GSA-01
Understand why every employee is a security target, how attackers operate, and how your daily actions map to the NIST CSF 2.0 and SOC 2 compliance requirements.
General Security Awareness Training
Estimated Time: 10 minutes
By the end of this module, you will be able to:
Let's start with an uncomfortable truth: attackers don't hack servers first. They hack people.
In 2025, 68% of all confirmed data breaches involved a human element. Someone clicked a link they shouldn't have, reused a password, accidentally shared a file with the wrong person, or simply didn't recognize that the "urgent email from the CEO" was a fake. In breach after breach, the root cause wasn't a failure of firewalls or encryption. It was a moment of inattention from a normal person doing their normal job.
Here's another number worth sitting with: when researchers tested phishing simulations on real employees, the median time from receiving a phishing email to clicking the malicious link was 21 seconds. Not 21 minutes. Twenty-one seconds. And the median time to enter credentials on the fake page after clicking? Seven more seconds. That's 28 seconds from "new email" to compromised account.
This isn't because people are careless or unintelligent. It's because these attacks are specifically engineered to exploit how humans process information under time pressure. Attackers study human psychology the way a lockpick studies locks. This course teaches you to see what they see so you can stop being the easiest way in.
Security incidents aren't abstract. They have price tags, and those price tags can be existential, especially for companies our size.
The global average cost of a data breach in 2025 was $4.44 million. That number includes forensic investigation, legal fees, regulatory fines, customer notification, credit monitoring for affected individuals and the silent killer: lost business from customers who no longer trust you with their data.
For companies with fewer than 500 employees, the average breach cost was $3.31 million. That's lower than the global average but devastating relative to revenue. Research consistently shows that roughly 60% of small businesses that suffer a major cyberattack close their doors within six months. Not because the attack itself was catastrophic, but because the combination of remediation costs, lost customer confidence and operational disruption becomes unsurvivable.
Your company's customers trust you with their data. That trust is the foundation of every contract, every renewal, every expansion deal. A breach doesn't just cost money. It costs the relationships that make the business viable.
To protect yourself and your company, it helps to understand how the other side operates. Attackers don't randomly scan the internet hoping to get lucky. (Well, some do, but the dangerous ones don't.) They follow a process, and understanding that process is your first line of defense.
Step 1: Reconnaissance. Before an attacker sends a single email, they research the target. They look at your company's website, LinkedIn profiles, job postings (which reveal what technologies you use), social media, press releases and even your employees' public posts. A job listing that says "Must have experience with Salesforce, AWS, and Jira" just told an attacker three systems they can impersonate in a phishing email. A LinkedIn post celebrating a new VP of Engineering just told them who to impersonate or target.
Step 2: Initial Access. Armed with that research, attackers craft their approach. The three most common entry points in 2025 were:
Notice something? Two of the top three attack vectors target people, not technology. That's not a coincidence. It's a strategy. People are more complex than software, but they're also more predictable in certain ways. And unlike a firewall, you can't patch a human with a software update. You have to train them.
Step 3: Lateral Movement. Once inside, attackers rarely stop at the first account they compromise. They explore, looking for higher-privilege accounts, sensitive data stores and paths to their actual objective. The marketing coordinator's email account might not seem valuable, but if it gives the attacker access to internal chat, org charts and shared drives, it becomes a launchpad for everything else.
Step 4: Objective. What attackers want varies. Some want data to sell. Some want to deploy ransomware and demand payment. Some want to lurk silently and steal intellectual property over months. But virtually all of them entered through a human being who didn't realize what was happening.
The average time from initial breach to detection in 2025 was 181 days. That's six months of an attacker inside your systems before anyone noticed. The additional time to contain the breach averaged another 60 days. Eight months, start to finish.
Every module in this course addresses a specific stage of this playbook. Social engineering and phishing target Steps 1 and 2. Access control and authentication make Step 3 harder. Incident reporting shortens that 181-day detection window. You're not just checking a compliance box. You're learning how to make an attacker's job significantly harder at every stage.
Your company's security program isn't ad hoc. It's built on a framework developed by the National Institute of Standards and Technology (NIST), the U.S. government agency responsible for technology standards. The NIST Cybersecurity Framework 2.0, released in February 2024 and now used by organizations worldwide, organizes cybersecurity into six core functions:
Govern: Establish and maintain your organization's cybersecurity strategy, expectations and policies. This is the "who's responsible and what are the rules" function. It's new in CSF 2.0 and reflects a critical insight: cybersecurity isn't just an IT problem. It requires leadership, clear roles and organizational commitment.
Identify: Understand your environment. What systems do you have? What data do they hold? What are the risks? You can't protect what you don't know about.
Protect: Put safeguards in place. This includes access controls, encryption, security training (that's this course) and data protection measures.
Detect: Monitor for suspicious activity. The faster you detect an intrusion, the less damage it causes. Remember that 181-day detection average? Organizations that detect breaches quickly through their own internal teams, rather than learning about them from an attacker's ransom note, spend significantly less on remediation.
Respond: When something goes wrong, act fast. Have a plan. Know who to call. Contain the damage. Communicate clearly.
Recover: Get back to normal operations. Restore systems, learn from what happened and improve defenses so it doesn't happen again.
These six functions aren't sequential steps. They operate continuously and in parallel. Your company is always identifying new risks, always protecting systems, always monitoring for threats. Think of them as six lenses through which every security decision gets evaluated.
You don't need to memorize these functions or become a NIST expert. But understanding this mental model helps you see where your daily actions fit into the bigger picture. When you report a suspicious email, you're contributing to Detect. When you use your password manager, you're contributing to Protect. When you follow the data handling policy, you're supporting Govern. Security isn't something that happens in a server room. It happens at your desk, in your inbox and on your phone.
You've probably heard the term "SOC 2" around the office. Here's what it actually means and why it directly involves you.
SOC 2 (Service Organization Control 2) is a security auditing framework developed by the American Institute of Certified Public Accountants (AICPA). It's not a law. Nobody goes to jail for not having SOC 2. But in practice, it's become table stakes for any SaaS company that handles customer data. Your customers, and your customers' customers, want assurance that their data is protected. A SOC 2 report provides that assurance through independent, third-party verification.
A SOC 2 audit evaluates your company against five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality and Privacy.
Security is the baseline. It's included in every SOC 2 audit. The other four are included when relevant to your company's commitments.
Within the SOC 2 framework, Common Criteria 2.2 (CC 2.2) specifically requires that your organization "communicate information to improve security knowledge and awareness and to model appropriate security behaviors to personnel through a security awareness training program."
That's this course.
CC 2.2 doesn't just mean "have some training available." Auditors look for specific evidence:
When you complete this course and its quizzes, you're generating exactly the evidence your auditor needs. This isn't busywork. It's documentation that protects the company's ability to serve its customers and close new business. Many enterprise customers won't sign a contract without seeing a current SOC 2 report, and that report can't exist without evidence that training like this was completed.
One of the most important concepts in modern security is shared responsibility. Security isn't one team's job. It's distributed across everyone who touches the organization's systems, data and processes.
Here's how that breaks down in practice:
The security/IT team is responsible for building and maintaining the infrastructure: firewalls, intrusion detection, endpoint protection, access management systems, incident response procedures and the overall security architecture. They create the guardrails.
Leadership is responsible for setting the tone, funding security initiatives, establishing policies and making security a genuine organizational priority rather than an afterthought. The new Govern function in NIST CSF 2.0 exists specifically because security requires top-down commitment.
Every employee is responsible for operating within those guardrails: following policies, recognizing threats, reporting suspicious activity, handling data correctly and making security-conscious decisions in their daily work. You are the last line of defense and often the first point of attack.
No security team, no matter how well-funded or talented, can protect an organization where employees routinely click phishing links, share passwords or paste sensitive data into unauthorized tools. The technical controls and the human behaviors have to work together. That's what shared responsibility means.
Over the next eight modules, you'll learn to think like an attacker. Not to become one, but to recognize their techniques before they work on you. Here's the roadmap:
Module 2: Social Engineering & Phishing. How attackers manipulate people, what modern phishing looks like in the age of AI, and how to detect and report it.
Module 3: Passwords & Authentication. How passwords actually get cracked, why password managers matter, and how multi-factor authentication works (including how attackers try to beat it).
Module 4: Data Classification & Handling. Not all data is created equal. Learn what types of data you handle, the rules for each, and how to avoid accidental exposure.
Module 5: Access Control & Least Privilege. Why you should only have the access you need, how permission creep creates risk, and what happens when offboarding goes wrong.
Module 6: Safe Browsing & Secure Work Habits. Malicious links, QR code attacks, public Wi-Fi risks, device security and the shadow IT problem.
Module 7: Vendor & Third-Party Risk. The apps and services you connect to your work accounts create supply chain risk. Learn to evaluate before you adopt.
Module 8: AI Tools & Security. AI assistants are powerful, but pasting the wrong data into the wrong tool can constitute a data breach. Learn the rules for safe AI use.
Module 9: Incident Reporting & Response. When something goes wrong, or might be going wrong, speed matters. Learn what to report, how to report it, and why a no-blame culture makes everyone safer.
Next up: Module 2, Social Engineering & Phishing, where we'll break down exactly how attackers manipulate human psychology and how AI is making those attacks dramatically more convincing.
Module Version: 1.0
Last Updated: March 2026
Framework References: NIST Cybersecurity Framework 2.0, SOC 2 Trust Services Criteria (CC 2.2)
Data Sources: IBM/Ponemon Cost of a Data Breach Report 2025, Verizon Data Breach Investigations Report 2025