How to
Jonathan Crowe
Nov 2016

5 Ways to Make Cybersecurity a Boring Waste of Time for Employees


If getting up in front of a room full of coworkers and explaining why they should care about security doesn’t exactly sound like a great time, don’t worry, you’re not alone.

At their worst, security awareness training sessions are treated as a brutal once-a-year, death-by-PowerPoint snooze fest. At their best, though, they’re interactive, discussion-driven, and genuinely helpful opportunities to answer questions and get everyone on the same page.

How do you steer your own sessions closer to the latter? Here are five straightforward tips that can help. 



Mistake #1: Trying to "go big"

Unless you have a closet full of black turtlenecks and pride yourself on being a Steve Jobs in the making, shelve those thoughts of delivering a company-wide keynote. Instead, focus on providing smaller, more actionable sessions geared to specific groups of employees.

Work with field sales reps on how to use a VPN and stay secure while traveling. Work with executive assistants on how to protect themselves and their bosses from business email compromise (BEC) scams and spear phishing emails.

Not only will keeping training sessions small and focused make them easier to manage, you’ll also be able to customize your material to make it much more relevant and actionable. You’ll have more opportunities for one-on-one questions and follow-up, too.


Mistake #2: Going on and on and on...

Quick question: When’s the last time you were able to focus solely on one thing for an hour or more at work? It’s not that easy, right?

In addition to attention spans being shorter in general these days, most of us are also being pulled in more and more directions at work. With that in mind, be considerate of employees’ time and keep training sessions concise.

Avoid presenting for longer than 15-20 minutes non-stop, and try not to get bogged down going off on tangents. You can always follow up one-on-one with users who have detailed questions afterwards.


Mistake #3: Trying to be comprehensive

Security is a big subject. Don’t overwhelm employees by giving too much background or trying to cover too much at once. You may find the technical details behind how particular strains of ransomware have evolved fascinating, but employees really just need to know they won’t be able to open their files.

Instead, keep training accessible and actionable by zooming in on a particular policy, threat, or control that has direct relevance to their day-to-day work.

A good way to stay focused is to head into the session with one clear question or topic you’re going to cover and one clear takeaway or next step.


Mistake #4: Treating security awareness like a one-and-done project

Training sessions shouldn’t be a once-a-year affair. Not only does that result in security being out of sight, out of mind for the other 364 days in the year, it also perpetuates the misconception that security isn’t truly part of everyday work.

Establishing a regular cadence relieves the pressure to cover everything at once, allowing you to drill deeper into specific relevant topics and build off the previous session’s takeaways.


Mistake #5: Letting your material go stale

The only thing worse than a boring training session is a boring training session you’ve already sat through before. If you’re repurposing older training materials, be sure to update your stats (try to avoid anything more than a year old) and replace any outdated examples. Including current references will help your session feel more timely, too.


"Bonus" Mistake: Not giving employees more safety nets

When most of us think of protecting our employees from cyber attacks, we turn to security awareness training. But the truth is even the best awareness training can take up to two years to drop employee click rates on phishing tests even 10 percent. And it doesn't remove the risk of employees getting phished entirely.

[Chart: security awareness training phishing click rates over time]

Source: Wombat 2016 State of the Phish report

The fact is employees are going to make a mistake at one point or another. It’s just bound to happen. To prevent attacks from doing damage, you need to protect your users while you train them to be safer. How do you do that? For starters, here are 4 things you can do to limit the fallout from inevitable user mistakes.

Jonathan Crowe

Jonathan covers the latest threats and cybersecurity trends from a practical perspective.

