Cover story

How to think like a hacker

To make cyber adoption stick at work, focus on the risk to you and your family.

01 September 2025

Antonios (Tony) Christodoulou, Founder of Cyber Dexterity.

A cyber training programme is particularly tricky to get right. It’s a stubborn problem to which there seems to be no straightforward solution. A phishing attack is so easy to mount, and is very often effective, particularly among South Africans. Phishing is also where over half of all cyber attacks originate, says ESET.

Companies will now routinely do phishing dry runs to get some sense of how well their security awareness programmes are working, but as Gartner says, there’s little evidence that this will actually reduce cyber risk. All it may do is train staff to be better at spotting phishing tests. But at least the compliance people will be happy. Staff don’t seem to care about cyber risk; after all, it’s not their company. According to 2024 Gartner research, 93% of staff carrying out unsecured actions at work actually knew this would increase risk at the organisation, but went ahead anyway. But they may simply have been trying to do their jobs, and were perhaps pushed into unsafe behaviour by company policies, such as banning all use of GenAI tools, without explanation.
