32 Free Cybersecurity Training Resources for SMBs

We've compiled 32 free resources from sources like the Infosec Institute, SANS, the FTC, and more to help you develop and improve on your cybersecurity training program.

According to Ponemon Institute's 2019 Global State of Cybersecurity in Small and Medium-Sized Businesses report, phishing and social engineering attacks were the most common cyber attacks faced by SMBs. Negligent and unknowledgeable employees pose a serious risk to businesses, so it's important to make sure your employees are properly trained in cybersecurity. However, SMBs often struggle with developing cybersecurity awareness training programs due to:

  • Perceived Cost. Implementing or creating an employee security awareness training program doesn’t have to break the bank. There are a variety of free resources around the web to help you develop your program, and tools like Zeguro's employee training solution offer affordable, ongoing security training courses.
  • Time. While there is a time investment needed, especially to develop an iterative, ongoing training program and cybersecurity culture, you can still get started quickly.
  • Lack of Knowledge. There is a shortage of security professionals, and many SMB leaders feel their organizations lack someone with expertise in information security. Thankfully there are a variety of free resources around the web as well as affordable training courses, already built by security experts.

We’ve compiled a list of 32 different resources to help SMBs better prepare their workforces for cybersecurity. Every entry is free (or part of a free trial) and created by professionals in the field of information security. The list is organized in no particular order. We also created a free Cybersecurity Awareness Training Guide you can download to train your employees on best practices for maximum password security, how to identify phishing attacks, and more.

1. Implement a Security Awareness and Training Program

Implement a Security Awareness and Training Program

Organization: Center for Internet Security (CIS)

Twitter: @CISecurity

The Center for Internet Security (CIS) offers 20 “controls” so that organizations can better classify themselves and improve their security. CIS Control 17 teaches the ins and outs of putting a training program into place. All the controls are available to organizations in a single set, but in this particular module, you’ll learn to:

  • Perform a skills gap analysis
  • Train yourself and others to identify attacks
  • Learn good cyber defense habits

2. Cyber Storm

Cyber Storm

Organization: CISA

Twitter: @CISAgov

According to the Department of Homeland Security's website, Cyber Storm “provides the framework for the most extensive government-sponsored cybersecurity exercise of its kind.” This program is meant for both private and governmental organizations to better prepare for cyber issues. Participants will:

  • Practice decision making and coordination with policies and procedures
  • Examine how well an organization is prepared for cyber attacks
  • Implement information sharing practices for security

3. NCSAM Cybersecurity Trivia Game

NCSAM Cybersecurity Trivia Game

Organization: CISA

Twitter: @CISAgov

One of the best ways to train a team is through gamification. The National Initiative for Cybersecurity Careers and Studies (NICCS)put together a trivia game to test your employees' cybersecurity knowledge and engage with them. This trivia can be a good starting point to assess areas of weakness. Both the game and instructions are downloadable on the site.

4. End User Awareness

End User Awareness

Organization: Cybrary

Twitter: @cybraryIT

Cybrary offers a vast number of courses from beginner to advanced. The “End User Awareness” course is an introductory look into cybersecurity. Being aware of potential threats, what they look like, and how to deal with them are very important. This course teaches:

  • Threats through case study examples
  • Measures to maintain privacy on desktop and mobile
  • Tips to prevent cyber issues

5. National Counterintelligence and Security Center (NCSC) Cyber Training Series

Cyber Training Series

Organization: DNI NCSC

Twitter: @ODNIgov

This resource from the NCSC under the Office of the Director of National Intelligence provides three courses designed to raise cyber awareness. The training series covers fundamentals meant for those who are new to the cyber realm as well as dives deeper into the specifics of cyber attacks. You and your team will learn:

  • The anatomy of a hack, including seeing an attack from the hacker’s perspective
  • Examine real attacks to highlight common vulnerabilities
  • Take an in-depth look at five of the most common security threats

6. Fundamentals of Cyber Risk Management Course

Fundamentals of Cyber Risk Management Course

Organization: FedVTE

Twitter: @CISAgov

This FedVTE course is a high-velocity, 6-hour introduction into the fundamentals of cyber risk management. There are more than 30 modules, each split up into small and manageable chunks of time. Most of the short sessions include a downloadable lesson PDF to make it easier for attendees to follow along. Some of the modules include:

  • Standards for Risk Management
  • Considerations for Responding to Risks
  • Incident Response (6 different modules covering phases of response)

7. IS-0906: Workplace Security Awareness

IS-0906: Workplace Security Awareness

Organization: FEMA

Twitter: @FEMA

This course designed by FEMA provides guidance on how to improve workplace security awareness and covers how to identify potential security risks, measures for improving security, and actions your organization can take to respond to security incidents.

8. Cybersecurity for Small Business

Cybersecurity for Small Business

Organization: FTC

Twitter: @FTC

The FTC has put together a number of learning materials on their website to help SMB owners learn the basics for protecting their businesses from cyber attacks. These resources include:

  • Cybersecurity basics
  • Information on various scams and attacks
  • How to have secure remote access

9. FTC's Cybersecurity Quizzes

Cybersecurity Quizzes

Organization: FTC

Twitter: @FTC

There are cybersecurity quizzes to go along with many of the training modules on the FTC website. This is a great way for you and your team to see how well you understand basic cyber attacks and security principles.

10. Introduction to Cyber Security

Introduction to Cyber Security

Organization: Future Learn

Twitter: @FutureLearn

This introduction to the world of cybersecurity is an 8-week course designed to help users understand online security and how to protect their digital lives. It's an accredited course by APMG, IISP and GCHQ. You or your team can join anytime to learn:

  • Basic cybersecurity terminology
  • How to identify malware and how to prevent infections
  • How to apply risk management

11. Security Awareness Tips

Security Awareness Tips

Organization: Gideon T. Rasmussen (Information Security Consultant)

Twitter: @gideonras

Gideon Rasmussen is an Information Security Consultant with past experiences as Chief Information Security Officer (CISO), SVP Risk Control Officer, PCI Compliance Manager, and more. He compiled a bunch of security awareness tips, which cover a variety of topics including:

  • How to destroy sensitive material
  • Backing up data
  • Laptop safety measures

It could be a good idea to print these tips out and post them in common areas of the office or distribute them to your team via email every so often.

12. Cybersecurity Awareness Training

Cybersecurity Awareness Training

Organization: HHS

Twitter: @HHSGov

While designed for the U.S. Department of Health and Human Services, this two-part, interactive training course can be used for other organizations. Part one is the actual training, and the second is the Rules of Behavior (RoB). The purpose of this training is to help users identify the information that needs to be protected, common security threats, and best practices to secure data. The course includes:

  • Assessment prompts to see how you’re doing along the way
  • Full training library for resources during the course and beyond
  • A final test at the end of the course

13. HHS Role Based Training

HHS Role Based Training

Organization: HHS

Twitter: @HHSGov

Along with the Cybersecurity Awareness Training course mentioned above, the HHS also put together some role-based training resources for executives, IT admins, and managers. While the resources are geared towards HHS employees, they still cover relevant material for other organizations. For examply, the resource for executives explains how security impacts the business, including capital planning and investment control and contract oversight.

14. Need to Know 12-Month Program Plan

Need to Know 12-Month Program Plan

Organization: Infosec Institute

Twitter: @Info__Sec

This kit helps you put together a 12-month security awareness and anti-phishing program that keeps employees engaged and informed. The kit includes:

  • Posters and infographics
  • Training modules and assessments
  • Phishing templates and pages

15. Phishing Risk Test

Phishing Risk Test

Organization: Infosec Institute

Twitter: @Info__Sec

Phishing and social engineering attacks are the most common cyber attacks faced by SMBs. Infosec Institute put together this free phishing risk test to help you assess your organization's vulnerability to phishing attacks.

16. Infosec IQ Training and Awareness Content Library

Training and Awareness Content Library

Organization: Infosec Institute

Twitter: @Info__Sec

Infosec Institute's library of industry- and role-based training resources is updated weekly so that you can deliver fresh and relevant cybersecurity training to your employees. Their library contains live action videos, humorous videos, compliance modules, and reinforcement tools such as posters and infographics.

17. WORKed campaign kit

WORKed campaign kit

Organization: Infosec Institute

Twitter: @Info__Sec

Another employee security awareness training resource from the Infosec Institute, this resource is ideal for small and medium businesses on the larger end of the spectrum. The more employees in an organization, the harder initiatives are to drive home. Materials, communication, and persistence are critical for adoption. This campaign kit helps you build a multi-layers security awareness program with humor.

18. Marine Lowlifes Cybersecurity Awareness Campaign Kit

Marine Lowlifes Cybersecurity Awareness Campaign Kit

Organization: Infosec Institute

Twitter: @Info__Sec

Marine Lowlifes is a cheeky play on words. Since the term “phishing” obviously correlates to “fishing,” Infosec Institute has dubbed phishing scammers as “marine lowlifes.” The campaign kit is meant to aid organizations in making their team aware of this common and dangerous threat in the inbox. With this program, you’ll teach your team “how to spot the most dangerous phish lurking in their inboxes.”

19. Security Awareness Toolbox

Security Awareness Toolbox

Organization: Information Warfare Site (IWS)

With over two dozen downloadable PDF and spreadsheet documents, the “Security Awareness Toolbox” is a library of useful information. These documents are compiled from sources all over the web, including the DoD and other expert organizations. While your organization may not need all of them, most of the items are useful. Available resources include:

  • Security awareness benchmarking and metrics
  • How to backup data
  • Monthly quizzes

20. Google Phishing Quiz

Google Phishing Quiz

Organization: Jigsaw | Google

Twitter: @Jigsaw

Carve aside some time when onboarding new employees or during a slower time for your business and have your employees take this phishing quiz. This quiz takes you through a number of scenarios, mostly email-based to train you to identify phishing campaigns

21. Federal Virtual Training Environment (FedVTE)

Federal Virtual Training Environment (FedVTE)

Organization: CISA

Twitter: @CISAgov

The National Initiative for Cybersecurity Careers and Studies (NICCS) is managed by CISA and has put together an entire “on-demand cybersecurity training system.” The course contains over 800 hours of cybersecurity training. Note that this resource is only free to use for government employees and veterans.

22. Building an Information Technology Security Awareness and Training Program

Building an Information Technology Security Awareness and Training Program

Organization: National Institute of Standards and Technology (NIST)

Twitter: @NISTcyber

This publication provides guidance for building an effective cybersecurity awareness and training program and walks you through four key steps in the life cycle of a security awareness program:

  • Awareness and training program design
  • Awareness and training material development
  • Program implementation
  • Post-implementation

23. Achieving Basic Awareness of Information Security Measures

Achieving Basic Awareness of Information Security Measures

Organization: Plural Sight

Twitter: @pluralsight

This beginner level course offers a broad overview of information security and is intended to be foundational. With several hours of instruction, attendees will learn basic tenets of awareness, specific security measures, and different types of vulnerabilities and attacks.

Note: While Plural Sight isn’t a free platform, there is a free trial which provides ample time to complete all course materials.

24. Creating a Security-centric Culture

Creating a Security-centric Culture

Organization: Plural Sight

Twitter: @pluralsight

This offering is intended for management, executive level, and security to give you the tools to create a culture geared toward information security. Not only will you understand the meaning of “security first,” but you’ll also walk away with the tools necessary to embed that practice into your entire company. This course was designed by Troy Hunt, the creator of "Have I Been Pwned."

Note: While Plural Sight isn’t a free platform, there is a free trial which provides ample time to complete all course materials.

25. SANS OUCH! Newsletter

SANS OUCH! Newsletter

Organization: SANS

Twitter: @SANSAwareness

OUCH! Is “the world’s leading, free security awareness newsletter designed for everyone.” Cybersecurity takes everyone and providing this resource to your team is one of the best ways to keep it at the top of their mind. Past issues are available right on the site — all free.

26. SANS Security Awareness Planning Toolkit

SANS Security Awareness Planning Toolkit

Organization: SANS

Twitter: @SANSAwareness

Where do you begin when building a security awareness program? SANS has put together a toolkit full of expert resources to help you plan and maintain an effective security awareness program. The toolkit includes:

  • Articles written by experts
  • Audiocasts
  • Factsheets

27. 2019 Security Awareness Report: The Rising Era of Awareness Training

2019 Security Awareness Report: The Rising Era of Awareness Training

Organization: SANS

Twitter: @SANSAwareness

The SANS Security Awareness Report is designed to help you make data-drive decisions that will mature your security awareness program. The 2019 report has great information, including:

  • A completely reimagined, thoughtfully designed SANS Security Awareness Maturity Model
  • Visually helpful graphs, charts, and diagrams to help you draw valuable conclusions about your very own program
  • Key “action item” breakouts to help your program mature and thrive

28. Security Awareness Blog

Security Awareness Blog

Organization: SANS

Twitter: @SANSAwareness

The annual report mentioned above is a compilation of key data over the course of the previous year. However, SANS also offers a free blog dedicated to the topic of security awareness that is constantly updated (typically on a weekly basis). Here are a few great posts from the blog:

29. Foundations of Cybersecurity

Foundations of Cybersecurity

Organization: Springboard

Twitter: @Springboard

Springboard’s 38-hour “Foundations of Cybersecurity” free course provides foundational concepts for the cybersecurity field, including various types of attacks and how to protect our IT environments through tools and designs. While it may be more advanced than some on your team need, the course has several modules, including:

  • What is cybersecurity?
  • Attackers and attacks
  • Security fundamentals
  • Securing devices

30. Creating a Cyber Aware Employee Culture in Your Business

Creating a Cyber Aware Employee Culture in Your Business

Organization: Stay Safe Online

Twitter: @StaySafeOnline

Watch this webinar, featuring Infosec, the FTC, and the Michigan Small Business Development Center, to learn about best practices and resources for creating a cyber aware culture for your SMB.

31. Stop.Think.Connect. Small Business Resources

Stop.Think.Connect. Small Business Resources

Organization: Stop.Think.Connect.


Stop.Think.Connect. is a global online safety awareness campaign. They put together a list of resources for SMBs. Every one of these documents is a gift for SMBs looking to make sense of this seemingly confusing world. Here’s just a sampling of what’s there:

  • Cybersecurity Planning Guide
  • FCC Small Business Tip Sheet
  • Mobile Security Tip Card

32. Security Awareness Training

Security Awareness Training

Organization: UC Santa Cruz

Sometimes it’s beneficial to see what other organizations are doing to create security awareness. UC Santa Cruz has made their comprehensive training available to the world on a single webpage. Essentially, it’s a compilation of in-house materials and links to beneficial resources for their team.

Zeguro is a cyber safety solution and insurance provider for small to mid-sized businesses (SMBs), offering a comprehensive suite of tools for risk mitigation and compliance, as well as insurance premiums that are tailored to the size, sector and profile of a company.
Learn more →

Start My Free Trial
Ellen Zhang
Written by

Ellen Zhang

Digital Marketing Manager

Enthusiastic and passionate cybersecurity marketer. Short-story writer. Lover of karaoke.

Sign up for the latest news

Oops! Please make sure your email is valid and try again.