Vladimir Dashchenko, Kaspersky

The conversation around security awareness training is often focused on time: how often should you conduct training? How long should training take? When is the right time to increase awareness? What’s the best way to keep employees engaged? It’s a balance between ensuring that any information provided remains relevant (which is difficult in a security landscape that is constantly changing) and retained.

When a woman who I’ll call Ria Moodley joined a global advertising agency in 2018, one of her first tasks when onboarding was security awareness training. The programme consisted of a few screens with dated illustrations that she needed to click through with multiple choice questions at the end. “I remember one of the questions was about finding a USB stick lying around the office. Would it be okay to plug it into your computer without knowing who it belongs to?” Checking a few boxes, Moodley received a certificate to acknowledge that her training was complete and that’s where her learning ending.