Like clockwork, this time of year brings a bevy of articles in the infosec community ruminating on what the new year will bring.

Most predictions I’ve read focus on the technical side of the equation: new ways for cybercriminals to launch malware, for example, or the bogeyman of the Internet of Things (IoT) being used to gain access to home and office networks.

One forward-looking article, though, approached it differently. Attorney Michael Overly’s piece on CSO Online took a more proactive “resolutions to make” angle, touching on the importance of employee awareness training specifically: “In the coming year, think of quality, not quantity, of training.”

I couldn’t agree more with this sentiment. With this as inspiration, I’d like to look at some employee security and privacy awareness trends we expect this year.

Small-to-medium-sized awareness

Owners and operators of small-to-medium-sized businesses (SMBs) should not be surprised that cybercriminals have them squarely in the crosshairs. According to the 2017 Verizon Data Breach Investigations Report, 61% of all cyberattacks target small businesses. SMBs handle sensitive client data no less valuable than that of larger companies, and often don’t have the dedicated resources to repel cyberattacks. Most often, this means little or no time spent on security and privacy awareness.

However, we expect the focus on repeated and engaging security and privacy awareness efforts to trickle down to the SMB space in 2018 as they realize their size does not make them immune to cyberattack. Stale, once-a-year training on these topics could prove costlier to SMB employees, who likely have more varied demands on their attention than employees at larger companies where roles may be more siloed. I speak from experience here, working for a company with fewer than 100 full-time employees. The responsibilities my colleagues regularly take on are myriad, requiring security and privacy awareness education that gets and keeps their attention.

Fortunately, SMBs are not alone in keeping their sensitive data out of the hands of bad guys. We’re glad to see nonprofit organizations such as the National Cyber Security Alliance (NCSA) take up the mantle in this space with their “Cyber Secure My Business” initiative, launched just this year (full disclosure: my company is a proud sponsor of this program). The initiative provides free resources, including webinars, infographics, and fact sheets, to educate SMB owners about the importance of a sound cybersecurity posture.

Know more about what’s not known

If it’s the case that more and smaller businesses will take up the cause of educating employees about security and privacy, we hope it’s also the case that they will educate them about the real risks they face. The era of throwing a one-size-fits-all training program at employees who are already stretched too thin will hopefully be coming to an end.

More and more, we expect to see cybersecurity educators using old tech (like simple assessments) and new tech (like machine-learning-driven behavioral analytics) to identify precisely where employees are weak, and then to target short, meaningful training and communication directly to those users. It’s high time we got smarter about how we deliver training to end users, and this may well be the year that we see meaningful advances in this area.

The GDPR reckoning

May 25, 2018, has likely been circled on the calendars of data privacy professionals for years. On that date, the sweeping General Data Protection Regulation (GDPR) will come into effect and cement a variety of regulations that any organization handling the data of EU citizens must abide by. These include new requirements for data collection and breach notifications, a mandatory Data Protection Officer (DPO), and privacy awareness training for employees handling data.

Even as the date approaches, near-weekly headlines continue to show that most organizations may not be ready. A survey of 500 cybersecurity professionals in companies in the U.S. and Europe, released just last week, revealed that 57% of professionals are concerned about GDPR compliance.

This article is far from the first 2018 predictions piece to mention the GDPR, but we would like to offer a more positive spin. Rather than a stick, the GDPR should be thought of as a carrot that organizations can use to strive for a company-wide approach to data privacy. We see the GDPR as inspiring cultural shifts that will begin with training and communication initiatives that help employees understand that the individual’s claim to their data takes precedence above all else.

Real GDPR compliance means privacy by design writ large across the culture of the organization. We think this will mean a rethink of how privacy awareness training initiatives are undertaken in 2018.

Rise of the program

We’ve said it before and we’ll say it again: once-a-year employee awareness training simply won’t cut it. Our own experiences with clients and years of adult learning research bear this out. Repetition is the mother of learning, meaning employees need consistent and repeated exposure to key topics to embed new information into their mental models. We may sound like a broken record, but we don’t really care. It’s just that important.

Fortunately, though, we think 2018 may be the year most organizations get it. For one, a 2017 survey of security awareness professionals by the SANS Institute found that 55% of respondents described their awareness efforts as including training reinforcement throughout the year. An encouraging sign, to be sure.

We’ve also seen this in interactions with our clients, who often come to us with ideas about how to present the most pertinent security and privacy topics in varied ways throughout the year. Additionally, we’ve noted an uptick in other vendors in this space speaking directly about the importance of an awareness program over the last year. Many signs are pointing to awareness programs being the wave of the future, and we’re excited to be at the forefront.

Future phishing

A colleague of mine tells the story of a phishing email he got recently that proved surprisingly cunning. The email offered help paying off student loans incurred while at college—his college! He’s not a big social media user, but he does list his alma mater on his LinkedIn profile, and he was surprised at the time this scammer took to craft a personalized email. We joked that spear phishing is not just for “important” people any more.

Many experts predict this is just a taste of the tactics phishing scammers will use in the new year and for years to come. The only limits to cleverly crafted phishing attempts exist in the bad guys’ imaginations.

Though “phishing will get worse” may as well be a fact rather than a prediction, we couldn’t not include it in an employee awareness predictions article. Why? Here again we’d like to take a positive spin: scammers are being forced to up their game because users are getting better at recognizing phishing attempts. Those of us in the security awareness business should almost take this trend as a compliment, since it means our efforts to educate employees are having an effect.

Toward the future

I have no illusions that many predictions articles, this one included, are little more than whistling in the wind. They can be good for starting meaningful conversation, for sure. But idle speculation released to the internet like a message in a bottle on the open ocean is just that: speculation.

Most organizations serious about planning for the infosec threats of next year don’t need such articles to tell them what to do. Plus, no one could have predicted the immensity of the Equifax data breach, or the fact that it took months for the company to reveal the details. Or the Uber data breach that company heads waited a year to reveal, after paying off the hackers that broke in.

The only thing that can be said with certainty is that events like these will continue to happen. The responsibility, then, is in the hands of organizations to make themselves as breach-resilient as they can.

Employee awareness is not a panacea in this regard, but I don’t think it’s too much of a stretch to say that a greater focus on a risk-aware culture could have lessened the chances of the major breaches of 2017. What are you doing to instill such a culture?