How can businesses make their cybersecurity training stick?

Who in the modern business needs cybersecurity training – and what key factors should firms keep in mind?

[Image: an employee using a laptop, with holograms of a secure password-entry portal and a padlock representing cybersecurity training. Image credit: Getty Images]

It’s widely agreed that cybersecurity training creates a more resilient business. Yet many firms are failing to embrace the area: only 19% of companies carry out training and awareness activities, according to the UK government’s 2025 Cybersecurity Breaches Survey.

Cybersecurity training is mandated through regulations such as the EU Cyber Resilience Act, the Network and Information Systems (NIS2) Directive and the US Health Insurance Portability and Accountability Act.

Yet cybersecurity training can be a minefield, not least because of the number of options available. So, who exactly in the business needs training, and what key factors should firms keep in mind when approaching the area?

Who needs cybersecurity training

Experts say training should apply to everyone, but it must also be tailored to different departments and people within the business.

Every employee needs “a solid foundation” in spotting phishing attempts, protecting credentials, and reporting suspicious activity, says Mandy Andress, CISO at Elastic.

Beyond that, training should be more specialized, she says. “Finance and HR teams should focus on social engineering and data protection, while developers and DevOps teams need a deeper understanding of secure coding, vulnerability management, supply chain integrity and cloud configuration risks.”

Effective training requires nuance, agrees Darren Anstee, chief technology officer for security at NETSCOUT. “For instance, the leadership team needs to understand the strategic and financial implications of a breach, while the finance department requires training in areas such as business email compromise and invoice fraud.”

Top executives must take part in cybersecurity training. While they might need convincing, your CEO should not be excluded, no matter how busy they are, says James O’Leary, manager for security awareness training at Huntress.

Customers will often ask if they can exclude their CEO from training due to busy schedules, he tells ITPro. “But in fact, those are the people who need to be trained the most, as they are a hacker’s biggest target at the company.”

Types of training

While multiple types of training are available, the best is “hands-on and scenario driven”, according to Phil Chapman, cybersecurity subject matter expert at Firebrand Training. Tabletop exercises, simulations and gamified sessions work well because they force people to think laterally, he says. “You remember what you’ve done, not what you’ve been told, which is how you build lasting habits.”

Tabletop exercises are designed to confirm what you do well, while identifying any gaps that need addressing, says Christopher Crummey, director of executive and board cyber services at Sygnia. “This drives stakeholder alignment and the debating you want to happen in a safe environment so you can then make faster decisions during a real crisis.”

Gamification helps, says Crummey. He describes how Equifax uses a concept called “cybersecurity scorecard”, with bonuses and spending tied to how well people score. “We have done executive escape room gamification to drive awareness of cybersecurity fundamentals,” he adds.

Hands-on labs and gamified platforms are ideal for technical staff, according to Emmanouil Gavriil, vice president of labs at Hack The Box. “They simulate realistic attack scenarios and encourage experimentation and problem-solving, and help build confidence.”

Meanwhile, tabletop exercises and scenario simulations work well for leadership and cross-functional teams, says Gavriil. “The focus is on decision-making under stress, communication and awareness of what their role is and the processes to follow.”

In addition, capture the flag competitions and team challenges can help promote teamwork, efficiency, and resilience under pressure, while “driving continuous learning and engagement”, he says.

How often to train

In the past, training was often performed once a year to fit compliance requirements. As the likelihood of being hit by a cyber attack increases and resilience is mandated through regulation, this is no longer the case.

Training should be “continuous”, says Gavriil. For non-technical staff, this means refresher modules every six to 12 months. “These should be combined with hands-on phishing simulations to reinforce awareness and reduce risk.”

Business leaders benefit from annual tabletop exercises, alongside updates throughout the year in line with the threat landscape, Gavriil advises.

Meanwhile, security and IT teams can take part in monthly or quarterly labs, red-team or blue-team drills and annual simulations to maintain readiness.

Cross-functional teams should participate together in exercises at least annually. “These must replicate real-world incidents, including ransomware response, crisis communication and regulatory obligations,” says Gavriil.

The more frequently you can train users, without being overbearing or distracting from their day jobs, the better, says O’Leary. “We’ve found that about ten minutes every month is the sweet spot where you spend enough time to pass on meaningful information, without it being overwhelming.”

Some employees may end up with more training, depending on their individual level of risk. For instance, if a person clicks on a phishing simulation, they should get some “quick, just-in-time training”, according to O’Leary.

Cybersecurity training best practices

Ensuring everyone in the business is on board with your approach to training will help create a better cybersecurity culture. The phrase "cyber training" can create some negative feelings, Crummey points out. “You need to get around that by making them feel they are a part of the cybersecurity program,” he advises.

For example, firms could send out a monthly newsletter advising employees on how to be safer at home with their email, multifactor authentication and passwords, says Crummey. As a result, he predicts staff will continue to use these best practices when they come into work.

Overall, training should promote a culture of shared responsibility, says Gavriil. As part of this, every employee needs to “understand their part in the organization’s cyber defence” and “feel confident in responding to threats”, he says.

While all employees must be prepared for attacks, it’s important that leaders do not blame individuals for mistakes. “Instead, they should use them as learning opportunities,” says Anstee. “If an enterprise's security policies are so complex that employees can't realistically follow them, they simply won't, and this failure impacts the entire business.”

Kate O'Flaherty is a freelance journalist with well over a decade's experience covering cyber security and privacy for publications including Wired, Forbes, the Guardian, the Observer, Infosecurity Magazine and the Times. Within cyber security and privacy, her specialist areas include critical national infrastructure security, cyber warfare, application security and regulation in the UK and the US amid increasing data collection by big tech firms such as Facebook and Google. You can follow Kate on Twitter.