Cyber security awareness training can be considered a quick win: it can remove a LOT of cyber security risk, and it's generally very cost effective. From a business perspective, it makes good sense to ensure that you have identified all your risks, and then determine which of those risks you actually need to address. Put them in an appropriate order, and get started!
But don't think that awareness training is the silver bullet of risk management. Sure, people can stop a lot of threats, but back them up with good processes and technology that is constantly protecting against cyber criminals, and also hopefully identifying if you have a breach. The concept of doing multiple things (e.g. using people, processes and technology) to mitigate risks is called 'defense in depth', and it's a great way to really safeguard your business from cyber criminals.
For example:
- People: Teach them to watch out for Microsoft Office 'macro documents' (e.g. .docm, .xlsm, .pptm), because these documents contain macro code that could potentially be written by a criminal.
- Processes: Ensure that all macro documents are stored and run from a sanctioned location, and that externally received macro documents are checked on an isolated computer (i.e. one not attached to the network).
- Technology: Use anti-malware software that monitors how macro documents run (e.g. are they opening potentially damaging processes).
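To show how the 'processes' and 'technology' layers above can be backed by a simple check rather than relying on people alone, here is an added example (not code from the original post) that flags Office documents carrying VBA macros and checks whether they live in a sanctioned folder. It goes slightly beyond the list: instead of trusting the file extension (.docm, .xlsm, .pptm), it also looks inside the OOXML zip container for the `vbaProject.bin` part, so a macro document renamed to a plain extension is still spotted. The `SANCTIONED_DIRS` list and the in-memory sample documents are assumptions constructed for this example, not real Office files.

```python
"""Flag Office documents that carry VBA macros and check their location.

Added example, not from the original post. Assumptions (labelled):
- SANCTIONED_DIRS is a hypothetical list of approved macro folders.
- Sample documents are minimal zip containers built in memory; they are
  constructed stand-ins, not real Word/Excel/PowerPoint files.
"""
import io
import os
import zipfile

# Macro-enabled extensions named in the post.
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm"}
# Hypothetical sanctioned location(s) for macro documents (assumption).
SANCTIONED_DIRS = ("/srv/macros/approved",)
# OOXML stores VBA macro code in a part called vbaProject.bin.
VBA_PART = "vbaProject.bin"


def has_vba_part(data: bytes) -> bool:
    """True if an OOXML (zip) document contains a VBA project part.
    Non-zip input (e.g. a legacy binary .doc) cannot be inspected this way
    and is reported as False; treat that as 'unknown', not 'clean'."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.rsplit("/", 1)[-1] == VBA_PART for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def is_sanctioned(path: str) -> bool:
    """True if the file sits under one of the approved folders."""
    norm = os.path.normpath(path)
    return any(norm.startswith(os.path.normpath(d) + os.sep) for d in SANCTIONED_DIRS)


def classify(path: str, data: bytes) -> dict:
    """Combine the extension check, the content check and the location
    policy into one verdict: 'allow' or 'quarantine'."""
    ext = os.path.splitext(path)[1].lower()
    by_ext = ext in MACRO_EXTENSIONS
    by_content = has_vba_part(data)
    sanctioned = is_sanctioned(path)
    has_macro = by_ext or by_content
    return {
        "path": path,
        "macro_by_extension": by_ext,
        "macro_by_content": by_content,
        # Macro content behind a non-macro extension deserves a second look.
        "extension_mismatch": by_content and not by_ext,
        "sanctioned": sanctioned,
        "action": "quarantine" if has_macro and not sanctioned else "allow",
    }


def build_sample_doc(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-like zip in memory (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/" + VBA_PART, b"CONSTRUCTED-VBA-PLACEHOLDER")
    return buf.getvalue()


def scan(files: dict) -> list:
    """Classify a mapping of path -> file bytes and return the verdicts."""
    return [classify(p, d) for p, d in files.items()]


if __name__ == "__main__":
    # Constructed inputs: one sanctioned macro file, one from Downloads,
    # one renamed to hide its macro, and one plain document.
    samples = {
        "/srv/macros/approved/report.xlsm": build_sample_doc(True),
        "/home/user/Downloads/invoice.docm": build_sample_doc(True),
        "/home/user/Downloads/notes.docx": build_sample_doc(True),
        "/home/user/Downloads/plain.docx": build_sample_doc(False),
    }
    for verdict in scan(samples):
        flag = " (extension hides macro content)" if verdict["extension_mismatch"] else ""
        print(f"{verdict['action']:10} {verdict['path']}{flag}")
```

In practice this kind of check would run on a mail gateway or file share rather than on the user's desktop, and the 'quarantine' action would hand the file to the isolated machine the process step describes; the point is that the content check and the location policy catch cases a trained user cannot see from the filename.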
So sure, maybe start with cyber security awareness training if you're serious about reducing cyber risk, but if you only concentrate on people you will have vulnerabilities around processes and technology, and that's probably where you will be breached.