True or False? Your annual cybersecurity training keeps you safe

Spoiler: the answer is False

Arthur Gaplanyan

Cybersecurity Training

Cyber threats are everywhere and keep increasing year after year. So it’s vital for your business to stay aware of these evolving threats to keep a step ahead and stay safe.

Many companies just like yours have adopted annual cybersecurity training in an effort to keep their entire team educated and less likely to make a mistake, or worse, naively do something so careless that it puts the entire company at risk.

It’s a sound plan. Your team is the front line of your business and is exposed to the majority of cyber threats out there. There’s just one problem…

Annual cybersecurity training doesn’t work.

Wait…what? Training doesn’t work?

You might be thinking right now, “Hey Arthur, don’t you provide cybersecurity training as one of your IT services?”

Yes, I do.

“And don’t you recommend training as part of your security approach?”

Again, yes, I do.

“So what do you mean that annual cybersecurity training doesn’t work?”

There’s nuance to the answer, and it comes down to two things: mentality and timing.

Don’t get me wrong, the fact that a company would commit to annual cybersecurity training for their team is a big plus. It shows an awareness of a problem as well as a commitment to address it. I wish all businesses were that forward-thinking.

It’s a positive step and it isn’t totally worthless. However, just ask any security expert and they’ll give you some form of the same answer that it isn’t effective.

That’s because the mentality behind it is oftentimes (dare I say always?) just a task to check off a list rather than an actual education and training for the team.

“Cybersecurity training? Yeah, we do that so we must be all good!”

That’s not really how it works. Most employees just view it as a tedious and mundane task they must do. They quickly click through slides or rush through videos at double speed, just so they can say they did it (and check that box), then get back to their real job.

That’s not really a mentality that fosters a culture of cybersecurity vigilance. People will never learn, let alone change behaviors, with a mentality like that.

The second aspect is the timing of it all. Annual is... well, once a year.

Does that even sound right? Think about it. Let me give you a lesson on something. Anything. Say, this article for example. I’m explaining this all to you right now. In a year how much of it will you have retained?

I have a hard time remembering what I ate for breakfast yesterday.

The general rule of thumb is that people can retain information for about 3 months. That means that annual training is only 25% of what you need to be doing.

Here’s another reason why it doesn’t make much sense. The tech world, including its threats, changes at an accelerated rate. Sure, there are commonalities. Phishing and ransomware are both still common, huge threats, and that won’t change year over year (other than increasing, as it always does).

But specifics and trends are changing all the time. As an example, active trends this year have included stealing authentication tokens from your browser, meaning criminals can get into your accounts without needing your username and password at all.

These are the reasons why annual cybersecurity training is failing its intended purpose, and leaving your business less protected than you think.

What if I told you there’s a better way though?

Effective Training

There is a better way to approach cybersecurity training. Simply put, it eliminates the two problems I explained to you.

Conventional methods are not interactive and fail to engage employees on a personal level. Training doesn’t have to be boring like that.

It can involve small, frequent, human-focused interventions. It fosters better security habits without overloading employees with information. It empowers them.

It’s a gentle reminder of cybersecurity, similar to how speed limit signs are posted on the road. They are just prompts to make the driver aware and get them to pause and think before making potentially hazardous decisions.

By the way, there’s some gamification in it as well. Sometimes people like a challenge, or are competitive. Some training is presented like a game, which engages employees far more than impersonal slides and information.

Cyber threats are only getting more sophisticated and more convincing, utilizing generative AI and other tools. Training and guidance to navigate around potential risks have never been more crucial to protecting your sensitive business data.

Although annual training has its merits, there’s a far better approach to cybersecurity education. We can help with this. If you want to know more, get in touch.