This is the one thing I’ve talked about before when it comes to where we might fall short on our cybersecurity training, we don’t really hold anyone accountable.
Make cybersecurity part of formal employee evaluation. Give people a reason to care. Much like I talked a couple of weeks ago about creating a training culture, provide a way for people to learn more and to learn from others. Give them space and time to talk about security. Recommend they read some security blogs, meet to share stories about the latest phishing information out there, etc.