If cybersecurity is often the afterthought in organisational strategy and planning, then dealing with user awareness and training is typically the afterthought within cybersecurity itself. Despite a pandemic that led to an increase in home working and a corresponding need for related policies and awareness to be provided, evidence suggests that the situation is unchanged or even worsened. Meanwhile, incidents continue to occur and people continue to be blamed, despite often being unsupported to do any better. This talk will examine the issues that ought to be covered to enable basic cybersecurity literacy, but which are often overlooked, neglected, dismissed or mishandled. It will also illustrate how guidance needs to be meaningfully aligned to users’ needs and why relying on them to solve it for themselves will generally lead to a false sense of security.