You probably already know: effective awareness training in your company is no longer a nice-to-have.
It's a requirement. And if the goal is to change behaviour in the organization, the programme has to be continuous and targeted. That is the whole point of awareness training, as opposed to awareness paperwork.
NIS2, DORA, ISO 27001 and GDPR all point to the need for documented action against human risks – especially the ones you can't patch with tech. But sending a PDF around once a year and ticking a box in a spreadsheet isn't an effort. It's an excuse.
Because while awareness training increasingly shows up in audit reports and strategic security plans, the quality is still lacking in many places. Not because the intention is missing – but because the training isn't designed to change behaviour.
And behaviour is the key.
Ebbinghaus' forgetting curve, as it is commonly cited, has us losing most of what we have just learned within days unless we revisit it. In other words: if awareness training isn't continuous, relevant and behaviour-oriented, it has very little effect.
And even less value if regulators come knocking.
Here are 10 tips that can help lift awareness training from formality to actual change:
1. Start by selling the point
If employees don't understand why they are being trained, they just click through. Awareness has to make sense, including for those who never think about cybersecurity in their daily work.
2. Drop the jargon
Few employees are interested in protocol names and compliance paragraphs. They want to know what they should actually do – and why. Speak a language you don't need an IT background to understand.
3. Break it up – and repeat
Forget about a single annual awareness day. If learning is going to stick, it has to be broken into small doses and repeated over time. Microlearning and nudging work because they fit how the brain, and the workday, actually function.
4. Tailor the training to reality
A help-desk technician and a customer service employee face different risks, and shouldn't get the same training. One handles password resets and privileged access; the other handles invoices and inbound email from strangers. Relevance is a precondition for impact.
5. Tell stories, not rules
“Don't click on links” isn't a useful rule. But the story of the IT lead who clicked the email about a free cake (and triggered a ransomware attack) – that, you remember.
(Yes, it actually happened.)
6. Make it interactive
No one changes behaviour by reading a PowerPoint. Training has to activate – with reflection, quizzes, simulations or dialogue. It's not an information project. It's a learning project.
7. Remove all unnecessary friction
Logins, portals and click marathons kill participation. Awareness has to be easy to access – or it won't happen. Use the system people already use. Keep it simple.
8. Repeat. Repeat. Repeat.
A security culture isn't created by a campaign. It takes sustained influence, and that is where awareness can really make a difference, provided it keeps showing up.
9. Leadership has to take part – not just back it up
Awareness only works if it's reflected in behaviour from the top. When leadership takes the training seriously and participates actively, it becomes clear that this isn't "something for everyone else".
10. Measure what matters
"Opened the training email" isn't a success criterion, and a completion percentage isn't one either. Measure whether people understand the points and whether they act differently afterwards: for instance, whether the share of employees who report a suspicious email rises over time, not just whether fewer of them click on it in a simulation. Adjust the training based on what those numbers tell you.
It's not (only) about training – it's (also) about responsibility
Awareness training is far too often reduced to a requirement to be met – instead of an investment in the organization's resilience.
But as long as the human element remains the most exploited vulnerability in cybersecurity, it's not enough to be able to document that you've done something.
You have to be able to document that it works.
That requires moving awareness out of the compliance folder and into everyday life. It needs a place in the leadership room, and it has to be anchored as an ongoing effort, not an annual event.
It also requires us to dare to ask ourselves:
- Do our employees actually understand the threats we face?
- Do they know how to react best?
- And have we given them the prerequisites for doing the right thing when the pressure hits?
If the answer is “maybe” – then it's worth taking your awareness training seriously.
Not for show. But because it works, when it's done right.
If you'd like a sounding board on what it could look like for you – reach out.
It costs nothing to have a chat, but it can give you a far better return than the annual employee event on cybersecurity ever could.