Is Your Security Awareness Program Just Ticking Boxes?

This episode is a little different. No news. No phishing breakdowns. Just two awareness professionals (on holiday, sort of) talking through something that affects every security team come October: what do we actually do for Cybersecurity Awareness Month?

It’s a familiar scene. You sit down with a blank whiteboard, maybe a fresh pack of Post-its, and ask the question we all dread: “What’s our campaign this year?”

Well, in this special episode, we tried something new. We asked ChatGPT for its “Top 10 Strategies to Enhance Cybersecurity Awareness Among Colleagues” and then reacted live. What’s solid advice? What’s tired and overdone? And what’s actually harmful to your internal brand?

Spoiler: we have thoughts.

Training Isn’t Top. Engagement Is.

The list ChatGPT gave us ended with “implement regular cybersecurity training sessions” as the number one strategy.

We disagreed. Strongly.

Yes, training has its place. It ticks compliance boxes. It satisfies auditors. But it's rarely what changes behaviour. In fact, if the training is bad (lengthy, irrelevant, unrelatable), it can actively harm your internal credibility.

Instead, we believe in engagement.

If you're nudging, educating, storytelling, and staying visible year-round, that is training. You're building a culture, not just ticking a box. You’re shifting perception. That should be the goal.

Our Take on the “Top 10” (and where it goes right)

Here’s what stood out from the rest of the list:

10. Open Communication Channels

A strong start. Most people don’t report security concerns because they don’t know how. Or worse, they feel stupid doing so. Your job is to remove that barrier. Whether it’s Slack, Teams, email, or a champions network, make it easy and human.

9. Recognise and Reward

Yes. Celebrate the wins. Not just from security nerds or your champions, but from Kevin in Accounts who reported a dodgy email. From the tech team that patched ahead of schedule. Recognition is cheap and powerful. Use it.

8. Gamify the Learning

Escape rooms. Simulations. Even a quiz that isn’t painful. Interactivity matters. Just keep it user-first. Don’t add fluff because it looks fun. Make it feel useful.

7. Real-World Consequences

Bring the stories to life. Don’t say “a retailer was attacked.” Say “M&S was breached, where you buy Percy Pigs.” That makes people pay attention. If it’s public, use names. Be human about it.

6. Clear Policies

Policies shouldn’t be written in legalese. Why do we still do that? Flip the script. Say what someone can do. Use natural language. And maybe explore ideas like interactive policy lookups or AI chatbots that explain the rules like a friend.

5. Culture is Everything

Security isn’t just a poster on a wall. It’s how often your team talks about it, how leaders model it, how peers treat it. Embed it everywhere. Celebrate it. Live it.

4. Push MFA

No debate here. Just maybe next year we’re saying “push passkeys.” Either way, MFA is still the best bang-for-buck control. And people should be using it at home too, not just at work.

3. Strong, Unique Passwords

Still relevant. Still a mess. Most people reuse passwords. Or use Arsenal1886 across all sites. Use this moment to promote password managers. Long is better than complex. Unique is better than clever.

2. Simulated Phishing

Controversial. It has a place, but only if it’s done well. Don’t traumatise staff. Don’t make it about punishment. Use it as a prompt for better conversations. Otherwise, just talk to your people. Teach. Don’t trap.

Ideas for October: More Than Just Posters

If you’re planning Cybersecurity Awareness Month, we also shared five initiatives that go beyond “raise awareness” and actually drive behaviour:

  • Photo Challenges – Get personal. Ask staff to show how they stay secure.

  • Escape Rooms – Team-based, hands-on, and fun.

  • Myth-Busting Webinars – Kill off old beliefs with relatable stories.

  • Device Security Check-Ups – Help people secure their real lives.

  • Interactive Phishing Games – Teach people what to look for, not just test them.

Final Thought

Training isn’t dead. But it’s not the hero.

What matters is how we show up. How we make people feel. How often we get in their ear. If your training is 30 minutes once a year, but your engagement is weekly, daily, embedded, that’s your awareness programme.

So as October approaches, don’t just ask “What’s our training?” Ask: “What are we doing to actually connect?”

And if you need help making that happen, well, you know where to find us.


Transcript

Anthony Davis (00:02.444)
Welcome to the awareness angle where we break down the latest cyber security stories and look at what they really mean for awareness, behavior and staying safe. This is the award-winning podcast. We're gonna milk that till it's tiresome. And I am one of the hosts, I am Ant Davis and with me as always is my fellow co-host, Luke Pettigrew. Hello, Luke.

Luke (00:26.463)
Hey everyone. Yeah, not too bad, thanks.

Anthony Davis (00:28.354)
I do.

Good, yeah, all good, all good. This week is gonna be a little bit different, but first of all, let's get the formalities out of the way. This is an independent podcast. Our views are our own, so if we say something you don't like, blame us, not the people that employ us. There we go, right. So, this is gonna be a little bit different this week because we're on holiday, so.

We're not actually on holiday, Luke's not on a beach and this is a deep fake version of Luke. That isn't what we're doing. We're having a week off, so we've recorded this in advance, because we didn't want you guys to miss us. So we're trying something new this week, that we've been thinking about doing for a little while. So no news, sorry guys, there's no news. There may be a newsletter, depends how newsworthy things are, but there may be a news related newsletter, we'll see. But right now,

Today, we're looking forward. So for security awareness professionals, this might be a great episode for you. Because we're looking forward to October, to cyber security month that comes around every year where security awareness professionals around the globe scratch their heads going, what am gonna do this year?

So we're helping you out aren't we Luke? We're helping you out with that.

Luke (01:47.755)
Yeah, hopefully get some good ideas going around.

Anthony Davis (01:53.603)
We, with the abundance of AI tools around now, we thought why not ask our AI friends what we could do? And then we're gonna talk through what ChatGPT says we could do and see whether or not it's actually any good and all gives us enough detail. So this week we're gonna talk about the top 10 strategies to enhance cybersecurity awareness among your colleagues.

So if you're in a business and you're tasked with keeping people safe, this might be a good listen.

Luke (02:34.667)
Yeah.

Anthony Davis (02:36.876)
So, should we get in with it? This is the top 10, ChatGPT's top 10 strategies to enhance cyber security awareness among colleagues. Do you like a one to 10 or 10 to one? What shall I do?

Luke (02:46.027)
Let's see how accurate they are.

Luke (02:50.702)
This goes into one, guess. I don't know if they're ordered, but...

Anthony Davis (02:52.27)
Number to one. I don't know. So, number 10's a lovely one. Maintain open communication channels. Establish clear lines of communication for reporting security concerns and ensure that employees feel comfortable seeking assistance or clarification.

Luke (03:14.379)
It's a good one to... sort of a basic one in a way, not a of people are open to having these sorts of free communications. Often it's sort of filtered through ticket systems and behind a robotic type system, automated.

Anthony Davis (03:32.301)
Hmm.

I think this is sometimes a challenge depending on the organisation of who in the team will be approachable because not everyone that works in a security function is approachable. And not everyone that works in a security function wants to be approachable or human facing. So finding those that do is probably quite important.

Luke (03:54.837)
Yeah.

Luke (04:00.063)
Yeah, guess you could, depending on your size, have a few people from each area rather than trying to expect everybody to or one specific department to do it.

Anthony Davis (04:13.454)
I mean this is a real good place where champions would come in if you have a security champions initiative. Having them being able to signpost, support and promote your champions and having them as like a first port of call would be really really good if you are an organisation big enough to have one.

Luke (04:19.55)
Yeah.

Luke (04:32.352)
Yeah.

No, it's definitely an option. I think as well with like, I think most businesses use Meet or Slack, stuff like that. So having channels on there that are open for conversation, even a few different ones, kind of more social, sort of open channel for people to talk about the latest going on in the world. But then yeah, maybe a semi-support channel.

that sort of signpost people.

Anthony Davis (05:08.174)
I think the worst part when something goes wrong is not knowing who to call or when to call and not knowing, like if you compare it to real world life, okay, like if I fall off, if my kid falls off their bike and they've hurt themselves, you have to make a judgement call really quickly. Do you take them to hospital? Do you call 111 if they're unwell? Do you call 999?

Luke (05:13.108)
Mm.

Anthony Davis (05:35.331)
you know, in America, you call 911? you take them to the local health center or wherever? So you have to make those judgment calls really quickly, but I'm familiar with what all of those options are. Does everyone in your organization know what the options are? And do they know where that threshold is? if we, we both used to work in help desk, right? And know, occasionally you get someone going, I saw my mouse move.

Luke (05:36.202)
Yeah.

Luke (05:53.759)
Yeah.

Anthony Davis (06:03.02)
I saw my mouse moved and I didn't move it. And that can start, like, we've seen that in security organizations where that starts an investigation as in, is there a rogue actor on their computer? Is someone from help desk dialed into their machine when really they've just shuffled paper on their desk and didn't realize they moved their mouse and it's twitched, you know. But it's knowing where that baseline is, like.

Luke (06:21.707)
Yeah.

Anthony Davis (06:25.614)
And now, especially now, and everyone's heightened with all the recent cyber attacks that have happened since Easter. know, it's like, tell your people where that line is. At what level do you want to know if something feels off?

Luke (06:34.698)
Yeah.

Luke (06:41.149)
Yeah, I guess it depends on your sort of setup and stuff, but yeah, having a clear contact point, whether it's an email address, a portal, a phone number, like yeah, just keep emphasizing these points of contact. think often you sort of do it once, maybe when they're on boarded or you sort of do it a few times, but doing it often is probably where you want to be.

Anthony Davis (07:08.974)
It's also worth remembering that we're immersed in it day in day out, whereas Kevin in accounts or Karen in the people team isn't. So like they've got a million and one other things to think about. So you do have to keep banging that drum and in every communication, every email, every email footer that you have, should have security concern, contact security app, know, or dial 555 or whatever. Do you know what I mean?

Luke (07:37.419)
Yeah.

Anthony Davis (07:39.853)
Yes, that's good. That's number 10, maintain open communication channels. Coming in at number nine, recognize and reward good security practices. Acknowledge employees who demonstrate exemplary security behaviors to motivate others and reinforce positive actions.

Luke (08:02.667)
Yeah, it's a good one. I mean, perhaps a difficult one to implement in some cases, yeah, I think it helps a lot if people are recognized to sort of want to do the right thing, just to get, maybe get some recognition or just to help others sort of understand the importance of it.

Anthony Davis (08:26.006)
I think you're always gonna get your users that are hyper engaged. maybe champions, but those that aren't champions but just care about it or are interested in it. So they're gonna constantly engage. So it'd be really easy to just go, we do it on the podcast. Hayden reaches out all the time. Ollie's providing the stories occasionally. And it's like, that's brilliant. We love that. But then if someone...

Luke (08:47.861)
Hehehe.

Anthony Davis (08:55.214)
that doesn't often reach out. It's really important that you value their contribution so they will come again and again. And it's the same with good security practices. If someone spots something that prevented a massive incident and it wasn't you, it wasn't the awareness team, it was the SOC or it was an engineering team or some other team.

Luke (09:18.795)
you

Anthony Davis (09:19.232)
Let them let you know and be the mouthpiece to congratulate them for that great piece of collaboration work or whatever. I think that's really important, isn't it?

Luke (09:27.305)
Yeah, no, yeah, so I guess, yeah, if you have the platforms that can help you sort of track these behaviors as well, could be really quite a nice way to do it. can sort of, guess, yeah, get stats of these people and yeah, helps you sort of know who's doing well and the right thing. Maybe help you.

Anthony Davis (09:54.806)
If you have.

Luke (09:56.437)
So maybe help you look at areas of the business that aren't engaging as well.

Anthony Davis (10:02.062)
Yeah. I think if you have some kind of human risk measurement matrix and you can see the people that are making a difference that are changing, you know, if Luke clicked on every phishing email for four months and you failed every simulation for four months and then in months five and six you didn't, like well done, well done, greatest improvement, but you've got to be careful not to flag the fact that you were rubbish beforehand.

Luke (10:19.947)
Mm-hmm.

Luke (10:26.473)
Yeah.

Luke (10:32.585)
Yeah, maybe. Yeah, actually, we've to be careful around the way you word it. Yeah.

Anthony Davis (10:33.102)
or not rubbish, vulnerable. Like, you know what I mean? Yeah.

Anthony Davis (10:39.948)
Yes. Seeing the success stories though, think that's the important part here. Like talk about the successes, talk about the good stuff.

Luke (10:48.107)
Yeah, not even, I guess, not even just the employees, but the team itself as well. Making people aware that you're actually making a difference.

Anthony Davis (11:00.864)
It could even be, if you've got technical functions, it could even be well done to this team for patching all of their servers in X amount of time or consistently being above this level or well done for this team for helping us roll out this initiative. It doesn't have to be end users, it can be teams that then build collaboration with the whole of cyber. Quite often, awareness teams are the...

Luke (11:19.049)
Yeah, the collaboration,

Anthony Davis (11:27.61)
most vocal mouthpiece of a cyber function. So if you want others to work with you, we like the PR function. yeah, shout about it. Say thank you. That's pretty much it, isn't it? Saying thank you for good behavior. Yeah.

Luke (11:38.975)
Yeah.

Luke (11:43.507)
Yeah, I think so.

Anthony Davis (11:48.961)
Right, that was number nine, recognize and reward good security practices. Coming in at number eight, offer interactive learning opportunities. Use gamified learning modules or interactive workshops to engage employees and reinforce cyber security concepts.

Luke (12:14.708)
You

Anthony Davis (12:15.724)
This is an interesting one. Interactive learning opportunities. So gamified learning modules versus, if we're talking training, gamified learning modules versus being lectured at in a training course, gamification will always win. The more interactive it is, the more it makes people think in a different way, the more they're gonna remember and take away from it.

Luke (12:18.08)
Yeah.

Luke (12:40.362)
Yeah.

Anthony Davis (12:41.482)
No one wants to be asking questions about how big the fine that this company received for this breach and what is the fine when this data breach happens, you know what I mean? Gamification is proven to, I'm pretty sure it's proven to help with knowledge retention.

Luke (12:49.653)
Yeah.

Luke (12:59.113)
Yeah, I imagine so.

Anthony Davis (13:01.516)
and interactive workshops. It's when we work together, I wanted to do this, we never got the opportunity. I do wonder what would have been different if COVID and lockdowns hadn't have hit, but getting in front of people, getting people in a room to talk about stuff, getting them on interactive live sessions to talk about stuff. There's a million different ideas you can do and a million ways to engage with people. Escape rooms is a great one.

You know, I often question their scalability, but we've had conversations with Amy at the Cyber Escape Room Co. about the fact they are scalable.

Luke (13:40.766)
Yeah, I guess, yeah, I guess it depends on your business and how big the team is and stuff, there's obviously, there's external options to bring people in to come and run some workshops. But yeah, I think people, some people like the gamification side of things with like leaderboards and stuff like that, but yeah, I mean,

Anthony Davis (13:42.284)
Stuff like that would be really good.

Luke (14:09.803)
it's definitely better than being sort of talked at or just following a piece of training that is just lot of text and nothing, you don't really learn anything, sort of just click through it. Just getting people involved.

Anthony Davis (14:24.832)
It's tough though, isn't it? Because there is also adding fluff because you think it looks good. First is you've got to put yourself in the eye of the end user. We've seen training before where we've asked for things to be slimmed down and reduced and cut down just because they're a little long and if an end user sat there and they just want to get on with it, you you don't want too many barriers.

Most often people are doing training or education because they have to, not because they necessarily want to. So unnecessary clicks, unnecessary waiting, like make sure it's all adding value or telling a story, I think is really important.

Luke (14:58.571)
Yeah.

Luke (15:07.147)
Yeah, I think it's worth it. They're quick and sort of accessible for people to just sort of jump in and out of and of like these little learning by size or learning pieces. Well, this server, this for a platforms out there that will sort of nudge someone to sort of take part in a, in a, in a module or something can every now and then you sort of take part and do it just to keep.

Anthony Davis (15:28.942)
Hmm.

Anthony Davis (15:34.584)
Yeah.

Luke (15:36.179)
sort of refreshing your knowledge and stuff.

Anthony Davis (15:39.663)
Do know the Wikipedia page for security awareness says the role of gamification and interactive training says, one of the security awareness programs increasingly utilize gamification and interactive learning modules. Studies have shown that engaging employees through serious game and some other stuff helps improve retention and application of security practices. So, yeah.

Luke (16:06.655)
you

Anthony Davis (16:08.546)
don't know what the source on that is though so do I know what the source is? the Journal of Business Research so it is a legitimate source from June 2024 gamification in workforce training improving employees self-efficacy and information security and data protection behaviors so there's a paper on it so there you go it must be true

Luke (16:11.648)
Yeah.

Luke (16:30.109)
yeah.

Yeah.

Anthony Davis (16:36.128)
Number seven, I think this should be higher. Number seven, highlight real world consequences. Share anonymized case studies of security breaches to illustrate the potential impact of cyber security lapses.

Who's anonymising that? Just like shout it loud and proud. There's a discussion to be had around that, isn't there? Because if you anonymise it... Of course. Yeah. You know, I felt that first hand. If you're literally just saying a large retailer has been attacked, or not even that, a company has been attacked, how is that relatable? But if you're saying it's the shop on the corner...

Luke (16:55.307)
Yeah, if it's public knowledge, but well, yeah, loses its impact, doesn't it?

Luke (17:17.035)
you

Anthony Davis (17:21.55)
If it's like your local, it's where you do your weekly shop. Or it's the brand whose clothes you're wearing. Straight away that's relatable, it's real. It impacts you. What happens when I want another t-shirt from Adidas or I want to go to Marks and Spencer's to get some Percy pigs? They've been attacked. You can't take my Percy pigs away, do you know what I mean? Yeah.

Luke (17:28.071)
Mm-hmm. Yeah.

Luke (17:45.259)
definitely yeah this has a much bigger impact helps you sort of show that it is a real thing that people actually do face these sorts of yeah security breaches and attacks and it could happen to your to you and your business sort of thing

Anthony Davis (18:02.638)
I mean that's key isn't it? We used to do this all the time when we worked together. We talked about other things and then we brought them back to how it was relatable to our world. So if it was a Google compromise for example it would then be we use Google and we're protected Google kicking in. Hang on. it's

Luke (18:14.048)
Yeah.

Anthony Davis (18:31.126)
Make it relative and make it real. And if there's any way to tie in with the technologies or the business or the suppliers or the companies or the location, anything you use that just makes it more real to your people.

Luke (18:43.861)
Yeah.

That's good. Good one,

Anthony Davis (18:48.92)
You ready for number six?

Luke (18:51.531)
Yeah.

Anthony Davis (18:54.382)
provide clear policies and guidelines.

develop and disseminate clear accessible policies regarding acceptable use, data handling and incident reporting to ensure employees understand their responsibilities.

So who here can say they've read the acceptable use policy for their employer?

Luke (19:20.075)
Yeah, I think it's one that everybody struggles with, I'm sure, the team.

Anthony Davis (19:28.95)
We spoke about this on the podcast some time ago and I was gonna go away and find out, and I didn't actually, I didn't need to do this, find out how much the policies we have in a cyber security function need to be written in legalese or can be written in a nice, accessible, friendly tone. And it's the...

Luke (19:50.229)
Yeah.

Anthony Davis (19:51.551)
view that you write them from as well like all of the ones i'm familiar with write them from the company's perspective you must do this you must not do that it is considered bad practice if you were to do this but why aren't we saying like as a as a colleague you can do this you can you know do it from the colleague's perspective let's not talk about removable media and let's talk about

things in the way that they would understand if you want to transfer a file from one device to another if you want to let's keep them simple keep them human

Luke (20:26.772)
Yeah.

I think it's difficult in that way of, yeah, you often don't really explain the reasons behind it in a policy or really give, potentially give the actual best practice of how you should do it. It's often to say I do a must and must not list.

Anthony Davis (20:40.428)
Mm.

Anthony Davis (20:54.368)
I have to say, I have to give, a few years ago, she's at Think Cyber, Red Flags now, but Lucy Finlay, who's their previous employer, I went to see her, because she'd written this amazing document, and it was a reverse policy lookup. And from memory, I think it was a PDF file. And you literally, the end user, the colleague could go to that document and look at what they wanted to do.

Luke (21:15.179)
you

Anthony Davis (21:23.138)
and it would then tell them in reverse, you can do this, you can do that. And I know we tried building similar. It's a difficult thing to flesh out. AI really can help with this, I would have thought, if you're allowed to get your policies into AI and ask it to flip the script and change your perspective. Even better if you can build some AI chatbot that a user can go, I want to do this, and it goes, the acceptable use policy says you can do this, but you can't do that. It's like perfect, so.

Luke (21:29.269)
Mm.

Luke (21:40.351)
Yeah, I'm sure that we...

Yeah, exactly.

Luke (21:52.043)
I think more and more businesses are probably trying to that approach and platforms are probably out there now to offer that. I guess it's difficult with all the regulations and laws and stuff around the world, I'm sure. Some of these things probably have to be that way, but definitely having an accessible front end.

Anthony Davis (22:01.934)
Hmm.

Anthony Davis (22:14.624)
It must be difficult now. know in certain countries in Europe, acceptable use policies need to go through workers councils and stuff, so they all need to make sure that the workers rights are intact. I'm sure there's one country where...

Luke (22:26.261)
Hmm.

Anthony Davis (22:31.906)
You have to be really careful what punishment you bring down on someone should they not meet that because workers' rights and stuff like that. it's a really murky, murky area. I wonder if there's a way of having an acceptable use policy really minimal and then having like an employee cyber charter or something like that, which is more of a, maybe is more of an agreement rather than a policy. I don't know.

Luke (22:56.597)
Yeah.

Yeah, it's difficult one to fulfill that. of, yeah, providing clear policies and guidelines, but I guess it's got to be done.

Anthony Davis (23:03.266)
Yeah.

Anthony Davis (23:08.803)
Yeah.

Anthony Davis (23:12.536)
Let's move on to number five. So we're at the halfway point now. Number five. Foster a culture of security awareness. Integrate cyber security into the organisational culture by making it a shared responsibility and encouraging open discussions about security practices. Now this could be a whole episode in itself. I've been on at least two webinars in the last 12 months.

as a participant that have been on this topic. it's, there's lots to be discussed on this, but getting cyber security awareness across everything is vital, isn't it really?

Luke (23:41.087)
Yeah.

Luke (23:52.863)
Yeah, yeah, it sort of goes back to number 10 of open communication channels and yeah, helping people understand that it is a shared responsibility and often they are the most important part of a security program really.

Anthony Davis (24:12.12)
just being, just hearing it spoken about often does that. If you are visible and you are out there talking about cyber security to your colleagues, you're already making it part of the culture, single-handedly.

Luke (24:27.403)
Yeah, having a brand and newsletters and channels on platforms like Slack or Teams and yeah, just regularly sharing stuff.

Anthony Davis (24:41.122)
just making noise, but standing out and being, you know, making people pay attention, telling good stories. And then if you can get senior leaders in on a slice of that as well and get them to occasionally mention something, it's a great way to get it properly embedded and get everyone considering it, keeping it front of mind.

Luke (25:02.507)
Yeah, I think as well, running culture studies and surveys and stuff across the year and sharing that as well so that everybody can sort see the results and understand the sort of current culture at the business and yeah, you can sort of run that regularly and get some data and trends that will probably help.

understand the culture and where you can focus sort of efforts on.

Anthony Davis (25:36.257)
You've got perceptions to change there as well, because there will be people in your organization that think the cyber function is there, the information security team is there to act like the police or enforcement. You should be a trusted friend.

an ally, know, a reliable, should be a shoulder to cry on, someone to listen, you know, someone to offer support. Definitely shouldn't be the police or inform. I mean, the police should be seen as that as well, shouldn't they? But they're not quite often they're seen as like this brutal force that, you know, will punish. Quite often security. Yeah, but quite, quite often cyber teams aren't there to punish, they're there to just highlight the risks.

Luke (25:56.395)
You

Luke (26:10.069)
Yeah, it's difficult with the media and stuff, isn't it? Like the perception of it.

Luke (26:21.099)
Hmm.

Anthony Davis (26:21.588)
And very often we're not the risk owners. We'll make people aware of the risks and then they make the decision. But we are there to set the boundaries quite often. The laws of the land, you can do this, but there's a good reason why, so maybe we have to explain why.

Luke (26:23.753)
Lower the risks really as well.

Luke (26:36.491)
Mm.

Luke (26:42.89)
Yeah.

Anthony Davis (26:46.882)
I'll move on to number four. Number four, encourage multi-factor authentication. Advocate for the adoption of MFA to add an extra layer of security beyond just passwords. Now I think this is, I think the advice is now, I think if we did this again in a year, that advice would be different. And you could swap out MFA for passwordless. Probably. Or pass keys.

Luke (27:09.673)
Yeah.

Luke (27:15.997)
I get the end, on the size of the business and stuff. You'd think, yeah, a lot of businesses would already be having this as a standard requirement, but there probably are smaller businesses out there that don't use or enforce MFA. You to see a lot of breaches happen because they're on MFA or they're using SMS. Still, yeah.

Anthony Davis (27:41.737)
The article that this comes from is a Varonis article. And Joseph Avanzato, who's a forensic expert at Varonis, said during a live session, attackers don't break in, they log in. is, we've seen that even recently with M&S and Co-op, the suspected source of the attack, was social engineering on a help desk to reset a user's password.

Luke (27:57.631)
Mm.

Luke (28:09.503)
Yeah.

Anthony Davis (28:11.52)
and that was suspected SIM swaps for MFA codes. That's why we're seeing Microsoft and other people move away from SMS authentication and move away from, now we're moving away from multi-factor authentication, moving over to passkeys to the device's key. You're hearing talk of unphishable authentication now, which is...

Luke (28:31.689)
Yeah.

Luke (28:39.188)
Mm.

Anthony Davis (28:40.11)
That's going to be interesting.

Luke (28:42.411)
Yeah, I think as well, just, um, we have a lot of these things as well, just making it relatable to personal lives and personal accounts. think a lot of the time people don't bother putting MFA on their personal stuff. Um, and then yeah, their Facebook gets hacked or their Instagram or whatever else.

Anthony Davis (29:05.934)
It's madness. It's not a math. It's a bit of an inconvenience, but losing everything is a bigger inconvenience. And you do get used to it. Like quite often, we've worked in organizations where they've put off making changes to MFA because of the user impact. And in the end, you know, when we worked together, we did it there. We helped promote it and it was successful. Other places I know they've done it very, very quickly in response to, you know, industry trends. And it's actually been.

Luke (29:12.075)
Mm-hmm.

Luke (29:29.587)
Yeah.

Anthony Davis (29:35.47)
Users have come along on the journey because they've had no choice and it's not that painful. these changes when communicated and managed well don't have to be really difficult.

Anthony Davis (29:51.246)
Number three, promote the use of strong, unique passwords.

I'm surprised we're still calling them passwords. I thought passwords would have died and we'd be calling them passphrases by now, I have to be honest. That's one thing that hasn't. We talked about changing that when we worked together five, six years ago. Where we worked, we went from like an eight character password to a 15 character passphrase. So we started calling them passphrases. But the rest of the world hasn't kind of adopted that. They are still passwords.

Luke (30:02.184)
Mm-hmm.

Luke (30:13.961)
Yeah.

Anthony Davis (30:27.822)
think it's plural I in some ways.

Luke (30:29.259)
Yeah, I think a lot of times standards aren't updated. You often see platforms asking for a really low minimum or full of complexity. Yeah.

Anthony Davis (30:37.39)
Hmm.

Anthony Davis (30:45.132)
Yeah, note that this said strong, unique passwords. It didn't say strong, unique, complex passwords. Complexity is, so if you're using a password manager, which everyone should be, don't be scared of a password manager, they're great. Keeper, NordPass, two I've used recently and they're both really good.

Luke (31:06.891)
Mm-hmm.

Anthony Davis (31:08.684)
If you're using a password manager, then complexity is great, because it does it for you, right? You don't have to think about it. But if you're not using a password manager, don't ask users to be complex, just ask them to be strong and unique, which can be long. Complexity is an unnecessary complexity quite often.

Luke (31:13.887)
Yeah.

Luke (31:25.875)
Yeah.

Luke (31:30.507)
Yeah, I think it leads to people making a weak password. And it often doesn't add a lot to it, really.

Anthony Davis (31:39.119)
No. I'll always remember, I'm sure there was a, I think it was a password list I saw years ago and one of the most popular passwords used was Arsenal 1886! Or something like that. And Arsenal the football club 1886, the year they were founded, I think, I'm not an Arsenal supporter.

Luke (31:54.879)
Mm-hmm.

Anthony Davis (32:01.868)
and then an exclamation mark, because that typically is someone's go-to special character. So I wonder what percentage of special characters in passwords is an exclamation mark. It's probably quite a lot of them. Or an A for an at. An at for an A, for example. So.

Luke (32:06.794)
Yeah.

Luke (32:13.621)
Probably.

Yeah, it's always the idea of substituting some words. I mean, there's charts out there which show the complexity to length in terms of how long it takes to crack it and stuff, and often the longer password is... longer passphrase or whatever is just as good, if not better in some cases. Just having the length, really.

Anthony Davis (32:36.834)
Yeah. The other thing is, the other thing is, if you've got good passwordless or multi-factor authentication, like, keep your password strong and unique, but you've got an extra layer of defense there, haven't you? Which is important. Unique we haven't touched on, and that's really important, but also really difficult if you don't use a password manager. Properly unique passwords, not just like,

Luke (32:52.895)
Yeah.

Anthony Davis (33:05.526)
My password?

Lidl1, because that's my Lidl password, or my password, Facebook1, you know, like some people think it's clever. Yeah, what I do is I take the F and the B, because it's Facebook, and I whack the F at the beginning and the B.

And then what I do is if it's Gmail, I'll put the G at the beginning and the because it's Gmail. The problem is if someone spots that pattern in your password, because one password gets popped, they then see that pattern on all of your passwords. And we know credential stuffing happens, because that's how North Face were recently compromised by a breach of usernames and passwords and then shoved in something. And because credential stuffing happens, because people reuse passwords.

Luke (33:31.007)
Yeah.

Luke (33:40.99)
Mm-hmm.

Luke (33:50.987)
Yeah, it's definitely... But you look at stats, it's always a high percentage of people reusing passwords. And a lot of times, yeah, they... Yeah, like you said, you use it on a personal account and your work account, and then you compromise both.

Anthony Davis (33:51.97)
Unique.

Anthony Davis (34:10.69)
Yeah, I mean companies, we used to harp on about that all the time. Companies, like it's really important that for your company account, or for the company, it's really important that the company account has a unique password compared to their personal account. Because you have some control over your corporate space, but.

Luke (34:12.159)
Yeah.

Luke (34:27.584)
there.

Anthony Davis (34:32.578)
When you've got people out using Facebooks and all different nature, you know, 90 different logins or however many the average person has, you want them to be different to your corporate account.

Luke (34:44.107)
Yeah, it's just touching on like some of the complexity in the systems where you'd have passwords expiring, and often people would just add an extra character or a number on the end of it just to sort of satisfy that. A lot of these things encourage bad behaviours.

Anthony Davis (35:05.08)
Password expiring is a massive bugbear for me. It's something that I experience and I don't understand, and I've been part of the discussion around it. If a password is compromised and is out there, it does mean that it's not pokeable.

Anthony Davis (35:31.609)
But it does make them weaker. It does encourage people to put a one or a two or a three at the end, which isn't ideal. Yeah, especially when you can't reuse the password for the next 10 iterations or something like that, because password reuse also shouldn't be allowed. And then yeah, it's expiring passwords. In my opinion, it's such a fake defensive method. It just encourages bad behaviors.

Luke (35:48.681)
Hmm.

Luke (35:59.709)
Especially if it's a regular thing. People might just run out of ideas. Just something at of a week pass.

Anthony Davis (36:08.674)
Remember this is an independent podcast and my opinions are my own not those of my employer.

Anthony Davis (36:16.344)
Number two, we're in the top two now. Number two, utilize simulated phishing exercises. Deploy simulated phishing campaigns to test and improve employees' ability to recognize and report suspicious emails. Now, there's two people we've had on this podcast, two guests that wouldn't agree with that. Yeah, so obviously.

Luke (36:40.843)
Yeah.

Anthony Davis (36:45.738)
Erin at Fastly didn't phish. I mean, they didn't have lots of users on email, but they didn't phish, they just did awareness on it, and everyone else communicated on Slack. They were Slack first. And then obviously Terry McCorkle, who we had on the podcast previously, from PhishCloud, and their system does away with the need, really, because you hover over a link and it tells you if it's safe or not based on threat intelligence. So.

Luke (37:12.171)
Right,

Anthony Davis (37:14.752)
I hate simulated phishing. But unfortunately I kind of see a place for it, but I just think we need to make sure the narrative around it is right, and I'm not sure it always is.

Luke (37:27.805)
Yeah, I think often it gets relied on as a sort of main piece of a program.

Anthony Davis (37:35.117)
Historically, you go back 10 years in awareness, it was the only metric you had for success or failure. That and training completion, but we'll come to that in a second. Phishing simulation and how many people have clicked or reported, not even reported half the time, was the only metric you could report the success or failure of your security awareness function, which is probably why security awareness is the lesser funded part of cyber, like.

Luke (37:40.317)
Mm-hmm.

Luke (37:44.905)
Yeah.

Anthony Davis (38:03.052)
You've got thousands of alerts coming in here. You've got millions of pounds being spent on EDR and on AV and firewalls, but human risk never gets the investment. And that's probably because the metrics have never really been there and trusted.

Luke (38:10.4)
Hmm.

Luke (38:17.618)
Yeah, I think like as well, something we saw recently, and we see it a lot, where companies run a simulated phishing campaign that's controversial about bonuses and stuff and you end up upsetting people and you end up in the news I guess, stuff like that.

Anthony Davis (38:36.632)
I saw one recently that was similar to the retail attacks that have been happening, especially here in the UK. And I was like, I'm like, I got it, but it just felt a little uncomfortable to me. And this is the problem. I'm a fan and we did a lot of work on educating and awareness rather than simulating.

Luke (38:52.65)
Mm.

Anthony Davis (39:05.742)
I think it's a bold move because everybody simulates, right? Everybody's like, yeah, I have a phishing platform, blah, blah. And indeed, when we worked together, we had phishing platforms. And where we work now, we both have a phishing platform. But I'm a big fan of education, education, and communication.

Luke (39:08.907)
Mm.

Anthony Davis (39:26.698)
It does, if you get a phishing email once every two, four weeks, is that gonna move the needle? I suppose if we spoke to any company that provides phishing simulations, they'd probably say it does.

Luke (39:42.827)
Yeah, I think it has its purposes, and for a lot of users I guess it can be beneficial. But I guess it's what you do with the results as well. If you've got people that are failing it a lot, making sure you actually do something about it and aren't just sort of leaving it as a metric. There's obviously even companies around the world that

people from failing phishing and other sorts of security tests.

Anthony Davis (40:15.628)
Yeah.

Anthony Davis (40:19.168)
I know someone here in the UK, used to work in London, and they had to fail people if they failed a certain amount. Yeah, it's a tricky one. There's probably still a place for phishing if it's done right, but I'm not sure everyone does it right.

Luke (40:27.231)
Yeah.

Luke (40:36.041)
Yeah. No, often, you know, often it's not used for the right things, I guess. You sort of want it to build people's awareness around understanding how to spot them. But often it's used as a punishment or a negative sort of thing. If someone's failed more than three times, for example, they're bad.

Anthony Davis (40:45.325)
Mm.

Anthony Davis (41:01.912)
Bring people on the journey with you. I think that's the important takeaway from that.

Luke (41:05.885)
Mm. Yeah.

Anthony Davis (41:09.534)
Right, well that's number two. So let's just do a recap before we hit number one. Number 10 was maintain open communication channels. Number nine was recognize and reward good security practices. Number eight, offer interactive learning opportunities. Number seven was highlight real world consequences. Number six, provide clear policies and guidelines. Number five,

foster a culture of security awareness, number four, encourage multi-factor authentication, number three, promote the use of strong, unique passwords, and number two, utilize simulated phishing exercises. Which means, according to ChatGPT, the number one strategy to enhance cybersecurity awareness among colleagues is implement regular cybersecurity training sessions. Ugh.

Luke (42:06.347)
It would have fought it.

Anthony Davis (42:08.398)
Conduct periodic training to educate employees about current threats, safe practices, and organisational policies. No, ChatGPT, I disagree. I disagree. It's framed all wrong. User engagement, that's what should be top, not training. Engagement, and that's the problem. I've said this before about compliance requirements as well.

Luke (42:29.205)
Yeah.

Anthony Davis (42:34.786)
Do you train your staff? No, should be do you engage with your staff and educate them? It doesn't need to be training.

Luke (42:42.185)
Yeah, it's often... all of these regulations are very black and white with emphasizing that, they must receive training. No, yeah.

Anthony Davis (42:49.784)
They don't even ask what's in the training. Just the fact, do you do training? And then you have to have a conversation or a persuasion episode with an auditor to explain that the engagement is training. Like, I have sent this person 34 emails this year telling them about threats that they face. Is that training? No, because they haven't ticked a box and answered some questions. It's like,

Anthony Davis (43:16.792)
We're measuring the wrong stuff. We should be measuring like knowledge transference. We should be managing behavior change. We should be measuring how the needle has been pushed or how far the needle has been pushed. And training does not push the needle, in my opinion.

Luke (43:29.419)
Okay.

Luke (43:34.955)
Yeah, no, it's often just, um, you sort of get the basics in it for whatever satisfies the regulations that you need or whatever. then, yeah, just building a program that's around, like you said, communication and regular messaging and there's platforms out there that do like the nudges and behavior, but they, yeah, catch a behavior before it becomes something like a problem.

Anthony Davis (43:37.378)
Rant over.

Anthony Davis (43:53.784)
Yeah.

Anthony Davis (44:04.75)
I would love to see the word training disappear from our world, to be replaced with, as a minimum, education, because education is more, there's more ways to educate than train. So from our security awareness human risk world, I would love to see the word training disappear and be replaced with two E's: education

Luke (44:24.651)
Mm-hmm.

Anthony Davis (44:35.2)
as a minimum, and in an ideal world, engagement. And engagement goes beyond nudges. Nudges are great. There's a place for nudges, right? Nudges are awesome. Some of the nudging tools out there are great and do a really good job. But nudges aren't enough. You need engagement in order for the nudges to land. Because otherwise, you're just annoyed. If you're on a bus and you're getting nudged by the person next to you, you're like, what are they doing? Get off me, leave me alone. Like, stop elbowing me.

Luke (44:57.204)
Yeah.

Anthony Davis (45:05.272)
But if it's your mate nudging you, like, you know, I'll stop it. You know, like, it's different, isn't it? Like, eventually it will become annoying, but it's different. So you need to, we need to bring people on that journey and make the nudges feel like they're from a friend rather than from some random stranger on the bus.

Luke (45:09.781)
Yeah.

Luke (45:21.097)
Yeah, don't be pointing fingers either, blaming people. Be careful with these sorts of messages, and especially automated messages and auto-responses and stuff. Making sure they sound like they've actually been written by a friend and a human, not a robot.

Anthony Davis (45:26.466)
Yeah.

Anthony Davis (45:44.92)
Yeah.

I think we need to have a conversation with our auditors and with the people that we have to provide evidence of training to, to see whether or not we can change that control and where that control comes from. And whether or not we can be confident in saying that the engagement we do and the education we do throughout the year is more impactful. And indeed, what did we end up doing?

We ended up bringing training down right down to a minimum viable product, so it met compliance requirements because we were confident that we engaged so much throughout the year. And I think that's, I think more companies should do that if you're doing quarterly training or you're doing a big lengthy annual training. Why not think about like just doing whatever the minimum required of you is, just so there's just enough perceived knowledge transfer from those above you.

Anthony Davis (46:42.86)
and then you can just constantly be in the ear of your colleagues throughout the year. I think that's the important, that's the difference.

Luke (46:49.109)
Yeah.

Yeah, training is always a difficult one. Like we've touched on with the compliance requirements, but also getting people to actually complete it and take part in it. Often, like, you might buy off-the-shelf training that isn't particularly relatable or fun to do. You can obviously make your own training, but it's a lot of effort.

Anthony Davis (47:16.14)
We could make the training for them.

Luke (47:19.135)
Yeah.

Anthony Davis (47:19.746)
This hasn't been a 47 minute sales pitch, but with many of these, you know, these are challenges that we've faced and we've built our own training before. So if you're interested in something different, get in touch. Let's have a chat.

Luke (47:35.499)
Yeah, I mean, it'd be interesting to hear from other people, professionals, around the things we've spoken about: what they do, what they don't do.

Anthony Davis (47:44.044)
Yeah, I wonder how many agree with that top 10.

I definitely don't agree that regular cybersecurity training sessions is the number one strategy to enhance awareness amongst colleagues. If we flip that.

Luke (48:00.787)
Yeah, it's probably just because it's a requirement for certain regulations that this sort of ends up being number one.

Anthony Davis (48:09.024)
One interesting perspective is which ones you think could do the most damage to your internal brand. Bad training could do some serious damage. Asking everyone to spend 20 minutes of their day when they're busy on some training that isn't relevant to them and they don't wanna do. That could be damaging to your internal brand and all the traction and goodwill that you build up. So that's quite an interesting one when you look at it through that optic.

Luke (48:38.239)
Yeah, lots to think about.

Anthony Davis (48:38.317)
Yeah.

Anthony Davis (48:42.422)
Let us know your thoughts. Let us know if we've missed anything. And let us know if you think training is the number one strategy. It'd be really, really interesting to know.

Luke (48:52.181)
Yeah.

Anthony Davis (48:54.944)
Right, I think that's it for this week then.

Luke (48:57.749)
Yeah, I think it is.

Anthony Davis (49:00.716)
It's been a pleasure. Let us know what top 10 you'd like us to talk about next time.

and we'll have a chat, let us know what your top 10 strategies are. That'd be lovely.

Luke (49:11.029)
Yeah, people can email us.

Anthony Davis (49:13.74)
Yes, what's the email address Luke?

Luke (49:16.361)
hello@riskycreative.com

Anthony Davis (49:18.456)
Boom, brilliant, thank you for bringing that up. I should have said that. Right, that's all from us this week. So we'll see you again next week.

Luke (49:28.521)
We are back to a normal episode next week.

Anthony Davis (49:30.658)
Back to normal. Yes. Holidays are over.

Luke (49:34.251)
Cool, see you, bye.

Anthony Davis (49:35.703)
See you next week. Bye.