2 December 2021

3 Reasons Why Traditional Cyber Security Training Doesn’t Work

4 mins read

Table of Contents

Share post

Phishing Testing and Cyber Security Training services have grown to become a staple security measure for organisations of all sizes, across all sectors all over the globe, in the effort to prevent employees from causing security incidents. It’s widely known that over 90% of security breaches are caused by staff being targeted by cybercriminals.

For many years, the primary focus of organisations has been to implement technology such as email and web protection and data loss prevention to stop cyberattacks from being successful. Though these measures are still important to protect an organisation, the focus should also be placed on the workforce as having the potential to be the largest security risk.

Security awareness training and testing solutions have been the most popular way to address this over the past 10 years. As recommended by the National Cyber Security Centre in the 2021 annual review, engagement and training with the people who work for the organisation is one of the ten steps to cyber resilience. However, most of the solutions available are self-service and require a nominated head at your organisation to manage and maintain your cyber security training and phishing testing campaigns.

Ultimately, this traditional approach doesn’t work. Here are three reasons why:

Management overhead reduces effectiveness and doesn’t solve the problem

Managing a security awareness training and testing solution can quickly snowball into a full-time job. Self-service solutions quickly start costing your organisation more in time, effort and resource to manage. Some tasks, such as reporting and drawing results or maintaining your user list and license count can have a knock-on effect to other departments and can soon cause headaches across the organisation.

We have worked with customers who have transitioned from self-service solutions to fully managed and the consensus is that it is almost impossible to maximise the potential for a cyber security training and phishing testing solution without employing specifically for that role.

Default phishing email templates do not represent those used in successful cyber-attacks

Phishing has been around since the mid-90’s. Popular attacks included holiday offers, competition prizes, ‘you’ve been caught…’ inspired messages and of course false friend requests as social media started to take off. These types of emails are now almost comical and no longer represent those used in successful cyber-attacks, yet are commonly found as default templates in nearly all self-service phishing testing platforms. Using these types of emails to test employees does not prepare or expose the workforce to the true threats of today.

Cybercriminals have evolved and so have their methods of attack. Spear-phishing dominates the cybersphere and even more granular attacks such as CEO fraud and social engineering are the most prevalent ways a modern-day cyber-attack is made successful. This is how phishing testing can be effective; with targeted simulations that replicate the lengths cybercriminals go to deceive an employee.

Security awareness training is quickly forgotten if it is not put into practice

There is a risk that cyber security training may not be taken seriously, or forgotten within a short period. This is usually because the scale of the issue and context for training is sometimes not fully understood by staff. From our own research, the quality of training for an issue this important is also not up to scratch. Staff cannot be expected to take security seriously when they are faced with a cartoon criminal dressed in black and white stealing data with a fishing rod!

The other issue can be that the skills learned in the training are quickly forgotten if not put into practice. This harks back to the point of managing an ongoing program that ensures effectiveness. If the training is not reinforced with real-life examples of attacks or other methods of testing, it can be difficult to know how employees would perform when faced with a real cyberattack.

How do you ensure effectiveness without committing your time and resource?

The answer is to go fully managed. A fully managed Security Awareness Training and Testing service free’s up your time so you can spend it where it’s needed most and removes the burden of dedicating your own resource, at a fraction of the cost. Using a third-party also has other benefits such as true-to-life phishing testing, with the right balance of information in targeted attacks, similar to what a cybercriminal would be able to achieve if your organisation was in the firing line.

We have operated fully managed Security Awareness Training and Testing at Cyber Security Awareness for over 6 years now and have helped thousands of customers to reduce the risk level within their organisation.

One concern around using a fully managed service might be that there is a lower level of customisation. Phishing testing can be intrusive and has to be treated differently depending on the business culture. We’ve learnt this from working with all types of organisations over the years. That’s why our fully managed service is highly customisable and bespoke to each customer.

The most important part of what we do is ongoing phishing testing, usually on a monthly basis where at-risk employees are made aware of mistakes they have made and are offered additional training. Matched with one-to-one support from dedicated account managers, organisations can achieve a 0% monthly click rate using this methodology.

For more information on what we do, visit or call 01256 379977.

Woman typing on laptop in a dark room with light overhead

12 February 2024

Penetration Testing vs Vulnerability Scanning: Why your organisation might need them

Man with glasses typing on laptop with light shining down

5 February 2024

Best Practice for Business Passwords 2024

Man and woman sitting opposite one another typing on laptops

18 December 2023

UK Small Businesses Need to Invest in Cyber Security