5 ways to stop your staff ignoring cybersecurity advice
Today’s workforce has grown dangerously indifferent to security advice, warns Adenike Cosgrove, cybersecurity strategist at Proofpoint. But with determination, companies can reverse the dynamic, she says…
Effective cyber guidance is the strongest buffer a company has against a crippling attack. But despite this being common knowledge, companies are still battling a disengaged – and sometimes openly indifferent – workforce.
In fact, our recent research found that although nearly three-quarters (73 per cent) of UK CISOs wish to improve the training they offer staff, just under a third (28 per cent) said they currently run a comprehensive training programme more than twice a year.
With more than 90 per cent of successful cyber attacks requiring human interaction, employee awareness of threats is critical.
Cybercriminals are consistently – and successfully – targeting people with social engineering efforts to syphon sensitive corporate data and more.
Awareness won’t make people change behaviour – as proven by tobacco warnings
While cybersecurity training is vital for raising awareness, it is only the beginning. Changing ongoing security behaviours and culture is the key to lowering risk.
One relevant analogy is smoking. Everyone knows that smoking is dangerous – the warning is printed on every packet – yet people still smoke. Awareness alone does not lead to the correct behaviour.
Culture is your single strongest security control
So how do you transform awareness into behaviour? And how do you turn behaviour into culture? That's what CISOs need to focus on: this isn't about security awareness anymore – it's more complex than that. A strong security culture is the single most important cybersecurity control a firm can have.
Here are five ways to stop your staff ignoring cybersecurity advice:
Variety is the spice of engagement
Robust cybersecurity training needs to keep employees interested and engaged. It is vital to provide a variety of consumable materials that reinforce the importance of cybersecurity and guide employees towards the right behaviour.
Present cyber training as a story
Users are not security experts – and commonly have little interest in becoming experts – so organisations should consider presenting the cybersecurity process as a story or journey.
Exemplify, and exemplify some more
Give real-life examples to support employee knowledge and build their understanding of the potential consequences. Develop this narrative even further by engaging different departments and individuals across your business to personalise content, add context, and suggest improvements.
Highlight relevant and actual threats
Ideally, security training should be relevant to an organisation's actual threats. It should alert employees to the real threats they are likely to encounter, educate them on how they are likely to be manipulated, and outline the potential consequences of each threat. Use phishing simulations based on real-world examples to help users learn how to use the security tools available to them.
Make it short, sharp – and as fun as possible
Positive and enjoyable training activities help avoid user resistance and indifference, yield measurable security benefits for the organisation, and empower employees to become a key part of their organisation's security posture.
Using gamification in short, sharp modules can really differentiate your content and messaging from other corporate training and education.