
I still remember delivering my first in-person cybersecurity awareness training session.

A glazed look in their eyes

Soon after I started my own version of ‘Death by PowerPoint’, I quickly realised that many of the people in the room couldn’t have cared less about cybersecurity.

I explained how most attacks succeed, the importance of unique and long passwords, MFA, and other ‘important cyber stuff’…

… and I still remember the glazed look in their eyes.

After the longest 30 minutes of their lives, we got to the Q&A, and it was clear that many couldn’t wait to leave.

Many were already standing up when one of their colleagues asked a question.


One question taught me a lesson

Their colleague mentioned that their personal email account had been hacked a few weeks before and all of their friends had received spam emails from ‘them’.

They asked me how I thought it had happened, and what I recommended they should do to prevent it happening again.

Everyone who had stood up sat back down.

I explained how most attacks succeed, the importance of unique and long passwords, MFA, and other ‘important cyber stuff’…

… and that glazed look in their eyes magically disappeared.

More questions followed, all based on incidents that the attendees had encountered in their personal lives.

I think the Q&A went on for another 30 minutes, and only ended because the conference room was needed for another meeting.


So what?

Employees don’t care about your cybersecurity.

They care about their own.

If your training does not show them how to be more secure in their personal lives, don’t be surprised if they aren’t more secure in their professional lives.