Cybersecurity is important. Obviously. Given all the prominent hacks of late, good cyber-hygiene should be top-of-mind in every company across the globe. But here’s the thing, if you have any employees whatsoever, you are placing your company at risk.

Per cybersecurity firm Heimdal Security, “the human factor is the weakest link." That means the lion’s share of the solution comes down to training. Unfortunately for those who must endure said trainings, they are often, quite frankly, boring. Monotonous concatenations of PowerPoint slides, techno-gibberish, and unmemorable quizzes, they tend to slip the mind the moment an employee escapes them.

Compounding the unpreparedness, upper management often underestimates the degree to which the company is vulnerable, as well as the potentially-catastrophic consequences of a breach. Almost certainly, one or more of the following mindsets feature prominently:

  • If it ain’t broke, don’t fix it.
  • Breaches happens to those other guys, but not to us.
  • We’ll deal with it when we need to—too much on our plate right now.
  • Cyber-what?
  • We held a training last year—what more are we supposed to do?

“A one-time training is not enough," says Josh Linton of Utah-based IT firm VLCM. “Employees should be trained, re-trained, reminded, and trained again." In other words, interminable trainings are here to stay.

In the world of cybersecurity trainings, some firms opt for funny. Make them laugh, and they’ll remember, right? Maybe…and maybe not. Unless you’ve got a massive production budget and some serious talent on deck, funny usually comes off as cheesy.

Two employees-turned-temporary-actors appear onscreen in the white Guy Fawkes masks popularized by the hacktivist group Anonymous. We are to understand that these are hackers because of the masks—get it? They sit across a table from one another, pecking away at their laptops. “Oh, look," one chortles to the other, “this guy used his mom’s birthday and his old address as his password." “Bingo!" responds his accomplice. Yes, this was an actual training. And yes, it was memorable.

Staged productions, however, have the drawback of limited scope: it’s hard to convey the full scope of cybersecurity best practices in a skit. Usually, a company can communicate a concept or two—in the case of the above training, the main gist was the necessity of using complex, unique passwords for each of one’s login points.

JC Carruthers of Snowfensive takes a different approach. “Rather than trying to be funny or cheesy," he says, “we find that employees learn best from experience." South Jordan-based Snowfensive “provides specialized security assessments for organizations…" (per the company’s LinkedIn blurb). Corporations and other organizations hire Snowfensive to perform penetration testing—a provocative term for breaching the entity’s data security systems—and subsequently showing the organization’s personnel how they failed said penetration test.

An organization’s people provide the largest attack surface (infosecurity jargon for exploitable weakness), and Mr. Carruthers makes them aware of this fact. Snowfensive uses techniques such as phishing and later reports in-person on the results. “We get all the employees together and show them," he says. “We’ll tell them, ‘We sent this email to everyone in the company and 40 percent of you clicked the link. We could have installed malware on your computer.'"

For the employee, ‘you fell for a hacking trap’ is much more memorable than an eye-glazing dissertation or goofy exposition. “We go through each step and show them exactly how the test exploited their habits and psychology," Mr. Carruthers says. “We talk about social engineering and how bad actors can be experts in human behavior." In other words, hackers study how you—how humans in general—place undeserved trust, take shortcuts, and otherwise present an opportunity to cybercriminals.

Mr. Carruthers adds, “We find that people are much more likely to change when we bring it home and make it personal."

One thing’s for certain: bad guys (and girls) will continue to look for easy pickings. And organizations will need to continue to ramp up their cybersecurity programs. That includes training their people. So, get used to it: the sessions are here to stay. In the words of Josh Linton, “As long as users view cybersecurity training and controls as a nuisance, companies will continue to be vulnerable to malicious attacks." But do so with the aim of achieving maximum impact. In the end, the goal of any cybersecurity training is increased security. And that’s something to be taken seriously.