Spent some time looking for ideas on how to do a security training (compliance requirement) that didn't suck. Cribbing from some reddit posts, I think I'm going to give everyone a notecard with something like "Is Bob Bobson a client here", have them pair up, and do a little phone conversation roleplay where one person is a visher trying to trick the other into revealing the piece of information, while the other person gets practice saying "No." Seemed like a good way to let the staff dip a toe into thinking like an attacker.
Depending on your field, your business may already have a cybersecurity department. There's an endless parade of thankless grunt work to be done like patching (often after hours), following up with users whose machines didn't patch for whatever reason, and so on. (With your manager's permission) you may be able to reach out to them and volunteer to help with some of those tasks, as a way to dip a toe into that world and start learning.