This is the one thing I’ve discussed before regarding where we might fall short in our cybersecurity training. We don’t hold anyone accountable.
Make cybersecurity part of formal employee evaluation.
Give people a reason to care. Much as I discussed a couple of weeks ago when writing about creating a training culture, this gives people a way to learn more from each other. Give them space and time to talk about security: recommend that they read some security blogs, meet to share stories about the latest phishing attempts, and so on.
Let them do that, and don’t penalize them for spending part of their week getting educated instead of billing hours, making calls, closing tickets, or whatever other productivity measurements you are using. That’s how you create a culture, not by giving them a 30-minute training once a year.
Go read the whole thing and think about what we can be doing differently.