Cybersecurity Training Should Not Be a Silent Exercise.
Why interactive sessions still matter when building a stronger security culture.
Cybersecurity is definitely more front of mind than ever before.
Most organisations are doing some form of awareness training now, with many using online modules delivered at regular intervals. These often include a short video followed by a few questions to check understanding.
This kind of training has value.
It keeps cybersecurity visible. It helps organisations deliver consistent messages across their teams. It also creates a record that awareness training has been completed.
In today’s environment, that record matters. It allows an organisation to show that training has been done and that the box has been ticked.
But awareness training should not stop there.
A strong security culture is not just about whether someone has seen the information or whether they can select the correct answer in a clearly structured question.
It is about whether they feel confident enough to use that information when something doesn’t feel right.
That is where interactive sessions still matter.
Not because online modules are bad, or because they don’t serve a purpose.
They matter because real security culture is built through conversation.
The problem is not online training
Online modules can be useful.
They are easy to roll out, easy to repeat, and easily fit into a busy workday. For small businesses and not-for-profit organisations, that matters. Time is limited, people are busy and cybersecurity is usually one of many competing priorities.
A short module can remind staff to think before they click. It can explain why multi-factor authentication matters. It can introduce topics like phishing, password reuse, payment redirection scams, and protecting sensitive information.
That is all helpful.
But it is not enough for the module to be the whole conversation.
Staff complete it quietly at their desk, answer the questions, get the pass mark, and go back to what they were doing. At the end of the day, the report says it’s complete, so everyone assumes the message has landed.
The question is, when no one is talking about it, how can you be sure it did?
A room tells you the things a report cannot
There is still a lot to be said for getting people together in a room to talk about cybersecurity.
It does not have to be formal, technical, or full of scare tactics and complicated terminology.
In fact, the best sessions are usually the opposite.
They are practical and they are conversational. They create a safe space for people to ask questions they couldn’t ask during an online module.
When given the opportunity to ask, you may be surprised how many questions your team has.
It might start with one person saying, “I received an email like that last week.” Then suddenly someone else says, “I would not have known who to report that to,” followed by someone in finance explaining how changes to supplier bank details are actually handled.
These are not interruptions to the training. They are the reason it is so valuable.
A completion report can tell you who finished a module, and perhaps who had to redo one.
It cannot tell you where staff are confused, what assumptions are being made, or whether your team feels comfortable speaking up when something feels wrong.
A group conversation can.
Knowing the answer is not the same as knowing what to do
In a training module, the example is usually clear. The phishing email has staff rolling their eyes at how painfully obvious it is. The quiz usually has just the right mix of suggested answers, so even if someone is not completely sure, they can work out which of the four is most correct. Or, they will copy and paste it into AI to get the answer.
Real life is rarely that neat.
AI has really shifted the way social engineering is used. It is no longer just scalable. It can also be tailored. A fake invoice may look like it came from a supplier the business already uses. A payment change may come through during a busy period. An email may look mostly right, but something just feels slightly off.
That is where people hesitate.
When they are not sitting there doing an online module, their first thought is rarely, “This is a cybersecurity risk.” They are thinking, “This looks urgent,” or “I will just do this now, I don’t want to slow everyone down.”
This is where interactive sessions can make a real difference. They give people a chance to talk through realistic examples, or even break down well-known breaches, before something happens in their own workplace.
A module will tell you to verify a supplier bank account change. A group conversation can walk through how that actually looks in the business. Who checks it? What number do they call? What happens if the request looks urgent, or appears to come from someone senior?
When people talk about these situations together, they start to see that cybersecurity is not sitting with one person, one team, or one provider.
That shared understanding is a big part of security culture.
The goal is confidence, not completion
Let’s be clear. This is not an argument against online training.
Short, regular, and easy-to-understand training modules can be effective. They help keep the message visible and provide regular reminders about the risks staff may face.
But interactive sessions add something different.
They bring the message back to real life and help staff connect the training to situations they may face.
A module will remind someone what to look for. A conversation helps them understand what to do next.
That matters, because the goal of awareness training should not be to scare people, or make cybersecurity feel bigger, harder, or more technical than it needs to be.
The goal should be confidence.
Confidence to pause when something is off. Confidence to question something unusual. Confidence to say, “I am not sure about this, can we check?”
Training should not just be something that staff complete. It should be something they understand, discuss, and feel confident to use when it matters most.
Online modules can help keep the message visible, but interactive sessions help bring it to life.
Because a stronger security culture is not built by ticking a box.
It is built through the conversations that help people know what to do next.
At BrightPath Cyber Advisory, this is the kind of awareness we believe in: practical, human, and connected to the way an organisation actually works.