Because nothing says “security first” like annual PowerPoint fatigue.

Well, it’s that time of year again. Pumpkin-spiced coffee, ghosts and goblins, trees turning colors, and holiday ads airing entirely too early. Oh yeah, and Cybersecurity Awareness Month! I almost forgot. It’s the single month when companies suddenly remember security exists: don’t click things, use strong passwords like “Autumn2025!”, and beware of those “suspicious” misspelled emails.

We leave October-- one single month-- to cram in education everyone will totally remember until next year, right? …Right?

You know it, I know it, everyone sitting through the “required trainings” knows it. It’s a hoop to jump through, a box to check, a pencil to whip. And that’s bad. It’s reduced what’s an incredibly important topic-- one that can make or break a business-- into oversimplified DOs and DON’Ts without ever explaining the why. Why is this important? Why should we care?

And here’s the thing: training once a year isn’t training-- it’s trivia.

Nobody masters anything by being told once and then left alone for eleven months. You don’t go to the gym once a year and expect to stay in shape, and you don’t hold a single safety meeting and expect zero accidents. Cybersecurity is no different.

Monthly training keeps the conversation alive. It takes what would’ve been a miserable October checkbox and turns it into part of company culture. When users see security reminders throughout the year-- short, frequent, and relevant-- it becomes muscle memory instead of trivia. The goal isn’t to make people paranoid; it’s to make awareness second nature.

But that awareness can’t be generic.

A huge mistake some MSPs make is treating everyone’s cybersecurity training like it’s one-size-fits-all. As if the CFO, the help desk tech, and the intern who just learned how to use the printer all need the same PowerPoint about phishing emails. They don’t. Yet somehow, we keep rolling out the same generic, corporate-approved videos that sound like they were written by a committee that’s never seen an actual phishing attempt.

Your IT folks need depth-- technical context, emerging threat trends, real examples of how vulnerabilities are exploited. They should be learning how to spot the weird stuff before it becomes a ticket. But your end users? They need connection. They need to know why this matters beyond “don’t click links.” Show them how the same scams hit their personal lives-- fake package deliveries, compromised social media, phony job offers-- because once they care about protecting themselves, they’ll start protecting the business, too.

This is why we encourage you to use our Tech Defense, Self Defense, Data Defense, and SecOps trainings every month. You (and your MSP) already have access to them-- and if you’re not using them, you should be.

No matter the audience, the training has to tie back to business risk. Users don’t need to know how malware works, but they should understand what happens when it does. When people see that a “harmless click” can shut down payroll, kill access to customer data, or cost their company its reputation, it stops being abstract. It becomes personal.

And if that annual training is your only effort, you’re already losing.

People forget-- not because they’re dumb, but because their brains are full of more important things like client calls, deadlines, and remembering where they parked. Expecting someone to retain cybersecurity lessons from a single training session is like expecting them to recall every detail from last year’s HR meeting. Spoiler: they don’t.

And honestly, even if they did remember, half the time the training itself isn’t helping. You know the type: a forty-five-slide PowerPoint with six-point font, one bullet per paragraph, and SmartArt straight out of 2009. Maybe a flying clipart lock spins across the screen for dramatic effect. Everyone zones out, checks email, and prays for the “Next” button to appear. The only thing they remember afterward is how much coffee it took to survive it.

If you want people to actually learn, you can’t bore them into awareness. Otherwise, you’re not building good habits-- you’re just hosting an annual PowerPoint endurance test with slightly better stock photos.

And while we’re at it, let’s talk about everyone’s favorite activity: phishing tests.

They’ve become the corporate Hunger Games of cybersecurity. Someone decides it’s time to “keep users sharp,” so they send a fake email that looks just real enough to trick half the company. A few people click, management gasps, and then the punishment begins: another mandatory training module that’s somehow even more boring than the last one.

Here’s the dirty secret: phishing tests don’t actually teach anyone anything. They measure embarrassment, not awareness. Nobody walks away from failing one thinking, “Wow, I’m so glad I learned how to spot that.” They walk away thinking, “I’m never opening another email again,” or worse, “IT’s just out to make us look stupid.” Congratulations-- you’ve just trained your staff to resent you.

And that mythical “0% click rate” companies love to chase? It doesn’t exist. Even the most well-trained organizations still have people who click, because phishing has evolved way past the bad spelling and Nigerian princes of the early 2000s. These days, the emails are perfect-- the logos are right, the tone is right, and sometimes they even come from a real compromised account inside the company.

So yes, people will click. They’ll enter credentials. They’ll scan QR codes. Some will even approve MFA prompts because they think it’s part of their day. Punishing them afterward doesn’t fix that-- preparing for it does.

And that’s the point: assume they’ll click.

It’s not because they’re careless; it’s because attackers are clever. They’ve studied human behavior longer than most companies have existed.

That’s why relying on phishing tests as your frontline defense is a losing game. It’s like training for a fire drill by hoping nobody ever lights a match. You can’t stop people from making mistakes, but you can build systems that keep those mistakes from burning the whole building down.

That’s where layered defenses come in-- strong security controls, real-time monitoring, and tested incident response and disaster recovery plans. Because when (not if) someone clicks, the goal isn’t to panic. It’s to detect, isolate, and recover before it becomes a headline.

Training should reinforce that mindset-- not shame users for clicking, but teach them what to do after they click. Who do they call? How fast should they report it? How do they limit the blast radius? That’s real security awareness: not paranoia, not punishment, but preparation.

Cybersecurity isn’t about preventing mistakes; it’s about surviving them.

And that’s the mindset shift we need.

Cybersecurity Awareness Month isn’t a holiday. It’s not something you break out the decorations for once a year and forget about the moment November hits. It’s supposed to be a habit-- part of the culture, not a calendar event wedged between “Team Lunch” and “Bring Your Pet to Work Day.”

Doing one month of security training is like brushing your teeth once a year and acting shocked when you get cavities. Awareness can’t be seasonal. If you want people to take it seriously, it has to be baked into everything-- onboarding, meetings, and yes, those regular refreshers that don’t make people want to claw their eyes out.

Stop treating Cybersecurity Awareness Month like the Super Bowl of “don’t click that.” As IT and Cybersecurity professionals, our job isn’t to run a once-a-year parade of password tips; it’s to make security part of how our clients operate year-round. Because hackers don’t care what month it is-- and they sure aren’t waiting for your next awareness campaign to end before they send the next phishing email.

If you really want to make a difference, skip the once-a-year PowerPoint marathon. Instead, help your clients turn cybersecurity into a habit-- short, focused, consistent, and relevant. That’s what keeps them safe long after the pumpkin spice lattes are gone.

Oh, and before I forget-- please don’t use the season, year, and exclamation point as a password for anything. It’s one of the first ones every hacker, including myself, tries.
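The season-plus-year pattern is easy to turn into a policy check rather than a yearly reminder. The following Python is an added example, not code from the post or from the trainings it mentions: it rejects passwords built from a season or month name, a year, and a few trailing symbols, tolerating the usual character substitutions (“W1nter_2024!!”). It goes beyond the post’s single “Autumn2025!” case by covering month names as well. The word list, substitution map, 12-character minimum and sample passwords are all constructed assumptions, not taken from any product or standard.

```python
"""Deny passwords shaped like <season or month><year><symbols>.

Added example. The word list, substitution map and samples are assumptions
constructed for illustration; wire the check into whatever password filter
or self-service reset flow the organisation actually runs.
"""
import re

# Words people reach for when forced to rotate a password on a schedule.
# Assumed list; extend it with company name, product names, local sports teams.
SEASONAL_WORDS = (
    "spring", "summer", "autumn", "fall", "winter",
    "january", "february", "march", "april", "may", "june", "july",
    "august", "september", "october", "november", "december",
)

# Single-character swaps that keep a word just as guessable, so they must not
# rescue it from the denylist. Assumed set.
SUBSTITUTIONS = {
    "a": "a@4", "e": "e3", "i": "i1!", "o": "o0", "s": "s$5", "t": "t7", "l": "l1",
}


def _leet_tolerant(word: str) -> str:
    """Turn 'fall' into a regex fragment such as 'f[a@4][l1][l1]'."""
    return "".join(
        f"[{re.escape(SUBSTITUTIONS[c])}]" if c in SUBSTITUTIONS else re.escape(c)
        for c in word
    )


WORD_ALTERNATION = "|".join(_leet_tolerant(w) for w in SEASONAL_WORDS)

SEASONAL_PATTERN = re.compile(
    rf"^(?:{WORD_ALTERNATION})"      # season or month, substitution-tolerant
    r"[-_.]?"                         # optional separator
    r"(?:(?:19|20)\d{2}|\d{2})"       # four- or two-digit year
    r"[!@#$%^&*.?_-]{0,3}$",          # a few trailing symbols
    re.IGNORECASE,
)


def check_password(candidate: str) -> tuple[bool, str]:
    """Return (accepted, reason).

    Only the seasonal-pattern rule and a minimum length are shown; a real
    policy would also screen against breach corpora and password reuse.
    """
    if SEASONAL_PATTERN.match(candidate):
        return False, "season/month + year pattern is on the denylist"
    if len(candidate) < 12:  # assumed minimum, not a recommendation from the post
        return False, "shorter than 12 characters"
    return True, "ok"


if __name__ == "__main__":
    # Constructed samples, not real credentials.
    for sample in ("Autumn2025!", "W1nter_2024!!", "December2025!!", "Fall25",
                   "correct-horse-battery-staple"):
        accepted, reason = check_password(sample)
        print(f"{sample!r:32} {'accept' if accepted else 'reject'}: {reason}")
```

The pattern is anchored at both ends on purpose: the goal is to catch the exact composition users fall into under rotation pressure, not to ban every password that happens to contain the word “May”. Pair the rejection with the reason string so the user learns what was wrong, which is the only part of a failed check that actually trains anyone.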