How businesses can make their cybersecurity training stick?

https://www.itpro.com/security/how-businesses-can-make-cybersecurity-training-stick

Publish Date: 2026-01-26 06:57:00

Source Domain: www.itpro.com

It’s widely agreed that cybersecurity training creates a more resilient business. Yet many firms are failing to embrace the area, with only 19% of companies including training and awareness activities, according to the UK government’s 2025 Cybersecurity Breaches Survey.

Cybersecurity training is mandated through regulations such as the EU Cyber Resilience Act, the Network Information and Systems 2 Directive and the US Health Insurance Portability and Accountability Act.

Yet cybersecurity training can be a minefield, not least because of the number of options available. So, who exactly in the business needs training, and what key factors should firms keep in mind when approaching the area?

Who needs cybersecurity training

Experts say training should apply to everyone, but it must also be tailored to different departments and people within the business.

Every employee needs “a solid foundation” in spotting phishing attempts, protecting credentials, and reporting suspicious activity, says Mandy Andress, CISO at Elastic.

Beyond that, training should be more specialized, she says. “Finance and HR teams should focus on social engineering and data protection, while developers and DevOps teams need a deeper understanding of secure coding, vulnerability management, supply chain integrity and cloud configuration risks.”

Effective training requires nuance, agrees Darren Anstee, chief technology officer for security at NETSCOUT. “For instance, the leadership team needs to understand the strategic and financial implications of a breach, while the finance department requires training in areas such as business email compromise and invoice fraud.”

Top executives must take part in cybersecurity training. While they might need convincing, your CEO should not be excluded, no matter how busy they…
