The overwhelming majority of cyber attacks gain a foothold the moment a member of staff opens an email, clicks a link or answers a call that seemed routine. No firewall fixes that. Staff training does — when it's done right.
No onboarding calls, no sales pitch. Free until you invite the team in.
The reality in 2026
These aren't future scenarios. These are everyday incidents — the kind that show up in Vísir and DV, and that CERT-IS keeps publishing advisories about.
Phishing in the name of Skatturinn
Spoofed emails posing as the tax authority, Landspítalinn or Icelandic banks — often very convincing — funnel staff onto lookalike sites and harvest credentials in seconds.
AI voice cloning over the phone
Attackers use AI to mimic a CEO's or partner's voice and demand a transfer 'right now'. Five seconds of voice from social media is enough to build a convincing copy.
Ransomware against small businesses
Small and mid-sized Icelandic firms have become a preferred target precisely because their defences are thinner than enterprise. One click on the wrong attachment can shut a business down for weeks.
Kennitala scams and fake government sites
Fake portals impersonating vehicle registration, driving licence renewal or Þjóðskrá harvest kennitölur and bank details that later get used for identity theft.
What these attacks have in common: they breach through people, not through systems. You cannot buy your way out of this problem with another firewall.
Why now
NIS2 is now an obligation
Once implemented in Iceland, documented staff security training is one of the core duties under NIS2. Many more Icelandic companies are now in scope than under the old NIS1.
Cyber insurance requires it
Cyber insurance premiums have risen sharply. Insurers now ask for proof that your staff get annual security training, and reward companies that can show it.
Your customers are asking
Large customers now send security questionnaires with their RFPs. 'What security training does your staff receive?' is a standard question. If you can't answer it, you lose the contract.
Or keep reading — the rest of this page walks through the solution.
What actually works
The behavioural science is unambiguous: the brain remembers what it sees often, not what it saw at length. Short, repeated training beats long one-off courses every time, in every discipline this has been measured in.
Annual training
About 30% remember anything after 3 months
A one-hour course once a year ticks a box on paper, but within weeks the content is gone. Behaviour doesn't change.
Monthly micro-training
Over 90% keep the skill live
Five minutes a month, always on new material, always right after a reminder, builds durable reflexes. This is the path every serious security-awareness study confirms.
General figures drawn from work like the SANS Security Awareness Reports and the Verizon Data Breach Investigations Report — exact numbers vary by study, but the ratio is stable.
Why ordinary training doesn't work
It's in English. Icelandic-speaking staff skim half the words. One might pass the quiz — but behaviour doesn't change.
Each course is an hour long. Nobody finishes them. The ones who do forget them a week later.
Training happens once a year. The attacker shows up in October and the people you trained in January have already forgotten.
No measurement. You don't know who completed, who failed, who's overdue. Any serious audit request can't be answered.
Priced for US enterprises. Icelandic SMBs either pay absurd prices for something they don't use, or give up and do nothing.
How Varhugi is different
Every item on this page — five minutes, monthly repetition, Icelandic content, automatic certificates, simple pricing — is a direct response to one of the reasons above.
In Icelandic, with Icelandic examples
Phishing in Skatturinn's name, kennitala fraud, AI voice cloning in Icelandic — content staff recognise from their own inbox. Nothing translated from English.
Five minutes, once a month
Each module is five minutes, ending in a short quiz. Total time per year: one hour. That's the time a staff member is willing to give, and the repetition is what does the training.
Reminders and audit reports run themselves
The system nudges staff when a module is due, issues certificates automatically when they pass, and produces a monthly audit report for leadership. Nothing to track in a spreadsheet.
Three minutes to set up
Sign in with Microsoft, Google or an email link, type the company name, share a sign-up link in Teams. Staff get themselves in — you don't have to send invites to 50 people.
Where Varhugi pulls ahead
How this plays out
An accountant gets an email from the 'CEO' at 16:45 on a Friday
Án Varhuga
'Anna, can you approve this transfer before the bank closes? Confidential, don't ask anyone else.' Anna sends 1.2 million ISK to an account that turns out to be in the Bahamas.
Með Varhuga
Anna remembers last month's module on CEO fraud. She calls the CEO on the number she knows, confirms he sent nothing, and tells IT. Loss: zero.
A staff member accidentally uploads a loan contract to a 'free PDF converter'
Án Varhuga
He finds a site on Google, uploads the document with kennitölur, financial details and contract text. The site keeps everything for a year and resells it to marketing firms. The GDPR data is in Singapore by the time the breach is discovered.
Með Varhuga
Last month's module on shadow IT told him to use the Microsoft 365 tool the company already pays for. Takes 30 seconds longer. Nothing leaves the EEA.
The sales phone rings and 'Microsoft IT' asks for an MFA code
Án Varhuga
The salesperson reads out the code. The attacker gets into the company's Microsoft 365 account, blasts phishing email to every customer from that account, and uses the contact lists to target partners.
Með Varhuga
The salesperson remembers that no legitimate IT desk asks for an MFA code over the phone. Hangs up, calls IT on the known number to report it. The account is still safe.
Open a workspace for free, share a sign-up link in Teams, and the first module is on your staff's calendar by the time you close this page.
Free
0 ISK
One user, the full library, for trying the platform.
Lite
Low flat price
Small and mid-sized companies. Everything included.
Pro
From a certain headcount
Larger organisations with departments, audit reports and exports.
No credit card for the free plan. No setup fees. Cancel anytime.
varhugi