Quick answer: Yes. Most breaches start with human error—clicking phishing links, weak passwords, falling for scams. Technical controls catch most attacks, but trained humans catch what technology misses. Effective training is short, regular, and relevant.
Why Training Matters
The statistics:
- 90%+ of successful breaches involve a human element
- Phishing is the most common attack vector
- Average employee receives 14+ malicious emails per year
- One click can compromise the entire organisation
Where technology alone falls short:
- Email security catches most phishing, not all
- MFA stops account takeover, but users can be socially engineered
- DLP prevents data loss, but users find workarounds
What Effective Training Looks Like
Short and regular
- Monthly 5-10 minute modules
- Not annual 2-hour compliance sessions
- Reinforced through the year
Relevant
- Based on real threats your organisation faces
- Industry-specific examples
- Tailored to job roles
Engaging
- Interactive, not just slides
- Real-world scenarios
- Not checkbox compliance
Measured
- Completion tracking
- Knowledge assessments
- Phishing simulation results
Positive
- Reward reporting, don't punish mistakes
- Build a security culture
- Make it safe to ask questions
What Training Should Cover
Core topics (everyone)
- Recognising phishing
- Password security
- MFA importance
- Social engineering awareness
- Reporting suspicious activity
- Safe web browsing
- Physical security basics
Role-specific (additional)
- Finance: Invoice fraud, payment verification, BEC
- HR: Recruitment scams, employee data protection
- Executives: Whaling attacks, impersonation
- IT: Privileged access, technical social engineering
Current threats
- AI-powered phishing
- QR code attacks (quishing)
- Deepfake awareness
- Latest scam patterns
Phishing Simulations
What they are: Fake phishing emails sent to test employee responses.
Why they work:
- Measure real behaviour, not just knowledge
- Identify high-risk users for additional training
- Reinforce training in realistic context
- Track improvement over time
What to do:
- Start easy, increase difficulty
- Focus on learning, not punishment
- Immediate feedback when someone clicks
- Praise for reporting
What to avoid:
- Public shaming
- Punitive measures for first offences
- Unrealistic "gotcha" tests
- Testing without training first
Measuring Effectiveness
Track these metrics:
- Training completion rates
- Assessment scores
- Phishing simulation click rates
- Phishing simulation report rates
- Actual incident reduction
Targets:
- 95%+ completion
- Click rates below 5%
- Report rates above 50%
- Year-on-year improvement
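The simulation and measurement points above (click rate, report rate, completion, improvement over time, and spotting high-risk users for extra training) come down to a small amount of aggregation over per-recipient results. The following is an added example, not code from the page or from any of the platforms it names; the event records, user names, campaign labels and the `min_clicks` threshold are constructed for illustration, and the three target values are the ones the page states.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed sample data (not real results): one tuple per simulated email
# delivered, as (campaign, user, clicked, reported, training_completed).
SAMPLE_EVENTS = [
    ("2024-Q1", "alice", False, True,  True),
    ("2024-Q1", "bob",   True,  False, True),
    ("2024-Q1", "carol", False, False, False),
    ("2024-Q1", "dave",  True,  False, True),
    ("2024-Q2", "alice", False, True,  True),
    ("2024-Q2", "bob",   True,  False, True),
    ("2024-Q2", "carol", False, True,  True),
    ("2024-Q2", "dave",  False, True,  True),
]

# Targets as stated on the page: 95%+ completion, click rate below 5%,
# report rate above 50%.
TARGET_COMPLETION = 0.95
TARGET_CLICK = 0.05
TARGET_REPORT = 0.50


@dataclass
class CampaignMetrics:
    campaign: str
    sent: int = 0
    clicked: int = 0
    reported: int = 0
    trained: int = 0

    def _rate(self, n: int) -> float:
        # Guard against an empty campaign rather than raising ZeroDivisionError.
        return n / self.sent if self.sent else 0.0

    @property
    def click_rate(self) -> float:
        return self._rate(self.clicked)

    @property
    def report_rate(self) -> float:
        return self._rate(self.reported)

    @property
    def completion_rate(self) -> float:
        return self._rate(self.trained)

    def meets_targets(self) -> dict:
        """Which of the page's three targets this campaign meets."""
        return {
            "completion": self.completion_rate >= TARGET_COMPLETION,
            "click": self.click_rate < TARGET_CLICK,
            "report": self.report_rate > TARGET_REPORT,
        }


def summarise(events) -> list:
    """Aggregate per-recipient events into one CampaignMetrics per campaign,
    ordered by campaign label."""
    by_campaign: dict = {}
    for campaign, _user, clicked, reported, trained in events:
        m = by_campaign.setdefault(campaign, CampaignMetrics(campaign))
        m.sent += 1
        m.clicked += int(clicked)
        m.reported += int(reported)
        m.trained += int(trained)
    return [by_campaign[c] for c in sorted(by_campaign)]


def repeat_clickers(events, min_clicks: int = 2) -> list:
    """Users who clicked in at least `min_clicks` campaigns (constructed
    threshold): the 'high-risk users' the page says should get additional,
    not punitive, training."""
    counts = Counter(user for _, user, clicked, _, _ in events if clicked)
    return sorted(u for u, n in counts.items() if n >= min_clicks)


def trend(metrics) -> dict:
    """Change from the first to the last campaign, for the page's
    'improvement over time' metric. A negative click delta and a positive
    report delta are the desired directions."""
    if len(metrics) < 2:
        return {"click_delta": 0.0, "report_delta": 0.0}
    first, last = metrics[0], metrics[-1]
    return {
        "click_delta": round(last.click_rate - first.click_rate, 4),
        "report_delta": round(last.report_rate - first.report_rate, 4),
    }


if __name__ == "__main__":
    campaigns = summarise(SAMPLE_EVENTS)
    for m in campaigns:
        print(f"{m.campaign}: click {m.click_rate:.0%}, report {m.report_rate:.0%}, "
              f"completion {m.completion_rate:.0%}, targets {m.meets_targets()}")
    print("repeat clickers:", repeat_clickers(SAMPLE_EVENTS))
    print("trend:", trend(campaigns))
```

Report rate here is measured against all recipients, which is the stricter reading of the page's "report rates above 50%"; some platforms report it against non-clickers only, so compare like with like when tracking year-on-year. The repeat-clicker list is an input to targeted training, in line with the page's advice to reward reporting rather than punish mistakes.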
What Doesn't Work
Annual compliance training: One session per year doesn't change behaviour. People forget.
Long, boring sessions: 2-hour presentations aren't absorbed. People tune out.
Generic content: "Don't click suspicious links" without context. People don't know what suspicious looks like.
Blame culture: Punishing mistakes makes people hide them. You need reporting.
No measurement: Training without assessment means you have no idea whether it's working.
Platform Options
Microsoft Defender for Office 365 (Plan 2): Attack simulation training included. Basic but integrated.
Dedicated platforms:
- KnowBe4
- Proofpoint Security Awareness
- Mimecast Awareness Training
- And many others
Our Approach
Security awareness training is included in our managed services:
- Monthly micro-training - short, relevant modules
- Phishing simulations - regular, measured testing
- Role-specific content - relevant to each user
- Reporting - you see completion and results
- Continuous improvement - adapted based on results
