Thoughts: Compliance Does Not Equal Security

I train a lot of people, and I always like to ask whether they have done this type of training before. These days most people have done some flavour of cyber awareness training.

Regardless, the flow of the workshops is nearly always the same: I work through the content and people say things like "I didn't know that!" or "OMG" or "I want to live in a cave now".

At the end when I summarise I always get positive feedback, lots of comments about new things learned, and how scary it was. To which I say: "But you know this stuff now and that keeps you safer, so you can be far more confident online".

So what's the disconnect here? People have done awareness training, but they still don't know a lot of the things I teach. That's not right.

The problem is that they haven't "done" awareness training. More accurately, they've been "presented" with awareness training so that a company can tick a box. People are largely presented with boring content, they work through it disinterested and probably multi-tasking, they fumble through some quizzes at the end, and now the box has been ticked.

That's compliance. The company might have to do this to comply with a cyber security framework. What has been achieved? Not much. I know it's not much, because I train these people, and they don't know what I'm showing them! And cyber security awareness is NOT a one-off thing. Security is not most people's job, so they need regular training and reminders to keep them informed and suspicious.

What it comes down to is whether you care about risk, or just compliance. Given the average cost of a data breach (in the millions), surely companies should care about reducing risk? And yet, they still often don't.

If you only want to tick a box to say you've done awareness training for your staff, then you're likely still accepting a large amount of risk. A risk is a probability rather than a certainty, but phishing and social engineering attempts keep coming, so it's only a matter of time before a staff member is tricked and your network is compromised. Suddenly the money you saved on awareness training by using cheap and boring online content is soaked up a thousand times over by your incident response costs.

And that's when I get called in.