Five Ways to Effectively Teach Cybersecurity to Your Staff
While cyber threat actors have become more sophisticated, including through complex vulnerability exploits, incidents involving the human element continue to make up the majority of breaches, according to Verizon’s 2025 Data Breach Investigations Report.
Social engineering techniques, such as phishing, are the most prevalent type of attack that exploits people inside an organisation to gain access to sensitive systems.
Therefore, cybersecurity awareness training remains a critical part of any security programme.
There is a growing recognition that traditional approaches to staff cybersecurity training, such as annual multiple choice online modules, are ineffective against the vast volume of threats and their constant evolution.
Social engineering threats are being exacerbated by advanced AI tools such as deepfakes.
In this environment, companies need to be more creative around engaging staff in cybersecurity best practices and behaviours.
In this article, we explore five innovative practices firms can take to effectively teach cybersecurity to their staff.
How to Enhance Your Cybersecurity Awareness Training
Gamification
Gamification is a practical way of imparting cybersecurity messages and approaches. If done well, it can be an enjoyable experience for employees, meaning it is more likely to be remembered.
Examples of such gamified approaches include Riskio, a tabletop game for three to five players plus a Games Master, in which players must protect an organisation’s data and services against various threats.
Another, Cyber Defence Dice, aims to build familiarity with basic threats and defences. The game is based around two sets of dice – a red set with attacks and a blue set with defences – and players compete to beat the combinations that their opponent has rolled and selected.
Commenting on these novel gamified approaches to training, Steven Furnell, professor of cyber security at the University of Nottingham, cautioned that gamified experiences are unlikely to provide a direct replacement for what can be achieved in a full training programme.
“However, the role that they can play is to enrich the employee’s experience and provide a provocation of interest in cybersecurity or a particular aspect of it,” he said.
Relatable Training
Organisations should strive to make cybersecurity lessons relevant to employees’ particular job roles and home lives. This can help individuals appreciate why cybersecurity is important and understand how incidents can personally impact their lives.
Andrew Rose, CSO at SoSafe, told Infosecurity that organisations should help staff internalise the consequences of not acting on awareness training.
“They need to understand that clicking on the malware could endanger the reputation of the organisation, which could have an effect on their bonuses or a project might be cancelled,” he explained.
Training should also highlight cybersecurity risks at home and the consequences of insecure behaviours. Examples may include children downloading malicious apps that purport to be games.
This approach will emphasise that cybersecurity is not just a corporate concern.
Security Champions
Another effective way of making security relevant and relatable is the development of security champions programmes. These initiatives involve ordinary employees across an organisation who volunteer to improve cybersecurity knowledge among colleagues.
Security champions can be more effective than IT teams at imparting this messaging for a number of reasons.
Firstly, employees may be more likely to change their security behaviours if they see peers in their team adopting them, creating a self-sustaining culture.
Additionally, security champions are more likely to understand the best way to translate security messages for their localised audience, as they work with and speak to these individuals on a day-to-day basis.
They can also understand where there are blockers in enabling secure behaviours or where guidance might be lacking, and feed that crucial information back to the security team.
Just in Time Coaching
Top-down instructions from security teams can be detrimental to security awareness and the adoption of secure practices.
Staff switch off if they are constantly told to do something that is not relevant to them, and the result is often users circumventing controls.
To counter this, a new approach called ‘just in time coaching’ has emerged. This is the idea that employees are given ‘nudges’ to correct potentially insecure behaviours in real time, such as automated messages asking them whether they want to continue sending personal information via a certain platform.
These automated messages can be enabled by specialist tools, some of which use AI.
Employees can then make an informed choice about whether to continue with that action. This approach is more respectful of employees’ time and ensures that the ‘coaching’ is targeted and relevant to their role.
Involve Employees in Simulations
Organisations should also strive to enable employees to experience realistic cyber-attack simulations. This can help them appreciate how an incident can impact the entire business and how different departments can come together to mitigate it.
They can be invited to observe tabletop exercises based on past incidents to understand the type of decisions that need to be made and the company-wide response, from crisis communications to rebuilding systems.
All teams should also be encouraged to practise the manual processes they would fall back on in their day-to-day work if IT systems are taken offline following an attack.
These practical incident simulations can serve to underscore the gravity of cyber incidents to businesses, how they can affect employees’ day-to-day roles and how the entire organisation contributes to incident response.
On a smaller scale, phishing simulations are another way of involving employees in security mitigation, by encouraging them to report suspicious emails to the security team.
It is important to inform employees of the results of such simulations, including whether they correctly identified a malicious email, as this will help them feel that they are able to contribute to keeping the business secure, thereby improving buy-in to security protocols.
Conclusion
Cybersecurity awareness and training remain a crucial component of security teams’ strategy, particularly given the increasingly sophisticated social engineering tactics being deployed.
Organisations need to move beyond ‘tick box’ annual security training programmes, to strategies that better engage and involve employees in the process.
These approaches must underline the message that cybersecurity affects every employee personally and that they each have a role to play in keeping their organisation secure.