Cybersecurity is a team effort. Most people have heard the adage, “there’s no ‘I’ in ‘team’,” but many companies struggle to create a workplace rallying cry when it comes to information security. Every organization has different needs, both from budget and compliance standpoints. Like every other aspect of cybersecurity, no “one size fits all” resource for cybersecurity training exists. Finding the right fit for your organization can be difficult, but this compilation can act as a starting point.
Free cybersecurity training resources
Small businesses need to train their employees, but they often have limited resources. These nine free security awareness training options in alphabetical order can help fill that gap.
1. Cofense sample lesson
Cofense is a company providing solutions for phishing awareness, detection, response, and intelligence. The company offers a downloadable free course focused on safe web surfing, securing websites, and avoiding malicious sites and links. The course includes materials and a quiz that can be used to do quick phishing training and document results.
2. CompTIA security awareness training
CompTIA, a technology trade association, has a whole webpage dedicated to various security awareness training topics. Although the resources do not include quizzes, they do incorporate some role-based videos, such as the one for executives and finance employees. Topics discussed include:
- Security awareness training for Employees
- Password best practices
- Identifying fake websites and phishing emails
- Detecting phishing emails
- Tips for cybersecurity with network segmentation
- Device policies and security advice for executives
- Security advice for executives and finance employees
- How to create an incident response plan
3. Cyber Explore: The Fundamental of Cyber
Created by The National Counterintelligence and Security Center, Cyber Explore - The Fundamentals is a set of three free modules that give an overview that includes identifying computer components, recognizing attack methodologies, and choosing security protections. While a bit on the technical side, the series offers a plain-language explanatory approach that gives a solid overview for most employees.
4. Department of Health and Human Services security awareness training
The Department of Health and Human Services (HHS) is the regulator in charge of enforcing one of the most stringent data privacy laws, the Health Insurance Portability and Accountability Act (HIPAA). Since the regulation requires healthcare providers and their business associates to document employee training, HHS offers free security awareness and training resources to reduce the burden on small practices and other organizations. Its materials include:
- Cybersecurity awareness training
- Cybersecurity essentials training
- Phishing training
- Information security for IT administrators
- Role-based training for executives and managers
5. Department of Defense (DoD) Cyber Exchange
The DoD Cyber Exchange offers seven online courses and thirteen aids to help organizations looking for free training modules. The site also incorporates “Cyber Sam,” a page devoted to cybersecurity awareness cartoons featuring
Non-military organizations can benefit from the following online courses:
- Cyber Awareness Challenge
- Social Networking and Your Online Identity
- Identifying and Safeguarding Personally Identifiable Information (PII)
- Phishing Awareness
6. Federal Virtual Training Environment (FedVTE)
Created by the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), FedVTE offers six hours of free online courses with downloadable lesson PDFs. The categories include:
- Fundamentals of cyber risk management
- Risk management framework
- Critical assets and operations
- Threats and vulnerabilities
- Risk analysis and mitigation
- Security controls
- Mitigation strategy maintenance
- Response and recovery
7. Defense Counterintelligence and Security Agency (CDSE)
The CDSE is a federal agency whose mission is to secure the United States government’s workforce, ensure contractor integrity, and protect technologies, services, and supply chains. As part of this mission, the agency’s CDSE training website has a multitude of free resources available to promote cybersecurity awareness, including:
- Case studies
- Job aids
- Security awareness games
- Security posters
- Security shorts
- Security training videos
8. Mailfence Email security and privacy awareness course
Mailfence, a service providing end-to-end encrypted email, has a free content-based security and privacy awareness course. Set up as a three-part series, the course discusses:
- Data protection
- Device protection
- Securing email accounts
- Password hygiene
- Social engineering
- Email privacy
- Online privacy
- Virtual machine
9. SANS Security awareness work-from-home deployment kit
Established in 1989, SANS Institute is one of the cybersecurity industry’s most respected certification organizations. In March 2020, SANS started offering its Security Awareness Work-from-Home Deployment Kit to help companies promote security for their remote workforce. The kit includes:
- Deployment guide
- Tips for working from home securely
- Tips for secure video conferencing
- Information about securing kids online
10. Wizer security awareness simply explained
The security training platform, Wizer, has free and paid subscription options. The free version includes the following:
- Security awareness training videos
- Unlimited number of users
- Progress reports
- Department-specific modules/tracking
Paid cybersecurity training platforms
As organizations scale, the free and freemium options no longer support documentation needs. The following cybersecurity training platforms, in alphabetical order, offer scalable options that a company can use as it grows.
Cybermaniacs brings together cybersecurity, educational theory, social anthropology research, music, and puppets to create an engaging program that teaches rather than trains. The unique learning experience delivers micro-learning modules and leverage educational best practices, so employees internalize cybersecurity and apply their knowledge to keep organizations secure. They offer both a standard package for small to midsize organizations and an enterprise solution with video lessons, gamification, interactive modules, surveys, assessments, and autonomous learning opportunities.
12. Defendify Cybersecurity Platform
Targeted to small businesses, Defendify’s cybersecurity monitoring platform also provides training materials. Its offerings include a phishing simulation tool, awareness training videos, awareness poster library, and classroom training tool. The Awareness Training Videos are less than five minutes each. The platform sends them directly to employees, delivering new content each month, addressing current issues so that employees can stay up-to-date on evolving threats.
13. Global Learning Systems (GLS) Human Firewall 2.0 Training
GLS offers both turn-key and customizable packages so customers can choose the best training program for their employees. Customers can choose to focus on either Cybersecurity Awareness or Anti-Phishing Awareness, then build their program from there. Once a company selects a Foundation block, GLS offers three different packages: an Essential plan with one foundation block and three building blocks, a Standard plan with two foundation blocks and six building blocks, and a Comprehensive plan with four foundation and twelve building blocks.
14. Inspired eLearning
This cybersecurity training platform takes a “Security First” approach to its offerings and provides three different plans. The Select, Preferred, and Elite plans differ in the number of courses and micro-videos the customer can use. Select customers get four courses and two micro-videos. Preferred customers get fourteen courses and eight micro-videos. Elite customers get twenty-five courses and nineteen micro-videos. All modules include:
- Unlimited email phishing simulations
- Off-the-shelf translations
- Monthly “Tips and Tricks” newsletter
- Customizable content
- Automated program execution
- Cybersecurity Quotient Assessment (CyQTM)
- Curated security awareness programs
- Security awareness marketing collateral
- Phish hook email button
- StatZenTM advanced reporting
- SCORM downloads
- Level 1 - Security Awareness Training Courses
15. Infosec Institute
Infosec Institute’s Infosec IQ platform focuses on aligning cybersecurity training with mission-critical compliance requirements. The platform offers modules in more than thirty-four languages, creating localized training and phishing simulations to reach a global audience. It supports various compliance mandates, including:
- Payment Card Industry Data Security Standard (PCI DSS)
- Family Educational Rights and Privacy Act (FERPA)
- European Union General Data Protection Regulation (GDPR)
- Gramm-Leach-Bliley Act (GLBA) and SOX
- Criminal Justice Information Services (CJIS)
- California Consumer Privacy Act (CCPA)
16. IT Governance
IT Governance’s offerings for cybersecurity training align with mission-critical compliance mandates. The training options include live online training courses, self-paced online training courses, combination training courses, training aids, and e-learning training courses. The cybersecurity training modules offered are:
- California Privacy Rights Act (CPRA)
- EU GDPR
- ISO 27001
- PCI DSS
The KnowBe4 platform provides the type of Learning Management Software (LMS) experience that enterprise entities and their employees recognize. The training modules align with standard compliance mandates, including the Sarbanes-Oxley Act (SOX) and HIPAA. Training modules offer video content between fifteen and thirty minutes long and assessments so that companies can collect and analyze audit documentation.
MediaPRO’s Paradigm takes the fear, uncertainty, and doubt (FUD) messages out of cybersecurity training. Leveraging research that shows this approach fails, the platform eliminates technical jargon and ubiquitous hacker-in-a-hoodie imagery, focusing on shorter modules with a mobile-first design. Its training packs can either be generalized or regulation specific, offering the following modules:
- Security awareness
- Privacy awareness
- Phishing simulator
19. Security Mentor
The Security Mentor platform offers online security awareness training using ten-minute lessons, with each focused on a single topic so that companies can run more frequent yet less burdensome training schedules. The PhishDefense phishing simulator uses phishing tests then identifies and trains at-risk users. As part of its compliance tracking module, it automates security policy dissemination, documenting when employees read and attest to reading them to ensure compliance with laws and industry standards. Its policy compliance tracking capability is unique in the space, providing employees access to security policies, and tracking their interactions.
20. Teach Privacy
Despite the name, Teach Privacy offers both privacy and data security courses on its cloud-based “TalentLMS.” Training courses focus on mission-critical privacy compliance mandates, such as HIPAA, FERPA, and Financial Privacy. Still, the Advanced Courses selections dig deeper into the foundation of common and tort law, expanding into areas like the FTC. Training topics include:
- Privacy Shield
- Data Security
- Privacy by design
- Vendor management
21. ThreatAdvice Educate
NXTsoft’s ThreatAdvice complements its suite of data connectivity, security, and optimization solutions. The ThreatAdvice Educate Company Threat Plan provides a high-level risk overview across both an organization’s systems and workforce. It offers a policies and procedures library to help customers establish new policies or update old ones. The offering includes quarterly phishing simulations, which get translated into employee risk level scorecards along with micro-learning video courses.
22. Webroot Security Awareness Training
This Software-as-a-Service (SaaS) platform focuses on small to mid-sized businesses (SMBs) and managed service providers (MSPs). The console natively integrates with Microsoft Azure AD to streamline user onboarding and training update needs. Webroot Security Awareness Training makes it easy to automate scheduling so that SMBs and MSPs with limited resources can more effectively deploy multiple training sessions throughout the year to strengthen employee security awareness.
Phishing-focused cybersecurity training and simulations
Cybercriminals increasingly use phishing attacks as a way to steal credentials as part of their attacks. For organizations looking to create phishing-focused cybersecurity training with simulations at their core, the following, in alphabetical order, might fit the bill.
Hoxhunt is not an LMS, but it provides simulated phishing campaigns, using a gamified approach to metrics. Hoxhunt sends personalized, fake phishing campaigns that mimic real-life attacks. It enables employees to review their performance and compare it with their peers. The plugin button used to report phishing emails triggers feedback when used, letting people know whether the email was a simulation or the real thing.
Mimecast’s phishing simulation is part of the company’s more extensive security awareness platform offering. The tool includes templates that match commonly used phishing themes, including package tracking, fake promotions, and password resets to match real-world attack methodologies. It derives a risk score by combining phishing attack simulation scores, tutorial models, and testing sources.
PhishingBox is not an LMS but natively integrates with many of the most-used platforms, including SmartU, Canvas, and Moodle. It offers single company and multi-client subscriptions that come with the Phishing Simulator, Phishing Awareness Training, campaigns, reports, integrations, and support. The awareness training module includes:
- Built-in training content
- Learning management (LMS integrations)
- Training page creation
- Tired training and a coursework module
- Non-campaign training invites
26. Proofpoint Security Awareness Training
Proofpoint offers anti-phishing and enterprise packages so that organizations can scale their training programs as they grow. The anti-phishing package includes a simulated phishing attack, phishing email report button, LMS installation, security awareness materials, program materials, analyzer threat protection, and Active Directory (AD) syncing capabilities. The enterprise package includes everything in the anti-phishing package plus the Defence Works module, TeachPrivacy module, assessments, and a USB simulation module. Additionally, its platform incorporates a Very Attacked People report that identifies users that click on known malicious content and that malicious actors target.
27. Sophos Phish Threat
To complement its extensive suite of cybersecurity products that run the gamut from endpoint protection to cloud cost optimization and security services, Sophos also has Phish Threat. The enterprise-ready solution integrates with the Sophos Central security console, automating Phish Threat emails through a web browser. It also includes sixty training modules addressing the most relevant phishing threats and is available in ten different languages.
DevOps cybersecurity training options
Cybersecurity awareness training creates a culture of security that acts as an organization’s best defense against cybercriminals. However, for organizations involved in product development, your DevOps teams need to learn how to code securely as part of the Secure Development Lifecycle (SDLC).
28. Checkmarx Codebashing
Codebashing helps companies meet compliance requirements, such as PCI DSS, and covers the OWASP Top 10 Vulnerabilities. It focuses on ten major programming languages and frameworks, including Java, Kotlin, Swift, Ruby, and Python. Additionally, it supports twenty-three common vulnerabilities such as SQL injection and insecure TLS validation.
HackEDU boasts an offensive approach and provides interactive content to help meet compliance mandates, including PCI DSS, NIST 800-53, SOC, and HIPAA/HITRUST. They cover the OWASP Top 10 web vulnerabilities with over 115 topics available. They include everything from encryption best practices to sensitive data exposure and offer advanced lessons such as remote code execution and SQL injection with SQLMap. They also provide sandboxes with public vulnerabilities so coders can learn real-world offensive and defensive techniques. Their gamification uses a Capture the Flag (CTF) approach, leveraging competition as a way to engage developers.
30. Immersive Labs
Immersive Labs believe in equipping DevOps teams, exercising minds, and proving expertise as its approach to DevOps cybersecurity training. Its “human cyber readiness” platform takes a gamified approach to training, delivering on-demand content, and compliance reporting metrics. Its threat content developers partner with leading threat intelligence companies to build and deploy relevant content based on the continuously evolving threat landscape. It offers lab environments for offensive security, defensive security, application security, cyber crisis simulation, and security awareness.
31. Secure Code Warrior
Secure Code Warrior takes an approach to developer training rooted in educational best practices. Their scaffolded approach to learning starts with basics then gives developers the ability to apply that knowledge in reality-based simulations. They cover fifty languages and frameworks, including API, mobile, and web applications. They also offer native integrations with services like Jira and Github to incorporate coders' learning into their daily job duties. They also provide automation for compliance tasks, such as scheduling training sessions, pointing users to post-training assessments, and sending reminders.
SecureFlag offers three levels of the platform. The Community level is mostly free, providing a self-hosted open-source platform aligned with seven programming languages, learning paths, tournaments, and labs generated by the community. The Business offering is a SaaS platform with eleven programming languages available, premium labs, learning paths, SSO integration, metrics, APIs, and customer support. The Enterprise offering incorporates sixteen programming languages/technologies, including everything in the Business module plus custom labs, custom learning paths, customer support for organizing tournaments, and a dedicated Customer Success Manager.
33. Security Innovation
Security Innovation offers three learning models. SecureBuild is intended for software/system developers, engineers, architects, scrum masters, and product managers, aligning with security requirements and the OWASP Top 10. SecureOps focuses on operations, IT, network teams, support teams, analysts, and DevOps, training them on data security policies, system hardening, and access control. SecureDefend provides training for information security professionals, penetration testers, red teams, DevOps teams, and IT teams, offering training modules around penetration testing, vulnerability scanning, and complex systems compliance.
34. Veracode Security Labs
Veracode’s Security Labs enhance their other application analysis and governance products by aligning developer training to their suite of solutions. They offer hands-on training labs where developers can explore real-world threat scenarios. Customers can choose their organization’s programming language for a practical and optimized approach to training. The platform’s compliance reporting offers automation features such as deadlines, reminders, and progress reports to help companies meet ongoing security training requirements.
SecurityScorecard supports cybersecurity training programs
Creating a culture of security starts with cybersecurity training, but you also need solutions that weave security into the fabric of your organization. SecurityScorecard’s security ratings platform provides easy-to-understand A-F ratings that give you a way to support your employees’ information security awareness.
Many customers share their security rating with employees, giving them visibility into their daily activities’ impact on the organization’s security posture. With SecurityScorecard’s security ratings platform, you can tie training modules directly to company cybersecurity outcomes, reinforcing the value of awareness and creating a culture of security across the enterprise.