
Inside Cyber Security: How to train in good cyber resilience habits for SME staff
Words matter in cyber security more than we think.
This is especially true in smaller businesses, where every pound and every hour counts.
SME leaders sometimes talk about ‘training’, ‘education’ and ‘awareness’ as if they’re the same thing. The result is that they often buy off‑the‑shelf courses that tick compliance boxes but don’t actually change what people do day to day.
This was the challenge cyber security expert Dr Adrian Davis took up in his talk at the East Midlands Cyber Summit, led by EMCSC in Leicester in February 2026.
Dr Davis’s message was clear: if we get the words wrong, we get the results wrong.
The distinctions matter for SMEs, which often have very limited time with their teams.
Education is the deep end: helping people understand why cyber matters to your specific business, what’s really at risk if systems go down or data is stolen, and how attacks typically play out. Training is practical: showing staff exactly how to use tools safely – from finance systems to email – and practising the right actions under pressure.
Awareness is the lightest of the three: it simply makes people see that something exists. To make the point, Dr Davis shared a clever example with Summit delegates.
He told them early in his presentation that more than 750 men reached the rank of general or above in the British Army during World War II. Dr Davis then finished his slot by asking whether that fact would change anything in delegates’ lives.
It won’t. They’re now aware, but nothing about their behaviour shifts. And that’s the trap many SMEs fall into with ‘cyber awareness’.
In smaller organisations, ‘cyber’ often gets squeezed into a quick toolbox talk. Alternatively, it may be a forwarded article or a cheap e‑learning module.
It’s usually a list of don’ts: don’t click links, don’t reuse passwords, don’t get hacked. People rush through it, guess the quiz answers, and go straight back to old habits.
Awareness in isolation is simply information with no context, no practice, and no clear ‘what should I do differently tomorrow?’.
Knowing that phishing exists is as useful as knowing how many WWII generals there were. If your team can’t spot a dodgy invoice email – or doesn’t know who to ask before paying it – then awareness means nothing.
Dr Davis suggested starting with one simple question: “What exactly are we trying to achieve?”.
Instead of ‘raise awareness of cyber risk’, pick one concrete behaviour and design around that. For example, teach everyone to press Windows key + L to lock their screen every time they stand up. Then explain it in terms they care about – stopping colleagues (or kids at home) from sending embarrassing emails or messing with customer records.
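One caveat a practitioner would add: a habit like Windows key + L needs a technical backstop for the days it is forgotten, and you can check that the backstop is actually in place rather than assuming it. The script below is an added example, not code from the EMCSC page or from Dr Davis’s talk. It assumes a Windows 10/11 machine and an elevated PowerShell session, and uses two real settings: the machine inactivity limit (the “Interactive logon: Machine inactivity limit” policy, stored as InactivityTimeoutSecs) and the per‑user secure screen saver values under Control Panel\Desktop. The function names and the 10‑minute default are this example’s own choices.

```powershell
# Added example: check and enforce an automatic screen lock as a backstop for the
# "lock your screen when you stand up" habit. Assumes Windows 10/11, elevated shell.

$InactivityKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$DesktopKey    = 'HKCU:\Control Panel\Desktop'

function Get-ScreenLockStatus {
    # Read the current values; anything missing comes back as $null.
    $inactivity = (Get-ItemProperty -Path $InactivityKey -Name 'InactivityTimeoutSecs' `
                       -ErrorAction SilentlyContinue).InactivityTimeoutSecs
    $desktop    = Get-ItemProperty -Path $DesktopKey -ErrorAction SilentlyContinue

    [pscustomobject]@{
        InactivityTimeoutSecs = $inactivity
        ScreenSaverExe        = $desktop.'SCRNSAVE.EXE'
        ScreenSaverIsSecure   = $desktop.ScreenSaverIsSecure
        ScreenSaveTimeOut     = $desktop.ScreenSaveTimeOut
        # "In place" here means a machine-wide lock within 15 minutes of inactivity.
        # The Windows key + L habit is still the first line of defence; this catches
        # the times it is forgotten.
        BackstopInPlace       = ($inactivity -is [int] -and $inactivity -gt 0 -and $inactivity -le 900)
    }
}

function Set-ScreenLockBackstop {
    param(
        [ValidateRange(60, 900)]
        [int]$TimeoutSeconds = 600   # 10 minutes: short enough to matter, long enough to tolerate
    )

    # Machine-wide: "Interactive logon: Machine inactivity limit" (needs an elevated shell).
    if (-not (Test-Path $InactivityKey)) { New-Item -Path $InactivityKey -Force | Out-Null }
    Set-ItemProperty -Path $InactivityKey -Name 'InactivityTimeoutSecs' -Value $TimeoutSeconds -Type DWord

    # Per-user belt and braces: the built-in blank screen saver, password required on resume.
    # Without SCRNSAVE.EXE set, ScreenSaverIsSecure has nothing to lock.
    Set-ItemProperty -Path $DesktopKey -Name 'SCRNSAVE.EXE'        -Value 'C:\Windows\System32\scrnsave.scr'
    Set-ItemProperty -Path $DesktopKey -Name 'ScreenSaveActive'    -Value '1'
    Set-ItemProperty -Path $DesktopKey -Name 'ScreenSaverIsSecure' -Value '1'
    Set-ItemProperty -Path $DesktopKey -Name 'ScreenSaveTimeOut'   -Value ([string]$TimeoutSeconds)
}

# Usage: report, apply, report again. Remove the middle line to audit only.
Get-ScreenLockStatus | Format-List
Set-ScreenLockBackstop -TimeoutSeconds 600
Get-ScreenLockStatus | Format-List
```

Running this changes live settings, so try it on one machine first. In a domain the same values are normally pushed by Group Policy; the point of the check function is that an SME can confirm the backstop exists on each PC instead of taking it on trust, and then spend its limited training time on the habit itself.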
In an SME, you need clarity and repetition. The way to achieve this is to give your leadership team short, plain‑English stories about real risks to your business – lost revenue, downtime, reputation. For everyone else, build a few simple, repeatable actions into daily routines, and recognise people when they do the right thing.
Dr Davis’s takeaway for SME owners and managers? Stop buying “awareness” and expecting it to magically fix behaviour. Be precise about whether you’re educating, training, or simply informing. Then choose one behaviour you want to change first, and work on that until it sticks.