Is Your Company’s Cybersecurity Training Fit for Purpose?
Good quality cybersecurity training is an essential part of any business, but while many companies believe they have it covered, what they are really providing is simply an exercise in box-ticking. Lucy Ingham speaks to Stephen Burke, CEO of Cyber Risk Aware, to find out what needs to change to ensure true employee cybersecurity awareness is being achieved.
Organisational cybersecurity awareness has come a long way from the early days of widespread office computer use. While the issue has traditionally been considered the responsibility of IT departments, organisations have steadily woken up to the idea that individual workers across a company can present significant cybersecurity threats, and so cybersecurity training for all workers has become progressively more common.
But while there is certainly better cybersecurity awareness among non-technical workers than there used to be, it’s hardly a standard occurrence.
“There was a recent report that showed [that] in the UK, over 50% of staff had not received security awareness training,” says Stephen Burke, CEO of Cyber Risk Aware, a provider of cybersecurity training.
However, while almost half of UK companies are offering training, that doesn’t mean they are doing so in a way that will have a meaningful impact on their chances of experiencing an attack.
“Larger organisations are probably more mature in this space, but even then, that doesn't mean that they're doing it right,” says Burke.
“People have traditionally given 40 minutes of annual compliance training and said they're doing security awareness training. That is just not fit for purpose and is a compliance tick-the-box exercise.
“And that has been the fallacy to date and why the risk has not been changing, and hence why so many cyber incidents have been occurring, because of people still continuing to be unaware of the risks and thinking that primitive defences will help them, and it’s somebody else's job.”
Box-ticking: When cybersecurity awareness gets treated as a compliance exercise
Many companies, Burke argues, are doing cybersecurity training simply as another piece of red tape with which to comply, demonstrating little regard for the end goal of such training: the reduction of cybersecurity incidents.
“I think it’s fallen into the compliance team; it's deemed to be like compliance training,” he says. “By being perceived as training, it just falls into 'well, let's give it to annual compliance training and then they can handle it'.”
Then there’s the question of who is doing the training. Even if it is more frequent and focused than an annual 40-minute session, the wrong trainer can have a serious impact on its effectiveness.
“It sometimes fell to some technical people to do it, and technology people are not the educators in the world; they're not the best communicators in the world, which, coupled with bad content, just makes for a recipe for disaster that doesn't really lead to the outcome that one wants,” explains Burke.
A human firewall: taking a different approach to training
Instead of the commonplace compliance-based approach, Burke argues that companies should be using methods that increase the frequency while making sessions shorter, punchier and easier to take in.
“Going forward, I think it has to be small and often content, which is bite-sized chunks of awareness tied to specific topics such as data protection, email security, web security, password security, thus focusing on single topics; focused and practical and relevant to people in their personal lives,” he says.
“And if that is the approach taken, well, that will be far superior in reducing the risk and enabling companies to demonstrate and meet their legal and regulatory requirements in this space, which is obviously an increasing requirement that they are doing security awareness training, but also showing how effective it is.”
Cyber Risk Aware is one of several companies offering this approach, which Burke describes as “creating a human firewall”: training designed to generate a culture of awareness among employees.
“The whole key to this is to be helping them in their personal lives as well as in their work life, and producing the content that doesn't get in the way of the business, is eight minutes in duration, [like] our training courses, or videos, which are one minute,” he says. “But also, creating a culture of awareness so that people start talking about it among themselves rather than just leaving it to IT.”
As part of this, the company also practises mock attacks, followed by immediate targeted feedback for employees who prove to be weak links, to ensure the same problem does not occur in a real-life incident. In particular, this practice has proved effective for mock phishing attacks, where companies are able to assess their risk level and provide additional training for those who need it.
“Seeing where that risk lies and giving instant feedback to staff who fall for that, [companies] really like that, they really see that that's very powerful, and it's powerful for the senior executives to know that they're seeing that level of risk and they can demonstrate that back to the shareholders,” he says.
It has also been appreciated by IT security teams, which are able to provide valuable data to back up their requests for increased resources.
“Nothing is ever foolproof, but our whole approach to this is to not only schedule phishing campaigns, knowledge assessment quizzes, training content, it's to provide real-time intervention awareness,” says Burke. “So where we're going is that immediately in response to detected risky behaviour [we] deliver a fully contextualised message to that user, so they instantly become aware as to what was risky about what they just did because they simply do not know that it was risky, hence the problem in the first place.”
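The measurement loop Burke describes (run a simulated campaign, see who falls for it, give that person instant feedback that explains what was risky, and single out repeat offenders for extra training) is easy to sketch in code. The example below is added here for illustration and is not Cyber Risk Aware's product or code; the event records, the field layout (user, campaign, action, lure) and the feedback templates are constructed assumptions.

```python
"""Score a simulated phishing campaign and queue contextualised feedback.

Added example, not code from the article or from Cyber Risk Aware.
Event records and field names are constructed for illustration.
"""
from collections import defaultdict

# Severity of a user's action in one campaign, best to worst.
SEVERITY = {"reported": 0, "ignored": 1, "opened": 2, "clicked": 3, "submitted": 4}
FAILURES = {"clicked", "submitted"}

# Constructed event log: (user, campaign, action, lure). Not real data.
EVENTS = [
    ("alice", "c1", "opened", "invoice"),
    ("alice", "c1", "reported", "invoice"),
    ("bob", "c1", "clicked", "invoice"),
    ("carol", "c1", "ignored", "invoice"),
    ("bob", "c2", "clicked", "password-reset"),
    ("bob", "c2", "submitted", "password-reset"),
    ("carol", "c2", "clicked", "password-reset"),
    ("alice", "c2", "reported", "password-reset"),
]

# Defender-side explanation per lure type (assumed wording, not the vendor's).
FEEDBACK = {
    "invoice": "it asked you to open an unexpected attachment or link; "
               "check the sender's real address and confirm with the team that raised it",
    "password-reset": "it linked to a login page you did not request; "
                      "go to the service directly rather than through the email link",
}


def outcomes(events):
    """Reduce each (user, campaign) pair to a single outcome.

    The worst action wins, except that reporting overrides a harmless open
    or ignore: a user who opened the mail and then reported it did the right thing.
    """
    actions = defaultdict(set)
    for user, campaign, action, _lure in events:
        actions[(user, campaign)].add(action)
    result = {}
    for key, acts in actions.items():
        worst = max(acts, key=SEVERITY.__getitem__)
        if "reported" in acts and worst not in FAILURES:
            worst = "reported"
        result[key] = worst
    return result


def failure_rate(outcome_map, campaign):
    """Fraction of targeted users who clicked or submitted in this campaign."""
    users = [o for (_u, c), o in outcome_map.items() if c == campaign]
    return sum(o in FAILURES for o in users) / len(users) if users else 0.0


def report_rate(outcome_map, campaign):
    """Fraction of targeted users who reported the simulated mail."""
    users = [o for (_u, c), o in outcome_map.items() if c == campaign]
    return sum(o == "reported" for o in users) / len(users) if users else 0.0


def feedback(outcome_map, events):
    """Build the instant, lure-specific message queue for users who failed."""
    lure_of = {campaign: lure for _u, campaign, _a, lure in events}
    queue = defaultdict(list)
    for (user, campaign), outcome in outcome_map.items():
        if outcome in FAILURES:
            why = FEEDBACK.get(lure_of[campaign], "it was a simulated phishing test")
            queue[user].append(
                f"The '{lure_of[campaign]}' email you {outcome} was a test: {why}."
            )
    return dict(queue)


def repeat_offenders(outcome_map, min_failures=2):
    """Users who failed at least `min_failures` campaigns: targeted training."""
    fails = defaultdict(int)
    for (user, _c), outcome in outcome_map.items():
        if outcome in FAILURES:
            fails[user] += 1
    return {u for u, n in fails.items() if n >= min_failures}


if __name__ == "__main__":
    o = outcomes(EVENTS)
    for c in ("c1", "c2"):
        print(f"{c}: failure {failure_rate(o, c):.0%}, reported {report_rate(o, c):.0%}")
    for user, msgs in feedback(o, EVENTS).items():
        for m in msgs:
            print(f"-> {user}: {m}")
    print("needs targeted training:", sorted(repeat_offenders(o)))
```

The point of the `outcomes` reduction is that the metric should reward the desired behaviour: a user who opens a suspicious mail and then reports it has done exactly what the training asks, so they must not be counted against the campaign. The failure and report rates per campaign are the figures a security team can put in front of executives, and the repeat-offender set is the list that gets the extra, focused session rather than another generic annual module.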
Cybersecurity awareness training for home and work
Part of the reason this approach has yielded very positive results is that it considers cybersecurity across employees’ whole lives, not just during the time they are at work. And company executives are increasingly recognising the value in this for improving the general culture of cybersecurity awareness.
“They know that, as people themselves, when they go home if they're able to speak to their wife or their spouse or whoever it is, about 'I just learned this about how to do passwords' or 'this is how I learned how to check a website' or 'here's how to check an email or set a secure password', if they're able to talk about it at that level it permeates back to the workplace,” says Burke.
“That is based on my experience as a CSO and how I would want to get the message across that's practical, usable, you can pretty much go home and use it.
“That's how you create the awareness, that's how you get the buy-in and the support from the company to support your other initiatives that might be a bit hard to swallow, but because you've done such a good job in helping them, then that's key, so there's a myriad of aspects that are really engendering people to say 'actually, do you know what? This is really important'.”
PR nightmares: Ten of the worst corporate data breaches
LinkedIn, 2012
Hackers sold name and password info for more than 117 million accounts
Target, 2013
The personal and financial information of 110 million customers was exposed
JP Morgan, 2014
One of JP Morgan Chase’s servers was compromised, resulting in fraud schemes yielding up to $100m
Home Depot, 2014
Hackers stole email and credit card data from more than 50 million customers
Sony, 2014
Emails and sensitive documents were leaked, thought to be by North Korea in retaliation for Sony’s production of a film mocking the country’s leader Kim Jong Un
Hilton Hotels, 2015
Dozens of Hilton and Starwood hotels had their payment systems compromised and hackers managed to steal customer credit card data
TalkTalk, 2015
The personal data of 156,959 customers, including names, addresses, dates of birth and phone numbers, was stolen
Tesco, 2016
Hackers made off with around $3.2m from more than 9,000 Tesco Bank accounts
Swift, 2016
Weaknesses in the Swift payment system resulted in $81m being stolen from the Bangladesh Central Bank’s account at the New York Federal Reserve
Chipotle, 2017
Phishing was used to steal the credit card information of millions of Chipotle customers, thought to be part of a wider restaurant customer scam orchestrated by an Eastern European criminal gang