Cybersecurity training access has increased for the first time in four years, yet a quarter of employees still skip it entirely—often due to overconfidence, according to a new global study. The findings come from CybSafe's "Oh, Behave!" report for 2024-2025, which surveyed over 7,000 people across seven countries.
The study exposes a troubling paradox: employees who feel most confident about their cyber skills are often the most vulnerable to attacks. This is particularly true for younger workers, with Generation Z and Millennials showing the highest rates of both confidence and actual cybercrime victimization.
While 57% of participants claim intermediate or advanced cybersecurity knowledge, their behaviors tell a different story. For instance, over a third (35%) of participants include personal information in their passwords, and this percentage rises to 52% among Gen Z workers. These risky practices are particularly dangerous for small and medium-sized enterprises, which often lack the resources to recover from cyberattacks.
"While cybersecurity may not always seem a top priority for startups, it should be at the forefront of every founder's mind," says Oz Alashe MBE, CEO and Founder of CybSafe. "The statistics are clear. SMEs are highly vulnerable to cyberattacks and are likely to fold if they become victims."
The Risks of Skipped Training
The consequences of missed training are manifesting in dangerous security practices across organizations. Most alarming is employees’ casual approach to AI tools: 38% admit they’ve shared sensitive work information without their employer’s knowledge. Password security also remains problematic, as 40% of participants acknowledge creating passwords using a single dictionary word or name – a practice that makes accounts particularly vulnerable to breach.
Technical safeguards are also being ignored. Fewer than half of employees have enabled automatic software updates, leaving security gaps unpatched. Meanwhile, nearly a third of workers still don't report phishing attempts, even when provided with easy-to-use reporting tools, potentially allowing harmful emails to circulate unchecked through their organizations.
These risky behaviors are creating opportunities that cybercriminals are actively exploiting. The report shows that 35% of participants had been victims of cybercrime, representing an 8% increase from the previous year—a stark reminder that inadequate training has real consequences for both individuals and organizations.
Why Current Training Methods Fall Short
Traditional cybersecurity training approaches appear to be missing the mark. While access to training has increased, with 33% reporting usage, the current methods fail to engage many employees effectively. Nearly a quarter of workers skip training because they believe they "already know enough," while another 22% claim they're simply too busy to participate.
Perhaps most concerning is that 71% of employees receive only one-off training sessions rather than ongoing education, creating a significant gap in continuous learning. The study also revealed a disconnect between industry trends and employee preferences. While many organizations have invested heavily in gamified learning experiences, only 11% of employees actually prefer this format. Instead, video content emerged as the clear favorite, with 46% of respondents preferring it, followed by online courses at 37%.
Behavior-Focused Solutions for Cybersecurity Awareness
The report advocates for a fundamental shift toward behavior-focused training approaches that go beyond simple knowledge transfer. Organizations need to address the stark gap between perceived and actual security skills through regular, ongoing education rather than relying on annual compliance sessions. This includes creating practical, hands-on learning opportunities that reflect scenarios employees face every day.
Additionally, training must evolve to provide specific guidance on emerging threats and tools to address the rise of new technologies, particularly AI. The focus should be on fostering a security-conscious workplace culture where good practices become routine rather than an afterthought.
"Unlike enterprises that must invest heavily to improve security practices across diverse teams and regions, startups are agile and adaptable," Alashe notes. "This creates an opportunity to build a business with security embedded in its DNA, supported by a team that genuinely values a security-conscious culture."
Bridging the Security Gap
To close the gap between confidence and competence, organizations must review their cybersecurity training programs and consider behavior-focused approaches. The report suggests implementing regular security awareness check-ins, creating tailored training programs for different age groups, developing clear guidelines for AI tool usage, and building security consciousness into company culture. Regular assessment of security behaviors, rather than just knowledge, has become essential.
The complete “Oh, Behave!” report, featuring detailed findings on cybersecurity attitudes and behaviors, is available on CybSafe’s website.