Cyber Security Training – What You Need To Know

Training & awareness. It’s a tricky topic.

Whenever you read about the top things businesses can do to defend against cyber attacks, training & awareness is often at the top of the list, and for good reason too.

At its core, training & awareness is about educating people on the threats and risks associated with cyber security and how to defend against them. The idea is that once people are aware of the danger and how to avoid it, they can then work more safely.

As a concept this is fine. If I were to say to you “Don’t do this. Do this instead”, you may very reasonably ask “Why?”. So, to approach cyber from this angle is sensible.

However, like most things, training & awareness programs are not created equal. The issues stem from three areas – goals & objectives, delivery and implementation.

Goals & Objectives

When deciding to use training and awareness, you need to establish clear goals and objectives which your program will work to meet. Why does the training exist? What do you hope to achieve with it? How will you measure that?

Saying “so we don’t get hacked” might seem okay in principle, but that’s a very absolute measurement. It also doesn’t help staff – who will be the end users of your training – resonate with it.

Instead, think about what your training will lead to. “So we can implement a password manager”, “So we can track when staff receive phishing emails”, “So we can improve our performance against a clear screen audit” are all objectives that your training can very effectively support.

Goals should not stand still either. Today you might have six goals, all aimed at specific problem areas. In six months’ time you might have six totally different goals. If your goals reflect the current needs of the business you won’t go far wrong, but it might take a bit of work to identify what those needs are.

Delivery

“Classic” training and awareness is often death-by-PowerPoint. Sit in front of a slide deck and listen as someone reads off them. It isn’t engaging, it isn’t effective and it’s very boring.

How you deliver training should vary. If you’re telling people to use a password manager, consider running a workshop. Have them bring their laptops, have some guys from the IT department on hand, help them install it and get them up and running. You can field questions, see their issues first hand and get them using it right there and then.

If you’re explaining why reusing the same password is poor practice, relate it to something your audience is already familiar with. Break it down into areas that they can easily relate to their personal life. Would they use the same key for their gym locker, front door and their car? Probably not, so why would they do the same on their online accounts?

Get creative! If you’re running a session on why incident response is important, consider running a tabletop exercise. Put them in the driving seat, make the session real and get them familiar with what a breach can feel like. Bring them back, reflect on what they did and then go forward with what could be done differently.

You’re trying to get complex, sensitive topics across. That’s very hard (if not impossible) to do via a slide deck. So make it approachable and accessible.

Implementation

Almost all training and awareness I see is “fire and forget”. That is, it is delivered once and then not followed up with anything more.

This is a big mistake!

Training and awareness is a continuous exercise. For professionals in cyber as well as staff who are on the periphery, it is constantly changing and evolving. Sitting one training session as part of onboarding and then having nothing more, is not going to instil good working practices.

If you run a workshop, follow it up with a short drop-in session. “How are you getting on with that password manager?”. You can build a positive relationship with your audience, they will feel more supported and you can catch any bad habits early on.

At DPAS, we always work with clients to prepare infographics or “cheat sheets” that cater to their specific needs following sessions. They distil the key points down into a single side of A4 and make it visually appealing and accessible. Some people learn better by visual stimuli, so they for these folks too.

Proof is in the pudding

Finally, take time to reflect on the performance of your own training. Your staff will perform poorly if your training is poor. The Goals & Objectives previously described are for you to measure the success of your training. If you run a password manager workshop, but after the first month nobody is using it, that says something!

We offer a thorough cyber security training course here at DPAS, with upcoming dates if you would like to enroll. Check out our dates later on in the year.

Altenratively, consider outsourcing your cyber security services.

related posts

Jack Penaligon

How to Respond to a Data Breach: A Practical Guide

This blog provides an overview of the practical steps organisations can take to reduce the impact of a data breach once it has been identified. It focuses on the actions that should be taken during the early stages of an incident to contain the breach, protect affected individuals, and meet regulatory requirements.

The article discusses a range of mitigation measures, including contacting unintended recipients of personal data, securing the deletion or recovery of exposed information, isolating compromised systems, and maintaining clear records of actions taken. It also explores the challenges posed by both digital and physical data breaches, highlighting the importance of balancing operational needs with data protection obligations.

Finally, the blog emphasises the value of preparation, explaining how established procedures, communication templates, and predefined response plans can help organisations respond more effectively and demonstrate accountability during a regulatory investigation.

Read More »
Noah de Wild

How to Assess a Data Breach: A Practical Guide

This blog explains how to assess a data breach by identifying its cause, determining what information was exposed, and evaluating the potential impact on affected individuals and the organisation. It outlines common causes of breaches, the importance of understanding the type and scale of compromised data, and how assessing the timeline of an incident can help businesses respond effectively, meet legal obligations, and reduce long-term risks.

Read More »
Noah de Wild

Don’t Panic: A Pragmatic Guide to the June 2026 Enforcement of the Data (Use and Access) Act Changes

With the June 19, 2026 enforcement of the Data (Use and Access) Act approaching, ensuring your business is compliant doesn’t have to be complicated or expensive. In our latest guide, we break down exactly what the new data protection complaint rules mean for you. Cut through the noise and discover our simple, free six-step checklist to update your protocols, designate handlers, and keep your business confidently compliant.

Read More »

Get a Free Consultation