June 2024

Your Boring Cybersecurity Training is Only Helping Scammers – Here Are 4 Ways We Can Do Better

Tom Baragwanath Head of Content

Close your eyes and picture the last great cybersecurity training you took. Not just fine, but actually great. Are you drawing a blank? Be honest – we won’t judge!

The truth is, it would take a miracle for you to actually remember your cybersecurity training. And why would you? Generic courses on data encryption and password best practices aren’t exactly thrilling. But unfortunately, all of this forgettable training only helps one group: scammers.

In this article, we’ll explore why most cybersecurity training fails to prepare us for the ever-expanding list of threats we face online. Then, we’ll offer a four-step guide to delivering practical, engaging training that not only keeps people safe, but actually holds their interest.

Let’s get started by looking at why cybersecurity is more critical than ever.

Cybersecurity is critical – so why is the training so boring?

The COVID-19 response drove a huge uptake in digital activity, with an additional 30% of businesses moving online during the pandemic. Given this trend, it’s no wonder cyberattacks targeting businesses have surged. After all, where people go, scammers follow.

And follow they have. A staggering 83% of US organizations report experiencing more than one data breach per year, with each breach costing an average of $9.44 million USD. For publicly traded companies, these breaches also cause an average loss of 7.5% in stock value. The most sobering stat of all? Three-quarters of all breaches involve an element of human error.

Fortunately, most businesses have training programs in place to boost threat awareness and mitigate the risk of cybersecurity missteps. Great, right? Well, yes and no. While 85% of employees say they complete security awareness training, 64% say they don’t really pay attention. Even worse, 36% say their cybersecurity training is actually boring.

So, why does so much cybersecurity training fail to hold our attention?


5 reasons why most cybersecurity training misses the mark

There are five key reasons why most cybersecurity training doesn’t prepare people for the very real threats they face.

#1: It looks (and feels) like Windows 95

Today, people expect training to be sleek, intuitive, and quick. Unfortunately, most cybersecurity training is stuck in the 90s, with boxy interfaces, clunky slide formats, and big chunks of text.

Don’t believe me? Here’s what you get when you Google ‘cybersecurity training’:

[Image: search results for 'cybersecurity training', captioned "Boring Cybersecurity Training"]

A lot of training content looks like this because it’s built by subject-matter experts with a depth of technical expertise, but little awareness of how people actually retain and apply information. It’s not their fault – but it does lead to forgettable learning experiences.

We can do better by offering cybersecurity training that matches expectations, keeps people engaged, and gets key ideas and techniques across quickly.

#2: It doesn’t reflect individual experience levels or training needs

For many companies, the cybersecurity training on offer is the same regardless of a person’s background or level of experience. This means a summer intern might take the same phishing awareness training as a Head of IT with 30+ years’ experience.

This generic, one-size-fits-all training is a huge missed opportunity. We need to tailor the training to match different levels of experience and technical ability, and the specific risks faced by each individual. This way, we can give people the learning experiences they really need.

#3: It’s treated just like any other compliance training

Too often, cybersecurity awareness training is treated like any other compliance training, like workplace health and safety, data privacy, or filing best practices. People get a yearly reminder, read some slides, and check a box to say they understand. That’s it.

In reality, cyber threats are changing every day, with scammers inventing new ways to exploit our systems. Instead of treating cybersecurity like just another compliance requirement, we need training that is every bit as innovative and responsive as the scammers are.

#4: It’s framed in terms of systems, not people

Cybersecurity training is often framed in terms of systems and technologies, sending the message that with the right set of protocols, we’ll all be safe. And while tools like multi-factor authentication and password managers are crucial, they don’t tell the whole story.

That’s because cybersecurity is a human challenge. Scammers succeed mostly because of human error: people trust strangers too much, or they share sensitive information. Basing our training in real stories and putting a trusted face on our culture of cybersecurity (i.e. our Head of Security, Chief Information Security Officer, or other designated person) can help keep us safe.

#5: It takes more time than people have

For most people, cybersecurity training simply takes more time than they have. We’re all busy, and we can’t spend hours wading through generic one-size-fits-all guides and resources.

Add up all of these shortcomings, and you have a dream scenario for scammers. They know the majority of us are too busy or too bored to learn about cybersecurity best practices – that’s how they win. We owe it to our teams – and to ourselves – to do better.

Your 4-step guide to delivering better cybersecurity training

It’s time to put an end to boring cybersecurity training and give people what they actually deserve. Here are four steps we can take to get this right.

#1: Offer compelling stories about why cybersecurity really matters

It’s easy for people to switch off from cybersecurity training if they don’t have an immediate sense of why it really matters to them. Phishing, passwords, secure networks… who cares?

That’s why it’s so crucial to ground your cybersecurity training in real stories, and show people exactly how things can go wrong. For example, instead of explaining the hypothetical risks of invoice fraud, you could show them how Evaldas Rimasauskas scammed Google and Facebook out of more than $120 million US over the 2013-2015 period using fake bills.

Then, it’s time to put all this new training into action. For example, you can follow up your phishing training with email campaigns designed to test people’s awareness. This will give you a clear overview of who has aced the training, and who needs some more help.
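One way to turn a simulated phishing campaign into the overview described above, as an added example that is not code from the original post or from any product it mentions. It assumes a hypothetical platform export with one event per line (timestamp, campaign id, user, event), and the log below is constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample export from a hypothetical phishing-simulation platform.
# Each line: ISO timestamp, campaign id, user, event (sent/opened/clicked/submitted/reported).
SIMULATION_LOG = """\
2024-06-03T09:00:00 camp-01 alice sent
2024-06-03T09:05:12 camp-01 alice reported
2024-06-03T09:00:00 camp-01 bob sent
2024-06-03T09:10:40 camp-01 bob clicked
2024-06-03T09:11:05 camp-01 bob submitted
2024-06-03T09:00:00 camp-01 carol sent
2024-06-03T09:20:00 camp-01 carol clicked
2024-06-03T09:21:00 camp-01 carol reported
2024-06-03T09:00:00 camp-01 dave sent
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (sent|opened|clicked|submitted|reported)$")

# Outcomes in increasing order of risk; reporting before any click is the ideal behaviour.
OUTCOMES = ("reported", "ignored", "clicked_then_reported", "clicked", "submitted")

def classify_users(log_text):
    """Return {user: outcome}, derived from each user's time-ordered events."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash on a dirty export
        ts, _campaign, user, event = m.groups()
        events[user].append((ts, event))
    result = {}
    for user, evs in events.items():
        evs.sort()  # ISO-8601 timestamps sort correctly as strings
        seq = [e for _, e in evs]
        if "submitted" in seq:
            result[user] = "submitted"  # credentials entered on the landing page
        elif "clicked" in seq:
            # Reporting after a click still helps the SOC, but is weaker than reporting first.
            after_click = seq[seq.index("clicked"):]
            result[user] = "clicked_then_reported" if "reported" in after_click else "clicked"
        elif "reported" in seq:
            result[user] = "reported"
        else:
            result[user] = "ignored"
    return result

def needs_follow_up(outcomes):
    """Users whose outcome (a click or worse) warrants targeted follow-up training."""
    threshold = OUTCOMES.index("clicked_then_reported")
    return sorted(u for u, o in outcomes.items() if OUTCOMES.index(o) >= threshold)

def campaign_rates(outcomes):
    """Click rate and report rate for the campaign, as fractions of targeted users."""
    n = len(outcomes)
    clicked = sum(o in ("clicked", "clicked_then_reported", "submitted") for o in outcomes.values())
    reported = sum(o in ("reported", "clicked_then_reported") for o in outcomes.values())
    return {"click_rate": clicked / n, "report_rate": reported / n}
```

Tracking the report rate alongside the click rate matters: a campaign where nobody clicks but nobody reports either tells you little about whether people would raise the alarm on a real phish.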

#2: Customize your training to match the individual

Effective cybersecurity training is customized to match different levels of experience, as well as the particular challenges and demands a person faces. This way, you can drive greater engagement, boosting retention and awareness.

For example, let’s say someone gets promoted to manager or coach. They should receive training on how to oversee a great cybersecurity culture within their team, and how they can offer the right guidance and resources to keep critical projects safe.

This customized approach takes a greater level of collaboration and cooperation between HR, L&D, and IT, but it pays off in the long term.

#3: Embed bite-sized training in regular routines

Instead of seeing cybersecurity training as an annual box-ticking exercise, you need to make it a regular habit. That’s why it’s critical to embed quick, bite-sized training and reminders within team routines – and to make them available where people already work, like Slack or Teams.

These conversations should be quick enough for people to fit between the other items on their to-do lists, and engaging enough to be memorable.

#4: Make it fun – no, really!

We’re not kidding – you really should be trying to make cybersecurity training fun. After all, if you take all the pain and boredom out of the training, your teams will have a much greater incentive to stay one step ahead of scammers and fraudsters. Trust us – they’ll thank you later!

Speaking of fun, when was the last time you took a break? Find out how to keep your team safe even when you're on vacation with our free 5-step checklist.


You care about cybersecurity training – so prove it

We all care about cybersecurity, right? So let’s offer our teams awareness training that is more than just another boring compliance exercise. We need to elevate their experience with real stories, up-to-date insights on the latest threats, and training that works the way they do.

With Albert, we offer the kind of cybersecurity training people can’t stop talking about. We make this happen with our conversational cybersecurity coach, and with convincing phishing simulations, real-time data breach monitoring, and a clear and simple awareness dashboard.

To find out how Albert can keep your team safe by delivering fun and unforgettable training on AI deepfakes, spear phishing, and more, get in touch with one of our experts today.