Traditional Cybersecurity Training Is Bullshit. Here's What Actually Protects Your Business.
Most cybersecurity training is a waste of money that protects nobody. If you want to actually stop your small business from getting breached, your team needs hands-on practice with realistic simulations, not a 45-minute video they'll watch at 2x speed.
By Dan J, Founder of PhishPlease
Most cybersecurity training is a waste of money that protects nobody. If you want to actually stop your small business from getting breached, which happens through phishing and social engineering roughly 60% of the time according to the latest Verizon research, your team needs hands-on practice with realistic simulations, not a 45-minute video they'll watch at 2x speed while eating a sandwich and mentally composing their shopping list.
I spent 3 years at Duo Security, which Cisco acquired for $2.35 billion. I've seen how the biggest, most security-conscious companies in the world approach this stuff. And I can tell you with absolute confidence that the version of "cybersecurity training" most small businesses are buying is complete and utter bullshit. A crappy video. A multiple-choice quiz a particularly motivated hamster could pass. A certificate that says "completed" that means absolutely nothing. And then everyone acts shocked when someone on the team clicks a phishing link and the company loses $50,000 to a wire fraud they never saw coming.
The problem is bigger than most people realize
The 2025 Verizon Data Breach Investigations Report found that 60% of all confirmed data breaches involved the human element. Social engineering, phishing, credential theft, someone clicking something they shouldn't have. Not sophisticated nation-state hacking, not some genius exploit that slithers past your firewall while dramatic music plays. A person, getting tricked by an email.
And if you think your company is too small for attackers to bother with, Barracuda Networks found that an average employee at a company with fewer than 100 people receives 350% more social engineering attacks than someone at a large enterprise. Small businesses aren't being ignored by attackers. They're being specifically targeted because attackers know the defenses are thin, the budgets are tight, and the training is usually nonexistent. It's the cybersecurity equivalent of a house with no locks in a neighborhood where everyone else has installed alarm systems: you're not getting burgled because you're special, you're getting burgled because you're the easiest option on the street.
Barracuda's 2025 email security report found that 78% of organizations experienced an email-related breach in the past year, with recovery costs per employee at smaller firms hitting $1,946 compared to $243 at larger companies. For a 25-person company, that's nearly $50,000 in recovery costs from a single incident, and that's before you factor in lost clients, reputational damage, and the three weeks of absolute chaos while everyone scrambles around like ants whose hill has just been kicked over.
If the majority of breaches start with someone getting tricked by a phishing email, then training your people to spot those emails isn't "one of many things you should do." It's THE thing. The single biggest lever you can pull. The one investment that addresses the actual, documented, statistically proven way that companies like yours get wrecked.
Why the training you're buying doesn't fix this
The annual video problem. Someone in management buys access to a training platform, assigns a 30-to-60-minute video module, everyone clicks through it over a lunch break while simultaneously answering Slack messages and wondering what to have for dinner, and at the end there's a quiz with questions like "should you click links from unknown senders?" Everyone passes. Everyone gets a certificate. Nobody's behavior changes at all, because the Ebbinghaus forgetting curve shows people forget roughly 70% of new information within 24 hours without reinforcement. That video your team watched last March has evaporated from their brains with the permanence of a sandcastle at high tide.
And here's the part that makes me want to throw my laptop out of a window: a training program can have a 100% completion rate and a 0% impact on actual behavior. If nobody paid attention, if nobody retained anything, if nobody's reflexes changed, what exactly did you pay for? A PDF that proves your employees can click a "next" button 47 times in a row? Congratulations, you've bought the world's most expensive screensaver.
The test that tests nothing. When companies do run phishing simulations, they're often so hilariously fake that passing them proves about as much as beating a toddler at arm wrestling proves about your fitness. Emails from "Amaz0n" written in grammar that suggests the author composed it during a seizure, so obviously bogus they may as well arrive with a flashing neon banner that says "THIS IS THE FAKE ONE." Your team spots them, click rate drops to 2%, and leadership pops champagne with the misplaced confidence of someone who's outrun a tortoise and now reckons they're ready for the Olympics.
Meanwhile, real phishing emails in 2026 are generated by AI. They're grammatically perfect, personalized with details scraped from LinkedIn, and reference real projects, real colleagues, real vendors. Training your team against cartoon fakes is like preparing for a cage fight by wrestling a beanbag.
The frequency problem. Even decent training done once a year is nearly useless. Threats evolve monthly. AI-generated phishing has doubled in volume over the past two years according to Verizon. Annual training is like getting a flu shot in 2019 and expecting it to work in 2026: the threat has mutated beyond recognition, and your protection expired so long ago it might as well be a fond memory.
What actually works
When I was at Duo, security wasn't a once-a-year event. It was woven into how people worked every day. That's the model, and it's what I built PhishPlease to do for small businesses that deserve the same caliber of protection without the million-dollar budget.
Hands-on practice beats passive watching. You wouldn't hand someone a pamphlet about driving and then toss them the keys on the motorway. Phishing training works the same way: send realistic simulations, give immediate feedback when someone clicks, provide a short targeted lesson on what they missed, then do it again next month. Simulate, catch, teach, repeat.
Short and frequent beats long and annual. A 2-minute targeted lesson right after someone clicks a simulated phishing link is worth more than a 45-minute video they watched seven months ago and have since forgotten with the thoroughness of a goldfish that's been shown a magic trick. Monthly simulations, micro-lessons, immediate feedback. That's how humans actually learn.
Realistic simulations beat obvious fakes. If your phishing simulations aren't good enough to actually catch people, they're just flattering your team into a false sense of security that will shatter the moment a real attack arrives. We send emails that look like the real thing: Microsoft security alerts with one letter off in the domain, invoice scams that match your vendor's formatting, CEO impersonation emails that reference actual projects.
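As an added illustration (not PhishPlease's code), here is the kind of lookalike-sender check a small business can run over incoming addresses; it flags the two lure patterns the post describes, a known domain with one letter off and Amaz0n-style digit-for-letter swaps. The trusted-domain list and the sample addresses are constructed for the example.

```python
"""Lookalike sender-domain check (illustrative, not PhishPlease's code).
Flags senders whose domain is a near miss of one the business trusts:
one character changed, dropped or added, or a homoglyph swap such as the
0-for-o in 'amaz0n.com'. Lists and addresses below are constructed."""
import re

# Domains the business actually deals with (constructed list; use your own).
TRUSTED_DOMAINS = {"microsoft.com", "amazon.com", "acme-supplies.com"}

# Single-character look-alikes folded back to the letter they imitate.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain: str) -> str:
    """Fold homoglyphs so 'micros0ft.com' and 'rnicrosoft.com' compare equal
    to 'microsoft.com'. Heuristic: 'rn' -> 'm' can misfold legitimate names,
    so tune against your own vendor list before acting on the result."""
    return domain.lower().replace("rn", "m").translate(HOMOGLYPHS)


def sender_domain(address: str) -> str:
    """Pull the domain out of a From header such as 'Dan J <dan@example.com>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", address)
    return m.group(1).lower() if m else ""


def classify_sender(address: str) -> str:
    """'trusted' on exact match, 'lookalike' on a near miss, else 'unknown'."""
    domain = sender_domain(address)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    folded = normalize(domain)
    for trusted in TRUSTED_DOMAINS:
        if folded == trusted or edit_distance(folded, trusted) <= 1:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for addr in ("security@microsoft.com", "alerts@micros0ft.com",
                 "billing@amaz0n.com", "ap@acme-suplies.com"):
        print(f"{addr:30} -> {classify_sender(addr)}")
```

A "lookalike" verdict is a good trigger for a visible warning banner or a one-click report button, which is the behavior the post asks you to reward.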
We're the good bad guys. We trip your people up on purpose, not because we're arseholes, but because it's a hell of a lot better for us to catch them than for some scammer who's going to empty your bank account and vanish like a fart in a hurricane.
The single biggest thing you can do
60% of breaches involve the human element. For small businesses, the numbers are even more skewed because you don't have the technical defenses that larger companies use as backup. Your team IS your defense.
You can spend thousands on firewalls and endpoint protection and intrusion detection systems, and all of it becomes worthless the moment someone enters their password into a fake login page because they got a convincing email. The entire security stack collapses at the point where a human makes a decision about an email. It's a chain that's only as strong as its weakest link, except the weakest link is also the one that gets yanked on three hundred and fifty percent more often than anyone else's.
Train your people. Train them with realistic simulations, not crappy videos. Train them monthly, not annually. Train them with respect and immediate feedback, not gotcha tests designed to humiliate them. Make reporting a suspicious email the easiest, most rewarded behavior in your company.
That's the single most impactful investment you can make in your company's security. Not one of many. THE one. Because the breach that's going to hit your business won't come through your firewall. It'll come through your inbox.
Ready to test your team?
Send your first phishing simulation in under 2 hours.