Luke Peach

Training Team Leader

10th November 2021

Five secrets to brilliant security training

Annual Cybersecurity and Information Security training is needed to meet most compliance standards, including ISO 27001 and the GDPR. It’s also the best way to reduce the risk of human error in a business. However, in a recent survey conducted by Defense.com™, 25% of businesses admitted to not conducting any form of security training for over a year, if at all. But getting businesses to realise the benefit of this training is only half the battle. The other obstacle to efficient staff security awareness is employee engagement. When most employees get the email saying ‘you need to do cybersecurity training’ their eyes roll into the back of their heads and they mentally switch off before they’ve even finished reading the rest of the email. But why?

There’s a general perception of training as being boring. This comes from a lot of businesses treating training as an afterthought or just a tick-box exercise, and as such, no effort is made to make the training engaging or memorable. If you do this, then your staff will adopt the same attitude towards it. Failure to deliver training that positively informs a staff member’s actions when faced with a potential phishing attack, for example, could lead to data breaches, regulatory fines, and have a negative impact on your business’ reputation.

In my experience there are five key ways to get your team excited by cybersecurity training. Let’s break them down…

1. Make it relatable

Cybersecurity is a technical subject, and it can be tempting for inexperienced trainers to talk directly about these technical details. However, most of your staff don’t understand, and don’t need to understand, the techy details. If your training talks about encryption in VPNs and injecting SQL code into websites, then of course you’re going to disengage anyone who doesn’t fully understand those things. However, if you talk instead about:

  • Social media
  • Using your devices on open WiFi
  • Security of devices at home
  • Stories from the news

you can deliver relevant and relatable messages that everyone can understand. By only sharing what your staff need to know, and delivering it in a way that sparks their interest, you’ll find staff retention increases. I also find that live demonstrations (such as “let’s see what information we can find out on LinkedIn”) grab everyone’s attention.

2. Get a passionate and experienced trainer

Finding someone who is good at delivering training content and has the knowledge and experience in cybersecurity is an uphill battle. We’re certainly a rare breed, and it’s safe to say that most cybersecurity subject matter experts prefer to stay behind the scenes. That’s why you need to go to a specialist cybersecurity company offering training solutions. At the very least you know that those trainers are surrounded by cybersecurity professionals daily. You may even find some of them do training as well as other security disciplines such as consulting, which means they’ll likely add additional advice to the core training agenda.

Having a passionate person deliver training on any topic will always be better than someone who sees it as ‘just another subject’, as the delivery will be done by someone who genuinely cares, and will encourage others to feel the same way.

3. Talk about the dark side

No, I don’t mean Star Wars (as cool as that would be). So many cybersecurity trainers just focus on the stuff that people need to do to stay secure, yet only briefly touch on (or completely leave out) the impacts of what happens if they don’t. I’m not saying you should trade on fear and doubt, but talking about the impacts of poor cyber hygiene helps give context and clarity to what you’re talking about. For example, when discussing social engineering, it helps to explore the disastrous impact that ransomware would have. Explaining how a Rubber Ducky USB stick works or how a phishing email can capture data can be useful for turning a boring ‘thou shalt’ lecture into an engaging training session.

4. Avoid drab and dreary materials

You get out of training what you put into it. That’s why you need to make sure all your materials have been professionally made, professionally delivered and, of course, measurable. Let’s not mince words here: dull PowerPoints, dreary Word documents and wonky, cobbled-together videos will never engage an audience, or inspire them to take in information.

One of the common traps people fall into is making cybersecurity training long and time-consuming. Some videos I’ve seen are up to an hour long, and sometimes Word documents can ramble on for 22 pages. This doesn’t lead to good knowledge retention. When done right, one five-minute video, or a 10-slide PowerPoint can have a better impact than all the other waffles combined.

5. Make it enjoyable (Bribery works)

Free pizza!

See, that got your attention, didn’t it? Yes, there will be some people that say ‘I shouldn’t have to bribe my own staff to protect the business’, and they would be right. However, doing something nice like free pizza during the training can boost staff morale and encourage more people to turn up. Let’s do the maths: £40 on 4 large pizzas vs. all the lost business after suffering a cybersecurity incident. It’s a no-brainer, surely?

There are so many ways you can make something like cybersecurity training enjoyable. Allowing people to get involved, providing freebies, or just making the process funny and entertaining can transform staff from saying ‘well that was boring’ to ‘wow, I’m going to make sure I tell my friends about that’.

Summary

So, there you go. In my experience, the best and most successful cybersecurity training is delivered by passionate, experienced trainers that know how to speak to both techy and non-techy people. The materials should be top-class and delivered with their audience in mind. And of course the company mandating the training need to treat it as a high priority business task, not a tick-box exercise or an afterthought.
