because they’ve watched it fail time and time again.
But what if we told you that we’ve cracked the code and know how to get your team invested in cybersecurity awareness training once and for all?
There are new trends for empowering and exciting your team about your security initiative, and we’ve got them packaged with a bow in our 7 Essential Trends Of Human Risk Management for 2021 guide. Give it a read for free, today.
An effective program recognizes that cyber threats are much more than just suspicious emails. While phishing is a common entry point, a truly resilient workforce must be prepared for a wider range of risks. This includes sophisticated social engineering tactics, malware threats, unsafe data handling practices, and identity-related risks like credential stuffing. A modern approach to Human Risk Management moves beyond a singular focus on phishing to build a comprehensive defense. It treats security training as a continuous program, not a one-time event, ensuring that the content evolves alongside the threat landscape to keep your team prepared for what attackers will try next.
Your people are a critical line of defense, but they are just one part of a complete security posture. A strong defensive strategy is built in layers, with each one reinforcing the others. Think of it as having four key components: the Human Layer (your trained and aware employees), the Policy Layer (clear and enforceable security guidelines), the Technology Layer (your security software and hardware), and the Infrastructure Layer (your secure network architecture). When you invest in strengthening the human layer, you make every other layer more effective. A security-aware employee is less likely to click a malicious link that bypasses your tech filters or violate a policy that protects sensitive data.
Let’s be honest, no one gets excited about mandatory, boring training modules. The days of long lectures and simple check-the-box quizzes are over. To truly change behavior, training must be engaging, relevant, and continuous. This means using a mix of formats like interactive videos, gamified challenges, and personalized learning paths that speak directly to an employee's specific role and risk profile. The goal is to make security a habit, not a task. By delivering timely, bite-sized content and positive reinforcement, you can build a culture where security is a shared responsibility that everyone feels invested in protecting.
A security awareness program can’t succeed in a vacuum. For a security-first culture to truly take root, it needs visible and active support from company leaders. When executives participate in training, talk about the importance of security in company-wide meetings, and lead by example, it sends a powerful message to the entire organization. This top-down reinforcement demonstrates that security is a core business priority, not just an IT issue. Leadership buy-in encourages employees at all levels to take the initiative seriously, fostering a collective commitment to protecting the company’s assets and reputation from cyber threats.
Moving from a reactive security posture to a proactive one requires a fundamental shift in how we view the human element. Instead of seeing employees as the weakest link, a modern Human Risk Management program treats them as a defensible layer that can be strengthened over time. The data supports this approach, showing that consistent, high-quality training doesn't just raise awareness; it measurably reduces risk. By focusing on behavior change and providing employees with the tools they need to identify and report threats, organizations can see a significant and quantifiable reduction in security incidents, turning a potential liability into a powerful asset.
The results of a well-executed training program are clear and compelling. Organizations that implement frequent training combined with regular phishing simulations see dramatic improvements in their security posture. For instance, some studies show a 96% improvement in how effectively people can identify and avoid phishing attempts. This isn't just about making people feel more secure; it's about generating board-ready metrics that demonstrate a tangible return on investment. By tracking progress and quantifying the reduction in risky behaviors, you can prove that your security awareness and training program is directly contributing to a stronger, more resilient defense against real-world attacks.
A single training session won't create lasting change, but a sustained program can fundamentally alter an organization's risk profile. Consistent training has been shown to reduce the number of malicious links employees click by up to 40%, with some reports indicating that overall security risks can be cut by as much as 80%. This is because effective programs build security "muscle memory," making safe practices second nature. Over time, employees become more adept at spotting red flags and more confident in reporting potential threats. This gradual, steady improvement in human resilience is the cornerstone of a mature security strategy that gets stronger every day.
In addition to strengthening your defenses, a formal security awareness program is a critical component of meeting regulatory and industry requirements. For many organizations, it’s not just a good idea; it’s the law. Demonstrating that you are actively training your employees on security best practices is essential for avoiding costly fines, preventing damaging data breaches, and maintaining the trust of your customers and partners. A well-documented training program serves as crucial evidence that your organization is taking its security and data protection obligations seriously, providing a clear line of defense during audits and regulatory inquiries.
Many data protection laws, such as GDPR in Europe and HIPAA in the healthcare sector, explicitly require organizations to implement ongoing security awareness training for their employees. Failure to comply can result in severe financial penalties and significant reputational damage. An effective training program helps ensure your company meets these legal obligations by educating your team on the proper handling of sensitive information, from personal data to protected health information. This not only helps you avoid violations but also builds a culture of compliance where every employee understands their role in safeguarding data and upholding privacy standards.
Beyond broad regulations, many industries have their own specific security mandates. As seen in the case of the Universal Health Services (UHS) ransomware attack, the healthcare sector has stringent requirements for protecting patient data. A single phishing email can lead to system-wide disruptions, impacting patient care and violating industry standards. By implementing mandatory and robust cybersecurity awareness training for all staff, organizations in critical sectors like healthcare, finance, and energy can drastically lower their vulnerability to attacks. This tailored training ensures that employees are prepared for the specific threats they are most likely to face in their roles.
The most successful security programs are not built from scratch. They are constructed on a foundation of proven methodologies and expert insights from leaders in the cybersecurity field. By leveraging established frameworks and learning from the tactics of real-world attackers, you can create a program that is both strategic and practical. This approach ensures your training is aligned with industry best practices and focused on what truly matters: producing measurable reductions in human risk. An expert-led strategy moves beyond simple awareness to instill the critical thinking skills your team needs to defend against sophisticated and evolving threats.
Leading organizations like the SANS Institute have developed maturity models to help companies assess and advance their security awareness programs. These models provide a clear roadmap for moving from a basic, compliance-focused approach to a mature, risk-based strategy. The ultimate goal, as SANS emphasizes, is to translate security awareness into tangible, measurable reductions in human risk. By aligning your program with an industry-recognized maturity model, you can benchmark your progress, identify areas for improvement, and build a sustainable culture of security that delivers quantifiable results and demonstrates a commitment to excellence in your security operations.
To effectively defend against an adversary, you need to understand how they think and operate. That’s why the most effective training programs incorporate insights from ethical hackers and social engineering experts, like the legendary Kevin Mitnick. Learning from those who have mastered the art of deception provides invaluable lessons for building strong defenses. Training that is grounded in real-world attacker methodologies teaches employees to recognize the psychological manipulation and clever tactics used in social engineering schemes. This approach arms your team not just with knowledge, but with a healthy sense of skepticism and the critical skills needed to identify and thwart attacks before they succeed.
Isn't annual security training enough to meet compliance requirements?
Meeting compliance is the baseline, not the goal. While annual training might check a box for an audit, the cyber threats discussed in the post don't operate on a yearly schedule. Effective security relies on building a resilient culture, which requires continuous reinforcement. A one-and-done approach doesn't account for the evolving tactics of attackers or the simple fact that people forget things. A truly secure organization moves beyond compliance and focuses on measurably reducing its human risk through ongoing engagement.

My team is full of smart, tech-savvy people. Do they really need this kind of training?
Absolutely. Social engineering attacks are not designed to exploit a lack of intelligence; they are designed to exploit human nature. Attackers use urgency, authority, and trust to manipulate even the most careful individuals. The Twitter hack is a perfect example of how attackers targeted employees with privileged access, not just any user. The goal of modern training isn't to make people smarter, but to equip them with the specific skills to recognize and resist these psychological tactics.

How can I justify the cost of a more advanced program to my leadership?
The most effective way is to frame it as an investment in risk prevention rather than an expense. You can point to the concrete financial consequences of a breach, like the multi-million dollar figures mentioned for ransomware and business email compromise. A proactive Human Risk Management program provides measurable data showing a reduction in risky behaviors. This allows you to demonstrate a clear return on investment by showing how you are actively preventing incidents that could cost the company millions in damages, fines, and lost reputation.

We already run phishing simulations. Why isn't that sufficient?
Phishing simulations are a great tool, but they only address one piece of the puzzle. As the post highlights, human risk extends to malware, improper data handling, credential reuse, and other behaviors that simulations alone don't cover. A comprehensive strategy looks at the full spectrum of potential risks. It uses data to understand where vulnerabilities lie across the entire organization and provides targeted, role-specific guidance to strengthen your defenses against all types of threats, not just suspicious emails.

The attacks in this post are from a few years ago. Are the same methods still a threat?
The specific headlines may change, but the underlying attack vector, exploiting human behavior, is timeless. The social engineering tactics used in the Garmin, Twitter, and UHS incidents are still the foundation of most cyberattacks today. Attackers are constantly refining their methods, but the core principles of manipulation remain the same. This is why building a strong, security-aware culture is a sustainable defense that remains effective year after year, regardless of the latest threat.