Every year, Verizon publishes a Data Breach Investigations Report (DBIR). The Verizon DBIR is one of the most comprehensive reports illustrating REAL security incidents and breaches, not just hypothetical "this could happen" warnings. The 2025 Report - the 18th annual report! - was published on April 23, 2025 and, as usual, it's full of insightful information for both small business AND enterprise. To generate the report, the Verizon DBIR team analyzed 22,053 real-world security incidents, of which 12,195 were confirmed data breaches.
What is The Difference Between a Cybersecurity Incident and a Breach?
Incident: A security issue that affects how safe or available your information is - like something that disrupts access or puts data at risk. An incident affects the integrity, confidentiality, or availability of data.
Breach: A more serious type of incident where data actually gets into the wrong hands. For example, a cyberattack that slows down your systems (like a DDoS attack) is usually just an incident, because no data is stolen. But that doesn’t mean it’s not a big deal - it still needs attention.
Cybersecurity’s Silent Threat: Human Mistakes
Breaches involving some sort of human error continue to be at the top of the list with human involvement at 60%.
Most data breaches still involve people making mistakes. This usually happens when someone clicks a malicious link, shares a password, or visits a risky website. According to the 2025 Verizon Data Breach Investigations Report, 60% of breaches had some kind of human involvement.
Even as attackers become more automated, simple human actions are often what let them in.
Empowering Employees to Recognize and Resist Cyber Threats
That’s why regular cybersecurity awareness training is so important. It helps your team spot threats before they become disasters.
The bottom line? Your cybersecurity is only as strong as your people. Train them well.
At Ekaru, we try to give local businesses a fighting chance against cyber crime, and a structured cybersecurity awareness program is core to this. All of our cybersecurity recommendations are based on the NIST Cybersecurity Framework, with further clarification from the CIS Controls. You don't have to go this alone.
Cybersecurity awareness training falls under “Protect” in the NIST Framework. It’s about making sure everyone - from frontline staff to executives - is trained to spot threats and follow safe practices.
Here's what the NIST Cybersecurity Framework specifies for Training and Awareness:
- Awareness and Training (PR.AT): The organization’s personnel are provided with cybersecurity awareness and training so that they can perform their cybersecurity-related tasks
- PR.AT-01: Personnel are provided with awareness and training so that they possess the knowledge and skills to perform general tasks with cybersecurity risks in mind
- PR.AT-02: Individuals in specialized roles are provided with awareness and training so that they possess the knowledge and skills to perform relevant tasks with cybersecurity risks in mind.
Cybersecurity Regulations: Why Training Is No Longer Optional
Does your organization need to comply with HIPAA, CMMC, FTC Safeguards, or SEC regulations? They all have a foundation in the NIST Cybersecurity Framework. The more your employees know about cyber scams, the less likely they are to fall for them. The better your security awareness culture, the more likely someone will speak up if they suspect something is wrong.
Do you want to qualify for Cyber Insurance? You will not be approved without a cybersecurity awareness program.
Why Do Cyber Insurance Companies Require Cybersecurity Awareness Training?
Because people are often the biggest risk. Most cyberattacks - like phishing emails or scams - only succeed when someone clicks the wrong link or shares sensitive information by mistake.
Cyber insurance companies know this, so they require training to reduce the chances of a breach happening in the first place.
Just like a car insurance company wants you to wear a seatbelt, cyber insurers want your team to be prepared and alert. Awareness training helps your employees spot threats early and avoid costly mistakes, making your business safer and your insurance less risky.
🔐 What Makes a Great Cybersecurity Awareness Program?
A great cybersecurity awareness program goes WAY beyond checking a compliance box - it creates a culture of security where every employee is alert, informed, and empowered to protect the organization.
Here’s what sets the best programs apart:
- Relevant: Focuses on real-world threats employees actually face, like phishing, password hygiene, and social engineering.
- Ongoing: Not a once-a-year video - great programs offer regular, bite-sized training to keep awareness fresh.
- Engaging: Uses interactive content, quizzes, and even gamification to make learning stick.
- Measurable: Tracks participation and progress so you know it’s working - and where to improve.
- Customized: Tailored to your industry, risk level, and employee roles (not one-size-fits-all).
- Action-Oriented: Empowers employees with clear steps on what to do if they suspect something is wrong.
The best programs turn your people from your biggest risk into your first line of defense. Think of your team as your Human Firewall! ... and a shameless plug - Ekaru offers a great cybersecurity awareness platform. If you just need a training program and you already have an in-house IT team - connect with us to learn more.
Schedule a security assessment with us today to see how we can help you implement proven cybersecurity practices that keep your data protected and your business moving forward.
About the author:
Ann Westerheim, PhD is the Founder and President of Ekaru, a Technology Service Provider of cybersecurity and IT services for small and medium businesses in the greater Boston area. Ann is an accomplished technology innovator and leader with three engineering degrees from MIT. She has twenty years of high tech experience in research, advanced development, product development, and as an entrepreneur. Her career has spanned a vast range of technology endeavors including research in thin film semiconductors and superconductors, microprocessor fabrication, development of early Internet medical applications, and now focusing on the application of technology in business. She has an avid focus on the "last mile" of technology and decreasing the digital divide.