This episode is a little different. No news. No phishing breakdowns. Just two awareness professionals (on holiday, sort of) talking through something that affects every security team come October: what do we actually do for Cybersecurity Awareness Month?
It’s a familiar scene. You sit down with a blank whiteboard, maybe a fresh pack of Post-its, and ask the question we all dread: “What’s our campaign this year?”
Well, in this special episode, we tried something new. We asked ChatGPT for its “Top 10 Strategies to Enhance Cybersecurity Awareness Among Colleagues” and then reacted live. What’s solid advice? What’s tired and overdone? And what’s actually harmful to your internal brand?
Spoiler: we have thoughts.
Training Isn’t Top. Engagement Is.
The list ChatGPT gave us ended with “implement regular cybersecurity training sessions” as the number one strategy.
We disagreed. Strongly.
Yes, training has its place. It ticks compliance boxes. It satisfies auditors. But it's rarely what changes behaviour. In fact, bad training (lengthy, irrelevant, unrelatable) can actively harm your internal credibility.
Instead, we believe in engagement.
If you're nudging, educating, storytelling, and staying visible year-round, that is training. You're building a culture, not just ticking a box. You’re shifting perception. That should be the goal.
Our Take on the “Top 10” (and where it goes right)
Here’s what stood out from the rest of the list:
10. Open Communication Channels
A strong start. Most people don’t report security concerns because they don’t know how. Or worse, they feel stupid doing so. Your job is to remove that barrier. Whether it’s Slack, Teams, email, or a champions network, make it easy and human.
9. Recognise and Reward
Yes. Celebrate the wins. Not just from security nerds or your champions, but from Kevin in Accounts who reported a dodgy email. From the tech team that patched ahead of schedule. Recognition is cheap and powerful. Use it.
8. Gamify the Learning
Escape rooms. Simulations. Even a quiz that isn’t painful. Interactivity matters. Just keep it user-first. Don’t add fluff because it looks fun. Make it feel useful.
7. Real-World Consequences
Bring the stories to life. Don’t say “a retailer was attacked.” Say “M&S was breached, where you buy Percy Pigs.” That makes people pay attention. If it’s public, use names. Be human about it.
6. Clear Policies
Policies shouldn’t be written in legalese. Why do we still do that? Flip the script. Say what someone can do. Use natural language. And maybe explore ideas like interactive policy lookups or AI chatbots that explain the rules like a friend.
5. Culture is Everything
Security isn’t just a poster on a wall. It’s how often your team talks about it, how leaders model it, how peers treat it. Embed it everywhere. Celebrate it. Live it.
4. Push MFA
No debate here. Just maybe next year we’re saying “push passkeys.” Either way, MFA is still the best bang-for-buck control. And people should be using it at home too, not just at work.
3. Strong, Unique Passwords
Still relevant. Still a mess. Most people reuse passwords. Or use Arsenal1886 across all sites. Use this moment to promote password managers. Long is better than complex. Unique is better than clever.
2. Simulated Phishing
Controversial. It has a place, but only if it’s done well. Don’t traumatise staff. Don’t make it about punishment. Use it as a prompt for better conversations. Otherwise, just talk to your people. Teach. Don’t trap.
Ideas for October: More Than Just Posters
If you’re planning Cybersecurity Awareness Month, we also shared five initiatives that go beyond “raise awareness” and actually drive behaviour:
- Photo Challenges – Get personal. Ask staff to show how they stay secure.
- Escape Rooms – Team-based, hands-on, and fun.
- Myth-Busting Webinars – Kill off old beliefs with relatable stories.
- Device Security Check-Ups – Help people secure their real lives.
- Interactive Phishing Games – Teach people what to look for, not just test them.
Final Thought
Training isn’t dead. But it’s not the hero.
What matters is how we show up. How we make people feel. How often we get in their ear. If your training is 30 minutes once a year, but your engagement is weekly, daily, embedded, that’s your awareness programme.
So as October approaches, don’t just ask “What’s our training?” Ask: “What are we doing to actually connect?”
And if you need help making that happen, well, you know where to find us.