{"id":181666,"date":"2026-01-26T06:57:00","date_gmt":"2026-01-26T11:57:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/01\/26\/how-businesses-can-make-their-cybersecurity-training-stick\/"},"modified":"2026-01-26T07:55:08","modified_gmt":"2026-01-26T12:55:08","slug":"how-businesses-can-make-their-cybersecurity-training-stick","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/01\/26\/how-businesses-can-make-their-cybersecurity-training-stick\/","title":{"rendered":"How businesses can make their cybersecurity training stick?"},"content":{"rendered":"<p><a href=\"https:\/\/www.itpro.com\/security\/how-businesses-can-make-cybersecurity-training-stick\">How businesses can make their cybersecurity training stick?<\/a><\/p>\n<p><a href=\"https:\/\/www.itpro.com\/security\/how-businesses-can-make-cybersecurity-training-stick\">https:\/\/www.itpro.com\/security\/how-businesses-can-make-cybersecurity-training-stick<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-01-26 06:57:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.itpro.com\">www.itpro.com<\/a><\/p>\n<p>It\u2019s widely agreed that cybersecurity training creates a more resilient business. Yet many firms are failing to embrace the area, with only 19% of companies including training and awareness activities, according to the UK government\u2019s 2025 Cybersecurity Breaches Survey.<\/p>\n<p>Cybersecurity training is mandated through regulations such as the EU Cyber Resilience Act, the Network Information and Systems 2 Directive and the US Health Insurance Portability and Accountability Act.<\/p>\n<p>Yet cybersecurity training can be a minefield, not least because of the number of options available. 
So, who exactly in the business needs training, and what key factors should firms keep in mind when approaching the area?<\/p>\n<p>Who needs cybersecurity training<\/p>\n<p>Experts say training should apply to everyone, but it must also be tailored to different departments and people within the business.<\/p>\n<p>Every employee needs \u201ca solid foundation\u201d in spotting phishing attempts, protecting credentials, and reporting suspicious activity, says Mandy Andress, CISO at Elastic.<\/p>\n<p>Beyond that, training should be more specialized, she says. \u201cFinance and HR teams should focus on social engineering and data protection, while developers and DevOps teams need a deeper understanding of secure coding, vulnerability management, supply chain integrity and cloud configuration risks.\u201d<\/p>\n<p>Effective training requires nuance, agrees Darren Anstee, chief technology officer for security at NETSCOUT. \u201cFor instance, the leadership team needs to understand the strategic and financial implications of a breach, while the finance department requires training in areas such as business email compromise and invoice fraud.\u201d<\/p>\n<p>Top executives must take part in cybersecurity training. While they might need convincing, your CEO should not be excluded, no matter how busy they are, says James O\u2019Leary, manager for security awareness training at Huntress.<\/p>\n<p>Customers will often ask if they can exclude their CEO from training due to busy schedules, he tells ITPro. \u201cBut in fact, those are the people who need to be trained the most, as they are a hacker\u2019s biggest target at the company.\u201d<\/p>\n<p>Types of training<\/p>\n<p>While multiple types of training are available, the best is \u201chands-on and scenario driven\u201d, according to Phil Chapman, cybersecurity subject matter expert at Firebrand Training. 
Tabletop exercises, simulations and gamified sessions work well because they force people to think laterally, he says. \u201cYou remember what you\u2019ve done, not what you\u2019ve been told, which is how you build lasting habits.\u201d<\/p>\n<p>Tabletop exercises are designed to confirm what you do well, while identifying any gaps that need addressing, says Christopher Crummey, director executive and board cyber services at Sygnia. \u201cThis drives stakeholder alignment and the debating you want to happen in a safe environment so you can then make faster decisions during a real crisis.\u201d<\/p>\n<p>Gamification helps, says Crummey. He describes how Equifax uses a concept called \u201ccybersecurity scorecard\u201d, with bonuses and spending tied to how well people score. \u201cWe have done executive escape room gamification to drive awareness of cybersecurity fundamentals,\u201d he adds.<\/p>\n<p>Hands-on labs and gamified platforms are ideal for technical staff, according to Emmanouil Gavriil, vice president of labs at Hack The Box. \u201cThey simulate realistic attack scenarios and encourage experimentation and problem-solving, and help build confidence.\u201d<\/p>\n<p>Meanwhile, tabletop exercises and scenario simulations work well for leadership and cross-functional teams, says Gavriil. \u201cThe focus is on decision-making under stress, communication and awareness of what their role is and the processes to follow.\u201d<\/p>\n<p>In addition, capture the flag competitions and team challenges can help promote teamwork, efficiency, and resilience under pressure, while \u201cdriving continuous learning and engagement\u201d, he says.<\/p>\n<p>How often to train<\/p>\n<p>In the past, training was often performed once a year to fit compliance requirements. As the likelihood of being hit by a cyber attack increases and resilience is mandated through regulation, this is no longer the case.<\/p>\n<p>Training should be \u201ccontinuous\u201d, says Gavriil. For non-technical staff, this means refresher modules every six to 12 months. 
\u201cThese should be combined with hands-on phishing simulations to reinforce awareness and reduce risk.\u201d<\/p>\n<p>Business leaders benefit from annual tabletop exercises, alongside updates throughout the year in line with the threat landscape, Gavriil advises.<\/p>\n<p>Meanwhile, security and IT teams can take part in monthly or quarterly labs, red-team or blue-team drills and annual simulations to maintain readiness.<\/p>\n<p>Cross-functional teams should participate together in exercises at least annually. \u201cThese must replicate real-world incidents, including ransomware response, crisis communication and regulatory obligations,\u201d says Gavriil.<\/p>\n<p>The more frequently you can train users, without being overbearing or distracting from their day jobs, the better, says O\u2019Leary. \u201cWe\u2019ve found that about ten minutes every month is the sweet spot where you spend enough time to pass on meaningful information, without it being overwhelming.\u201d<\/p>\n<p>Some employees may end up with more training, depending on their individual level of risk. For instance, if a person clicks on a phishing simulation, they should get some \u201cquick, just-in-time training\u201d, according to O\u2019Leary.<\/p>\n<p>Cybersecurity training best practices<\/p>\n<p>Ensuring everyone in the business is on board with your approach to training will help create a better cybersecurity culture. The phrase &#8220;cyber training&#8221; can create some negative feelings, Crummey points out. \u201cYou need to get around that by making them feel they are a part of the cybersecurity program,\u201d he advises.<\/p>\n<p>For example, firms could send out a monthly newsletter advising how employees can be safer at home with their emails, multifactor authentication and passwords, says Crummey. As a result, he predicts staff will continue to use these best practices when they come into work.<\/p>\n<p>Overall, training should promote a culture of shared responsibility, says Gavriil. 
As part of this, every employee needs to \u201cunderstand their part in the organization\u2019s cyber defence\u201d and \u201cfeel confident in responding to threats\u201d, he says.<\/p>\n<p>While all employees must be prepared for attacks, it\u2019s important that leaders do not blame individuals for mistakes. \u201cInstead, they should use them as learning opportunities,\u201d says Anstee. \u201cIf an enterprise&#8217;s security policies are so complex that employees can&#8217;t realistically follow them, they simply won&#8217;t, and this failure impacts the entire business.\u201d<\/p>\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>How businesses can make their cybersecurity training stick? https:\/\/www.itpro.com\/security\/how-businesses-can-make-cybersecurity-training-stick Publish Date: 2026-01-26 06:57:00 Source Domain:&#8230;<\/p>\n","protected":false},"author":1,"featured_media":181667,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/cdn.mos.cms.futurecdn.net\/s7p8DKvFr58aqkJuvhuj8n-1920-80.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[26,30,24,35,25,27],"class_list":["post-181666","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-ai","tag-breach","tag-cybersecurity","tag-hacker","tag-phishing","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/181666"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=181666"}],"version-history":[{"count":1,"href":"https:\/
\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/181666\/revisions"}],"predecessor-version":[{"id":181668,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/181666\/revisions\/181668"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/181667"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=181666"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=181666"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=181666"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}