The grim reality of today’s IT security threats and the risks they create is no secret. Many organizations have invested in new security tools and services to beef up their defenses. Unfortunately, the best technology in the world can’t always compensate for the biggest security weakness that continues to put organizations at risk – a lack of security awareness.

In fact, a recent report from a major IT security vendor found that just 1 percent of the targeted attacks observed in 2017 used a vulnerability to access corporate networks. Rather than using sophisticated techniques to find and exploit vulnerabilities, hackers trick human targets into doing the heavy lifting for them. For example, hackers can simply find out who has access to the data and assets they want and send them a phishing email.

Phishing is a form of social engineering in which the attacker sends an email posing as a legitimate person or entity – a bank, the IRS, the recipient’s boss, etc. The phishing email will contain official logos and appear very realistic, so the recipient will be more likely to do what the hacker wants. That typically involves downloading a malicious file or clicking a link to a malicious website, which exposes valuable information such as user credentials or bank account numbers.

Although today’s advanced security mechanisms attempt to warn users about phishing attacks, success rates haven’t gone down. Hackers have become better at fooling victims with customized scams, and human targets are still very careless when it comes to handling questionable content, ignoring security warnings and sharing sensitive data.

Organizations of all sizes need to raise their game when it comes to security awareness training. If you simply hand employees a dated security manual or require them to watch videos with little accountability, you’re increasing the risk of a data breach and regulatory compliance issues.

A single employee who fails to follow proper procedures, whether intentionally or unintentionally, can undermine an organization’s security and compliance efforts. In the case of compliance, formal security awareness training is a requirement for the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA) and other regulations.

Organizations can make security awareness training more effective by showing employees real-world examples of phishing emails and other hacking techniques. Show them the specific warning signs of a scam, from unfamiliar sender email addresses to suspicious requests for information. Make training interesting, engaging and interactive. Instead of lecturing, show employees the tools used by hackers. Let them use these tools so they can put themselves in the shoes of hackers.

Training is more effective when integrated into a culture that prioritizes IT security. That means you need senior executives to drive positive change, lead by example and actively participate in security awareness training. Also, make it clear that security isn’t the sole responsibility of IT. The success of complex phishing attacks shows that IT security must be a shared responsibility among all employees. Finally, use security awareness training to set goals, celebrate successes and build morale, recognizing that mistakes will occasionally happen.

Investments in security tools and services are important, but inadequate security awareness training will prevent you from maximizing the return on those investments. Adopt a security awareness culture and use formal, ongoing training to reinforce that culture and minimize risk.