Cybersecurity training is like going to the dentist. We know it’s necessary for our own good and we appreciate the results. But the process itself? It can range from tedious to uncomfortable to feeling like we’re pulling teeth. (And that’s as far as we’re willing to go with this analogy.)
Yet the fact that cybersecurity training is not a favorite training subject, or even a top priority for most employees, can have serious consequences. Unlike going to the dentist, which is a passive experience, cybersecurity training for employees is an active experience, as all training should be in order to have an impact. When people are bored, confused, or overwhelmed, they tend to check out. And that’s when mistakes happen.
According to the latest TalentLMS survey regarding the state of cybersecurity training, 61% of employees who took cybersecurity training failed a basic test. This is not great. It basically means that more than half of your team members can inadvertently expose your company to security risks.
So how do you ensure your investment in cybersecurity training actually does what it’s supposed to? You need to learn how to keep learners hooked. But first, you should figure out the reasons your employees disengage from their training.
Why cybersecurity training turns employees off
There are several reasons why employees are disengaged during cybersecurity training:
The language is too technical
To retain information, one needs to first understand the information they’re absorbing. Yet cybersecurity training for employees tends to be chock-full of industry jargon.
Making your employees sit through a training session where they struggle to understand half the words involved is not only discouraging for them but also ineffective.
Employees don’t see how it relates to their job
Most employees view cybersecurity training as something that’s very unlikely to come in handy on a daily basis or to affect their work in any way.
But this assumption is sadly not accurate. With the rise of remote work due to the COVID-19 pandemic, ninety percent of companies faced an increase in cyberattacks. If anything, cybersecurity awareness training has now become more relevant than ever.
It’s mandatory training — which makes it feel like a chore
Employees do enjoy training, for a number of different reasons. But the training they enjoy the most is usually on subject matters they have an interest in, or in soft skills they believe will help them grow both personally and professionally.
Much like compliance training, the mandatory nature of cybersecurity training can make it feel like a chore if not handled properly.
Learners believe they already know enough
It’s an interesting conundrum: because most employees work with a computer on a daily basis, they think they already know everything they need about how to use it. This gives them a sense of security that, according to the results of the TalentLMS survey, is a false one.
In fact, 74% of respondents who answered every single question of a simple cybersecurity test incorrectly report feeling safe from cybersecurity threats.
Do we need to keep employees engaged during cybersecurity training?
TL;DR: Yes, we do.
Cybersecurity training, like any other training, is only effective when employees are present and engaged for its duration. If you (and by extension, your employees) view cybersecurity training as a box you tick once and forget, it’s as if you didn’t deliver said training at all.
Consider the following scenario: Joan, from accounting, takes cybersecurity training online along with the rest of her remote coworkers. The training video is long, filled with technical terms, and Joan is not given the opportunity to ask questions or retake the course.
So, after dutifully watching the video to the end, she goes back to her usual tasks. Next time the accounting software system she uses asks her to change her password, Joan does what she’s always done: she chooses a password she’s used in other instances so that she can remember it more easily. To ensure she’s typing it properly, she opens her browser, where she has stored all her other passwords.
Joan is not alone. In the TalentLMS survey, 33% of employees said they store their passwords in their browsers. This practice is far riskier than most people realize.
In our scenario, this would make it possible for anyone who has access to Joan’s computer (physically or remotely) to open the browser and view all her passwords, including that of your accounting software. That person would then have access to your company’s payroll and to all sorts of sensitive data from clients and employees alike.
If Joan had received better cybersecurity training, delivered in a way that would have kept her engaged and would have helped her understand and retain information, she would remember not to store her password in the browser.
This is just one example of how poor cybersecurity training for employees can leave your company seriously exposed to cyberattacks.
How to engage learners during cybersecurity training
Now that you know how important it is to keep employees engaged, here’s what you can do to ensure the cybersecurity training you offer actually sticks:
Create (or buy) engaging courses
First and foremost: your cybersecurity courses should be engaging, not boring. If you’re unsure where to start, why not explore the ready-made courses in TalentLibrary™?
The Cybersecurity Essentials collection covers everything from the importance of passwords and how to store them properly, to viruses, ransomware, phishing, and identity theft. More importantly, all the lessons are short, simple, and feature fun, animated characters.
Use more real-life examples
That scenario about Joan from accounting we used earlier? That’s a good example of how to present complex subject matters, like password safety, in a way that makes sense and feels relevant to your employees’ daily lives.
Avoid technical, confusing language
Even when your training covers emerging technologies such as Cloud-Native Application Protection Platforms (CNAPP), or complex issues like the GDPR regulations, you can still make sure you’re using language that a 15-year-old would easily understand. That way, employees won’t feel alienated by the jargon.
The trailer for TalentLibrary’s GDPR course is one example.
Offer microlearning sessions on a regular basis
Cybersecurity training for employees is not something that should happen once and then be promptly forgotten. According to 38% of the respondents in the TalentLMS survey, one of the key things that would make cybersecurity training more enjoyable is to break courses down into smaller, more digestible units.
Microlearning is great for engagement and makes it possible for employees to study from their mobile phones.
Add gamification elements
From fun quizzes to scoreboards and interactive features that use social and informal training, gamification is the “spoonful of sugar that makes the medicine go down.”
Learners are more likely to stay focused till the end of the course if there are some fun elements involved — even if it’s something as simple as a badge they can share with their coworkers.
Make sure you cover all learning styles
Some people learn better by reading; others by seeing, listening, or doing. Animated, voice-over videos that include captions, combined with more practical, hands-on tasks, make it easier for all different types of learners to stay engaged during cybersecurity training.
Create follow-up training to reinforce learning
Even if your employees have retained the information from their training at first, they may slip back into their old, bad habits after a while (like Joan did in our scenario). You should be evaluating employees frequently and always have follow-up training at hand for when people need a refresher.
Use certificates and prizes as incentives
Most people are results-driven. Offering a prize or a certificate once they successfully complete their training can work as an extra incentive for them to remain engaged throughout its duration.
Cybersecurity training should be for humans, not machines
Just because it’s about machines doesn’t mean cybersecurity training for employees should feel like it was created for machines.
If you deliver cybersecurity training without making it engaging to real humans, you throw away more than just the money you spent on creating it. You also risk hurting your brand reputation and incurring everything from cyberattacks to compliance fines.