
Security awareness program for employees

Most security breaches don't start with hackers breaking through firewalls. They start with an employee clicking a link in an email, sharing credentials over a phone call, or leaving sensitive documents in a public place. Your employees are simultaneously your biggest vulnerability and your strongest defense — depending on how well they're trained.

Security awareness training turns employees from targets into sensors. A well-trained workforce doesn't just avoid threats — they report them. They question suspicious requests. They understand why security matters and make good decisions even when no one is watching.

This chapter covers how to build a security awareness program that actually works: engaging content, practical skills, and measurable results. Not the annual checkbox training that everyone forgets immediately, but ongoing education that changes behavior.

Why security awareness matters

The numbers tell a clear story:

Human error dominates breach statistics. Verizon's 2024 Data Breach Investigations Report found that 68% of breaches involved a non-malicious human element — people falling for social engineering or making mistakes. You can have the best technical controls in the world and still get breached through your people.

Phishing is the top attack vector. The same report shows phishing as the initial access method in 16% of breaches. Pretexting (social engineering) accounts for another significant portion. These attacks target humans, not systems.

Small companies are prime targets. Attackers know small companies often lack security training. According to the 2024 Hiscox Cyber Readiness Report, small businesses are more likely to be attacked than large enterprises, and they suffer proportionally greater damage.

One click can cost millions. The average cost of a phishing attack that results in a data breach is $4.76 million according to IBM's 2024 Cost of a Data Breach Report. For a small company, that's often fatal.

Training works. Organizations with security awareness training programs have 70% fewer security incidents. Regular phishing simulations can reduce click rates from 30%+ to under 5%.

What employees need to know

Not everyone needs to understand buffer overflows or SQL injection. But every employee — from receptionist to CEO — needs to understand these topics:

1. Phishing and email security

Phishing is the art of tricking people via email (or text, or voice) into revealing credentials, installing malware, or taking harmful actions. It's the most common attack vector against organizations.

What employees should recognize:

| Phishing indicator | Example |
|--------------------|---------|
| Urgency or threats | "Your account will be closed in 24 hours" |
| Unexpected requests | "Please update your payment information" |
| Suspicious sender | "[email protected]" |
| Generic greeting | "Dear Customer" instead of your name |
| Grammar and spelling errors | "Kindly verify your informations" |
| Suspicious links | Link text says "amazon.com" but actual URL is "amzn-login.malicious.com" |
| Unexpected attachments | Invoice.pdf.exe or "Please review this document" |
| Request for sensitive info | "Reply with your password to verify your identity" |
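As an added example (not code from the original page), the Python checker below looks for the indicators in the table above in a raw email message: sender domain, urgency phrases, generic greetings, requests for sensitive data, link text that does not match the real link host, and risky attachment names. The company domain, the phrase lists and the three sample messages are constructed for this example; a real mail gateway does far more, but this shows the mechanics behind each row of the table.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed for this example: the defending company's domain, phrase lists
# drawn from the indicator table, and file extensions that should never arrive by mail.
COMPANY_DOMAINS = {"company.example"}
URGENCY = ("within 24 hours", "will be closed", "immediately", "urgent", "time-sensitive")
SENSITIVE = ("your password", "verify your identity", "payment information")
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd")
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def _sender_domain(from_header):
    """Domain part of 'Display Name <user@domain>' or of a bare address."""
    m = re.search(r"<([^>]+)>", from_header)
    addr = (m.group(1) if m else from_header).strip().lower()
    return addr.rsplit("@", 1)[-1]


def analyze_email(raw):
    """Return the phishing indicators found in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []

    domain = _sender_domain(msg.get("From", ""))
    if domain not in COMPANY_DOMAINS:
        # A foreign domain embedding the company name is a lookalike; other outside senders are only noted
        base = next(iter(COMPANY_DOMAINS)).split(".")[0]
        kind = "lookalike sender domain" if base in domain else "external sender"
        findings.append(f"{kind}: {domain}")

    body, attachments = "", []
    for part in msg.walk():
        if part.get_filename():
            attachments.append(part.get_filename())
        elif part.get_content_type() in ("text/plain", "text/html"):
            body += part.get_payload(decode=True).decode("utf-8", "replace")
    text = body.lower()

    if any(p in text for p in URGENCY):
        findings.append("urgency or threat language")
    if re.search(r"dear (customer|user|client|member)", text):
        findings.append("generic greeting")
    if any(p in text for p in SENSITIVE):
        findings.append("request for sensitive information")

    for href, label in LINK_RE.findall(body):
        host = (urlparse(href).hostname or "").lower()
        shown = re.sub(r"<[^>]+>", "", label).strip().lower()
        # Link text that looks like a domain but is not the host actually linked
        if re.fullmatch(r"[\w.-]+\.[a-z]{2,}", shown) and host != shown \
                and not host.endswith("." + shown):
            findings.append(f"link text '{shown}' points to {host}")

    for name in attachments:
        if name.lower().endswith(RISKY_EXT) or re.search(r"\.(pdf|docx?|xlsx?)\.\w+$", name.lower()):
            findings.append(f"suspicious attachment: {name}")
    return findings


# Constructed sample messages (credential phish, malware delivery, benign internal mail)
CREDENTIAL_PHISH = """From: Amazon Billing <billing@amzn-login.malicious.com>
Subject: Your account will be closed in 24 hours
Content-Type: text/html

<p>Dear Customer,</p>
<p>Please update your payment information within 24 hours or your account will be closed.</p>
<p><a href="https://amzn-login.malicious.com/login">amazon.com</a></p>
"""

MALWARE_DELIVERY = """From: Accounts <accounts@vendor-invoices.example>
Subject: Invoice attached
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached invoice.
--b1
Content-Type: application/octet-stream; name="Invoice.pdf.exe"
Content-Disposition: attachment; filename="Invoice.pdf.exe"

TVo=
--b1--
"""

BENIGN = """From: IT Helpdesk <helpdesk@company.example>
Subject: Printer on floor 2 is back
Content-Type: text/plain

Hi Jane, the floor 2 printer is working again. No action needed.
"""

if __name__ == "__main__":
    for name, raw in [("credential phish", CREDENTIAL_PHISH), ("malware", MALWARE_DELIVERY), ("benign", BENIGN)]:
        print(name, "->", analyze_email(raw) or "no indicators")
```

Each finding maps to one row of the table, which makes the output a natural teaching aid: the same list can be shown to an employee who reported the message, explaining why it was suspicious.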

Training scenarios:

  1. Credential phishing: Fake login page for Microsoft 365, Google Workspace, or internal systems
  2. Spear phishing: Targeted email appearing to come from CEO or manager
  3. Business Email Compromise (BEC): Urgent wire transfer request from "CFO"
  4. Malware delivery: "Invoice attached" or "You have a package"
  5. Callback phishing: "Call this number to resolve your account issue"

What to do when receiving suspicious email:

  1. Stop — don't click any links or open attachments
  2. Check — look at the sender address carefully
  3. Verify — contact the sender through a known channel if unsure
  4. Report — forward to security/IT or use the report button
  5. Delete — remove from inbox after reporting

2. Social engineering

Social engineering is manipulation to get people to give up confidential information or take actions they shouldn't. It exploits human psychology, not technical vulnerabilities.

Common techniques:

| Technique | Description | Example |
|-----------|-------------|---------|
| Pretexting | Creating a fake scenario to extract information | "I'm from IT, I need your password to fix your account" |
| Baiting | Offering something enticing | USB drive labeled "Salary Info 2024" left in parking lot |
| Tailgating | Following authorized person through secure door | "Can you hold the door? I forgot my badge" |
| Quid pro quo | Offering service in exchange for information | "Free IT support" that installs malware |
| Vishing | Voice phishing via phone | Fake bank call about "suspicious activity" |
| Smishing | SMS phishing | "Your package couldn't be delivered, click here" |
| Impersonation | Pretending to be authority figure | Fake vendor, executive, or IT support |

Real-world social engineering attacks:

The Twitter hack (2020): Attackers called Twitter employees pretending to be IT support and convinced them to enter credentials on a fake internal site. Result: High-profile accounts (Obama, Musk, Gates) tweeted a Bitcoin scam.

The Ubiquiti breach (2021): Attackers impersonated a third-party vendor via email, convinced employees to make fraudulent wire transfers. Result: $46.7 million lost.

MGM Resorts (2023): Attackers called the IT help desk, impersonated an employee using LinkedIn information, and convinced the help desk to reset MFA. Result: Systems down for days, $100 million+ in losses.

Defense strategies to teach:

  1. Verify through a different channel — If someone calls asking for information, hang up and call back using a known number
  2. Be suspicious of urgency — "This must happen NOW" is a red flag
  3. Confirm requests for money or data — Especially if unusual or unexpected
  4. Don't let politeness override security — It's okay to say no to requests that seem wrong
  5. Report social engineering attempts — Even unsuccessful ones, they're intelligence

3. Password security

Despite years of awareness efforts, passwords remain a major weakness. People reuse passwords, choose weak ones, and share them inappropriately.

Password realities to teach:

Why password reuse is dangerous:

2019: User creates account on random forum with password "Summer2019!"
2020: Forum gets breached, password leaked
2021: Attacker tries same email/password on company systems
2021: Attacker logs in successfully - user reused the password
2021: Data breach, company in the news

This isn't theoretical — credential stuffing attacks (trying leaked passwords against other sites) are extremely common. Have I Been Pwned has over 14 billion breached accounts in its database.

Password best practices:

| Do | Don't |
|----|-------|
| Use unique password for each account | Reuse passwords across sites |
| Use password manager | Write passwords on sticky notes |
| Use long passphrases (16+ characters) | Use short passwords with substitutions (P@ssw0rd) |
| Enable MFA everywhere available | Rely on password alone for important accounts |
| Change password if breach suspected | Change passwords on arbitrary schedule |

Introducing password managers:

Most people can't remember unique passwords for 50+ accounts. Password managers solve this by:

  1. Generating strong, unique passwords for each site
  2. Storing them securely (encrypted)
  3. Auto-filling credentials (so you don't type them where they could be captured)
  4. Alerting when passwords are found in breaches
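The breach alert in point 4 is usually built on the Have I Been Pwned "Pwned Passwords" range API, which uses k-anonymity: the client hashes the password with SHA-1, sends only the first five hex characters, and receives every breached hash suffix with that prefix together with a breach count, so the password itself never leaves the machine. The example below is added here (it is neither the page's code nor Passwork's); `fake_range_lookup` and its tiny leaked-password corpus are constructed stand-ins for the live API so the code runs offline, while `hibp_range_lookup` shows the equivalent real call.

```python
import hashlib
import urllib.request


def sha1_hex(password):
    """Upper-case hex SHA-1, the form the Pwned Passwords API works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in corpus (not real breach data) so the example runs offline.
_LEAKED = {"Summer2019!": 3, "password": 10_000_000, "P@ssw0rd": 60_000}


def fake_range_lookup(prefix):
    """Offline stand-in for the range endpoint: returns "SUFFIX:COUNT" lines
    for every corpus hash whose first five hex characters equal the prefix."""
    lines = []
    for pw, count in _LEAKED.items():
        h = sha1_hex(pw)
        if h[:5] == prefix:
            lines.append(f"{h[5:]}:{count}")
    return "\r\n".join(lines)


def hibp_range_lookup(prefix):
    """Live call: GET https://api.pwnedpasswords.com/range/<prefix>. Only the
    5-character prefix is sent; Add-Padding hides the true number of results
    from anyone observing response sizes. Not used by the offline demo."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "awareness-demo", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password, range_lookup=fake_range_lookup):
    """k-anonymity check: the full hash never leaves this function."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in range_lookup(prefix).splitlines():
        if ":" not in line:
            continue
        candidate, count = line.strip().split(":", 1)
        if candidate == suffix:
            return int(count)  # padding entries carry count 0 and never match a real suffix
    return 0


def assess(password, range_lookup=fake_range_lookup):
    """Apply the Do/Don't rules: a breached password must change on every
    account that reused it; otherwise prefer a 16+ character passphrase."""
    count = breach_count(password, range_lookup)
    if count:
        return "breached", f"seen {count} times in breaches: change it on every account that uses it"
    if len(password) < 16:
        return "weak", "not in known breaches, but shorter than a 16-character passphrase"
    return "ok", "not in known breaches and long enough"


if __name__ == "__main__":
    for pw in ("Summer2019!", "P@ssw0rd", "correct horse battery staple 42"):
        print(pw, "->", assess(pw))
```

To run against the real service, pass `range_lookup=hibp_range_lookup` to `breach_count` or `assess`; the k-anonymity property holds either way, because only the prefix is ever transmitted.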

Recommended password manager:

We recommend Passwork — a business password and secrets manager with zero-knowledge encryption, shared vaults, granular permissions, and audit logs. Available as on-premise (your own servers) or cloud. Scales from small teams to 30,000+ users. From €3/user/month.

MFA (Multi-Factor Authentication):

Passwords alone aren't enough. MFA adds a second verification method:

| MFA type | Security level | Convenience |
|----------|----------------|-------------|
| SMS code | Low (can be intercepted) | High |
| Authenticator app (Passwork 2FA or any TOTP app) | Medium | Medium |
| Hardware key (YubiKey) | High | Medium |
| Passkeys | High | High |

Teach employees:

  • Enable MFA on all accounts that offer it
  • Prefer authenticator apps over SMS
  • Never share MFA codes with anyone (legitimate services never ask)
  • "Someone called asking for my code" = attack in progress

4. Data handling and classification

Employees work with sensitive data daily. They need to understand what's sensitive and how to handle it.

Data classification framework:

| Level | Description | Examples | Handling |
|-------|-------------|----------|----------|
| Public | No harm if disclosed | Marketing materials, public website content | Share freely |
| Internal | For employees only | Internal policies, org charts, project plans | Keep within company |
| Confidential | Business-sensitive | Financial reports, customer lists, contracts | Need-to-know, encrypted |
| Restricted | Highly sensitive | Personal data (PII), health info, credentials | Strict access control, encrypted |

Common data handling mistakes:

  1. Emailing sensitive data unencrypted — "I'll just email this customer list to my personal account"
  2. Saving to personal cloud storage — Company data on personal Dropbox/Google Drive
  3. Sharing beyond need-to-know — Forwarding confidential docs to people who don't need them
  4. Improper disposal — Throwing away documents without shredding, not wiping devices
  5. Leaving data visible — Unlocked screen in coffee shop, documents on shared printer

Data handling guidelines:

Before sharing data, ask:

  1. Does this person need this data for their job?
  2. Is this the minimum data they need?
  3. Am I using an approved channel to share it?
  4. Is the data appropriately protected (encrypted if needed)?
  5. Should this be time-limited or require acknowledgment?

Personal data (PII) special handling:

Personally Identifiable Information requires extra care:

  • Full names + other identifying info
  • Email addresses
  • Phone numbers
  • Social security / national ID numbers
  • Financial information (bank accounts, credit cards)
  • Health information
  • Location data
  • Biometric data

Legal requirements (GDPR, CCPA, etc.) often mandate specific handling. When in doubt, treat personal data as Confidential or Restricted.

5. Physical security

Security isn't just digital. Physical access to devices and documents can compromise everything.

Physical security basics:

| Situation | Best practice |
|-----------|---------------|
| Leaving desk | Lock computer (Win+L or Cmd+Ctrl+Q) |
| Leaving office | Secure laptop, clear sensitive documents |
| Public spaces | Use privacy screen, don't discuss confidential matters |
| Visitors | Escort at all times, don't leave alone with computers |
| Documents | Shred confidential papers, use secure print |
| Devices | Don't leave in car, use cable lock when possible |
| Doors | Don't prop open, don't tailgate, challenge unknown people |
| USB/external devices | Don't plug in unknown devices |

Travel security:

Business travelers face additional risks:

  1. Use VPN on hotel/airport WiFi
  2. Enable full disk encryption on laptop
  3. Don't leave devices unattended in hotel room (use safe)
  4. Be aware of shoulder surfers in airports/cafes
  5. Be suspicious of "IT support" that contacts you while traveling
  6. Consider burner devices for high-risk destinations

6. Remote work security

With remote and hybrid work, the home has become an extension of the office.

Home office security:

| Area | Recommendation |
|------|----------------|
| Network | Secure home WiFi with WPA3, unique password |
| Router | Update firmware, change default admin password |
| Work device | Keep separate from personal use if possible |
| Video calls | Be aware of what's visible in background |
| Voice calls | Be careful discussing confidential matters if others can hear |
| Documents | Secure or shred work documents at home too |
| Screen | Lock when stepping away, even at home |

Public WiFi:

| Risk | Mitigation |
|------|------------|
| Traffic interception | Always use VPN |
| Evil twin networks | Verify network name, prefer mobile hotspot |
| Session hijacking | Use HTTPS everywhere, avoid sensitive transactions |
| Shoulder surfing | Privacy screen, sit with back to wall |

7. Incident reporting

Employees need to know how and when to report security concerns. Many incidents go unreported because people fear blame or don't think it's important.

What to report:

  • Phishing emails (even if not clicked)
  • Suspicious phone calls
  • Lost or stolen devices
  • Accidental data exposure
  • Unusual computer behavior
  • Unknown people in secure areas
  • Credentials possibly compromised
  • Anything that feels "off"

Reporting should be:

  1. Easy — One-click report button, simple email address, quick Slack channel
  2. Non-punitive — Reporting isn't admitting guilt
  3. Acknowledged — Thank people for reporting
  4. Actionable — Reports should go somewhere and be acted upon

Example reporting process:

How to report: Email [email protected] · Slack #security-reports · Phone IT helpdesk for urgent issues · "Report Phishing" button in your email client

When reporting, include: what happened, when it happened, any evidence (screenshots, email headers), your contact info for follow-up.

Training formats that work

Traditional security training — hour-long presentations, boring videos, annual checkbox exercises — doesn't change behavior. Here's what actually works:

1. Phishing simulations

Simulated phishing sends safe, controlled phishing emails to employees. Those who click get immediate education. Those who report get praised.

Why simulations work:

  • Experiential learning — People remember what they experience more than what they're told
  • Measurable — Track click rates over time
  • Personalized — Identify who needs more training
  • Real-time feedback — Teachable moment when they click

Running effective simulations:

| Element | Best practice |
|---------|---------------|
| Frequency | Monthly (often enough to build the habit, not so often that the tests become predictable) |
| Difficulty | Start easy, gradually increase sophistication |
| Variety | Different types: credential, attachment, BEC, etc. |
| Realism | Use relevant scenarios (fake company announcements, etc.) |
| Education | Immediate training for those who click |
| Recognition | Thank employees who report |
| Measurement | Track click and report rates over time |

Phishing simulation tools:

| Tool | Best for | Pricing |
|------|----------|---------|
| Gophish | Self-hosted, free | Open source |
| KnowBe4 | Enterprise, comprehensive | Quote-based |
| Proofpoint | Large organizations | Quote-based |
| Cofense | Phishing-focused | Quote-based |
| Hoxhunt | Gamification | Quote-based |
| Microsoft Attack Simulator | M365 customers | Included in some plans |
| Google Security Center | Workspace customers | Included |

Gophish setup example (self-hosted):

```bash
# Download a pinned release and extract it into its own directory
# (the release zip has no top-level folder of its own)
wget https://github.com/gophish/gophish/releases/download/v0.12.1/gophish-v0.12.1-linux-64bit.zip
mkdir gophish
unzip gophish-v0.12.1-linux-64bit.zip -d gophish
cd gophish
chmod +x gophish

# Start Gophish (admin UI listens on 127.0.0.1:3333 by default; see config.json)
./gophish

# Access admin interface at https://localhost:3333
# Default credentials shown in console output on first start
```

Sample simulation campaign schedule:

| Month | Theme | Difficulty | Example |
|-------|-------|------------|---------|
| 1 | Generic phishing | Easy | "Your password expires tomorrow" |
| 2 | Vendor impersonation | Easy | "Your Adobe subscription needs renewal" |
| 3 | Package delivery | Medium | "Your package couldn't be delivered" |
| 4 | Internal sender | Medium | "IT: Required security update" |
| 5 | Current events | Medium | Topic relevant to current news |
| 6 | Spear phishing | Hard | Personalized to recipient |
| 7 | BEC attempt | Hard | "Urgent request from [CEO name]" |
| 8 | QR code phishing | Medium | "Scan for meeting room info" |
| 9 | Voice message | Medium | "You have a voicemail, click to listen" |
| 10 | Tax/HR season | Hard | "Your W-2 is ready" or similar |
| 11 | Multi-stage | Hard | Follow-up email if first opened |
| 12 | Holiday themed | Medium | "Holiday bonus notification" |

2. Micro-learning

Short, focused training modules (5-15 minutes) delivered regularly work better than annual hour-long sessions.

Micro-learning principles:

  • Single topic per module — Password security, not "all of security"
  • Interactive — Quizzes, scenarios, not just slides
  • Mobile-friendly — Complete on any device
  • Regular — Monthly or bi-weekly cadence
  • Just-in-time — Relevant to current threats or events

Example micro-learning calendar:

| Week | Topic | Format | Time |
|------|-------|--------|------|
| 1 | Recognizing phishing | Interactive quiz | 10 min |
| 2 | Password manager basics | Video + hands-on | 15 min |
| 3 | Social engineering stories | Case studies | 10 min |
| 4 | Data classification | Scenario-based | 10 min |
| 5 | Reporting security concerns | Process review | 5 min |
| 6 | Mobile device security | Checklist + quiz | 10 min |
| 7 | Public WiFi safety | Video | 5 min |
| 8 | Recognizing BEC | Interactive scenario | 10 min |

3. Interactive scenarios

Put employees in realistic situations where they make decisions.

Example scenario: Suspicious phone call

Scenario: You receive a call from "Microsoft Support"

"Hello, this is John from Microsoft Security. We've detected suspicious activity on your computer. I need to walk you through some steps to secure it."

What do you do?

  • A) Follow their instructions — Microsoft is trustworthy
  • B) Ask for their employee ID and callback number
  • C) Hang up and report to IT
  • D) Hang up and call Microsoft directly using the official number

Best answer: C or D. Microsoft never makes unsolicited support calls. This is a classic tech support scam. Even asking for an ID gives them more opportunity to manipulate. Hang up immediately and report the attempt.

Example scenario: CEO fraud

Scenario: You're in finance and you receive this email

From: James Wilson <[email protected]>
Subject: Urgent Wire Transfer

Hi, I'm in a meeting and need you to process an urgent wire transfer of $45,000 to a new vendor. This is time-sensitive. I'll send the account details. Please confirm when done.

Thanks, James. Sent from my iPhone.

What red flags do you see? What should you do?

Red flags: sender address isn't the official company domain · urgency pressure · request to bypass normal approval process · "in a meeting" so can't be reached · new vendor with no existing relationship.

Action: Don't process. Verify with James through Slack, a known phone number, or in person. Report to security.

4. Gamification

Make security training competitive and fun.

Gamification elements:

| Element | Implementation |
|---------|----------------|
| Points | Earn points for completing training, reporting phishing |
| Leaderboards | Team or individual rankings (optional — can be demotivating) |
| Badges | "Phishing Detective," "Password Master," "Security Champion" |
| Challenges | Monthly security challenges with prizes |
| Streaks | Maintain streak of not clicking phishing tests |
| Levels | Progress through security skill levels |

Example: Monthly security challenge

January Security Challenge: "Password Power-Up"

Mission: get your personal password security in order.

  • Install company password manager — 50 points
  • Import at least 10 passwords — 25 points
  • Enable MFA on your email — 50 points
  • Check your email on HaveIBeenPwned — 25 points
  • Change any passwords found in breaches — 25 points each
  • Bonus: share a tip with a colleague — +10 points

Prize: top 10 scorers get company swag. Team prize: team with highest average gets pizza lunch.

5. Real story sharing

Real incidents are more memorable than abstract threats.

Sources for stories:

  • Industry-specific breaches
  • Company's own (anonymized) close calls
  • News stories about similar companies
  • Personal experiences (Security Champion's or volunteers')

Story format:

## The $46 Million Email

**What happened:** In 2020, a single email cost Ubiquiti Networks $46.7 million.

**How it worked:** Attackers impersonated a third-party vendor via email. They
convinced finance employees that vendor payment details had changed. Employees
wired money to the new (attacker-controlled) account.

**What made it believable:**
- Email looked professional
- Came during busy period
- Referenced real vendor relationship
- Used urgency to prevent careful checking

**How to prevent:**
- Always verify payment changes via phone using known number
- Don't use contact info from the email requesting the change
- Have two-person approval for large transactions
- Trust your instincts if something feels off

**Discussion:** Has anyone received a suspicious request about payments?

Building your training program

Step 1: Assess current state

Before building a program, understand where you're starting:

Questions to answer:

  1. Does any security training currently exist?
  2. When did employees last receive training?
  3. What topics were covered?
  4. What's the current phishing click rate (if tested)?
  5. How many security incidents originated from employee actions?
  6. What are the biggest behavioral risks?

Quick baseline assessment:

| Metric | How to measure | Target |
|--------|----------------|--------|
| MFA adoption | Check identity provider | 100% on critical systems |
| Password manager usage | Check license usage | 80%+ |
| Phishing click rate | Run baseline simulation | Below 5% |
| Report rate | Track reports to security | Above 50% of simulations |
| Training completion | LMS or manual tracking | 95% |

Step 2: Define objectives

What do you want to achieve? Be specific.

Example objectives:

| Objective | Metric | Target | Timeframe |
|-----------|--------|--------|-----------|
| Reduce phishing susceptibility | Click rate | Below 5% | 6 months |
| Increase reporting | Report rate | Above 60% | 6 months |
| Universal MFA adoption | Accounts with MFA | 100% | 3 months |
| Password manager rollout | Active users | 80% | 6 months |
| Reduce data handling incidents | Reported incidents | 50% reduction | 12 months |

Step 3: Design curriculum

Map topics to training modules and timeline.

Core curriculum (all employees):

| Topic | Format | Duration | Frequency |
|-------|--------|----------|-----------|
| Security fundamentals | Online course | 30 min | Onboarding + annual |
| Phishing recognition | Interactive + simulation | 15 min | Monthly |
| Password security | Video + hands-on | 20 min | Onboarding + annual |
| Data handling | Scenarios | 15 min | Onboarding + annual |
| Social engineering | Stories + quiz | 15 min | Quarterly |
| Physical security | Checklist + video | 10 min | Annual |
| Incident reporting | Process + quiz | 10 min | Onboarding |

Role-specific additions:

| Role | Additional topics |
|------|-------------------|
| Finance | BEC awareness, payment verification, vendor validation |
| HR | PII handling, background check data, employee records |
| Customer support | Customer data handling, social engineering via support tickets |
| Executives | Whaling attacks, high-value target awareness |
| IT/Engineering | Covered in developer-specific training |

Step 4: Select delivery methods

Mix methods based on topic and audience.

Delivery method comparison:

| Method | Best for | Pros | Cons |
|--------|----------|------|------|
| Online courses | Core curriculum | Self-paced, trackable | Can be boring |
| Phishing simulations | Practical skills | Experiential, measurable | Can feel punitive |
| Live sessions | Discussion, Q&A | Interactive, engaging | Hard to schedule |
| Video | Concepts, stories | Easy to consume | Passive |
| Quizzes | Knowledge check | Quick, gamifiable | Tests memory, not behavior |
| Scenarios | Decision-making | Realistic | Time-consuming to create |
| Posters/reminders | Reinforcement | Always visible | Easy to ignore |
| Newsletter | Updates, stories | Regular touchpoint | Often unread |

Step 5: Create content

You don't need to create everything from scratch. Many resources exist.

Free resources:

| Resource | What it offers | Link |
|----------|----------------|------|
| NIST | Phishing awareness resources | nist.gov/itl/applied-cybersecurity/nice |
| CISA | Cybersecurity awareness materials | cisa.gov/resources-tools/programs/national-cybersecurity-awareness-month |
| SANS | Security awareness resources | sans.org/security-awareness-training/resources |
| Google | Phishing quiz | phishingquiz.withgoogle.com |
| Microsoft | Security training templates | Various Microsoft Learn resources |
| Have I Been Pwned | Breach awareness | haveibeenpwned.com |

Commercial training platforms:

| Platform | Strengths | Pricing |
|----------|-----------|---------|
| KnowBe4 | Comprehensive, large library | Quote-based |
| Proofpoint | Email security integration | Quote-based |
| Mimecast | Email security integration | Quote-based |
| Curricula | Storytelling approach | Quote-based |
| Ninjio | Engaging videos | Quote-based |
| Hoxhunt | Gamification, AI-driven | Quote-based |

Step 6: Implement and track

Launch checklist:

  • Get leadership endorsement (email from CEO supporting program)
  • Set up tracking system (LMS, spreadsheet, or training platform)
  • Schedule training in company calendar
  • Communicate program to all employees
  • Send first training module
  • Run baseline phishing simulation
  • Collect initial feedback

Tracking spreadsheet example:

| Employee | Department | Onboarding Complete | Phishing (Jan) | Phishing (Feb) | Q1 Training | Notes |
|----------|------------|---------------------|----------------|----------------|-------------|-------|
| Jane Doe | Engineering | | ✓ (reported) | - | | Champion |
| John Smith | Sales | | ✗ (clicked) | ✓ (reported) | | Improved |
| ... | ... | ... | ... | ... | ... | ... |

Step 7: Iterate and improve

Training isn't set-and-forget. Review and improve continuously.

Monthly review:

  • Phishing simulation results
  • Training completion rates
  • Reports received
  • Any security incidents

Quarterly review:

  • Overall metrics vs. targets
  • Employee feedback
  • New threats to address
  • Content that needs updating

Annual review:

  • Full program assessment
  • Curriculum refresh
  • Tool/platform evaluation
  • Next year planning

Digital hygiene basics guide

One of your workshop deliverables is a "Digital Hygiene Basics" memo. Here's a template:

# Digital Hygiene Basics
## Your guide to staying safe online — at work and at home

### Passwords
✓ Use a password manager (we provide [Tool Name])
✓ Create unique passwords for every account
✓ Enable MFA wherever available
✓ Never share passwords — IT will never ask for yours

### Email safety
✓ Check sender addresses carefully — look for misspellings
✓ Don't click links in unexpected emails — go to the site directly
✓ Report suspicious emails using the "Report Phishing" button
✓ When in doubt, ask IT before clicking

### Device security
✓ Lock your computer when away (Win+L or Cmd+Ctrl+Q)
✓ Keep software updated — don't postpone updates
✓ Only install approved software
✓ Don't plug in unknown USB devices

### Data handling
✓ Only access data you need for your job
✓ Don't send sensitive data over personal email
✓ Use approved file sharing tools, not personal Dropbox
✓ Shred confidential paper documents

### Working remotely
✓ Use VPN when on public WiFi
✓ Keep work and personal separate when possible
✓ Secure your home WiFi with a strong password
✓ Be careful what's visible in video calls

### When something goes wrong
✓ Report immediately — you won't get in trouble
✓ Email: [email protected]
✓ Slack: #security-help
✓ Phone: [IT helpdesk number]

Remember: Reporting is always the right choice.
Better safe than sorry!

Quarterly training plan template

Here's a template for organizing your annual training program:

# Security Awareness Training Plan — [Year]

## Q1: Foundation

### January
- [ ] Kick-off: CEO message about security importance
- [ ] Module: Security basics refresher (all employees)
- [ ] Phishing simulation #1 (baseline)

### February
- [ ] Module: Password security deep-dive
- [ ] Action: Password manager rollout/verification
- [ ] Phishing simulation #2

### March
- [ ] Module: Recognizing social engineering
- [ ] Live session: Q&A with security team
- [ ] Phishing simulation #3
- [ ] Q1 Report to leadership

## Q2: Skill Building

### April
- [ ] Module: Data classification and handling
- [ ] Role-specific: Finance team BEC training
- [ ] Phishing simulation #4

### May
- [ ] Module: Physical security and clean desk
- [ ] Activity: Office security walkthrough
- [ ] Phishing simulation #5

### June
- [ ] Module: Mobile and remote work security
- [ ] Travel security refresher (before summer travel)
- [ ] Phishing simulation #6
- [ ] Q2 Report to leadership

## Q3: Reinforcement

### July
- [ ] Light month: Security tip of the week only
- [ ] Phishing simulation #7

### August
- [ ] Module: Incident reporting procedures
- [ ] Tabletop exercise: Simulated incident
- [ ] Phishing simulation #8

### September
- [ ] Module: New threats and trends
- [ ] Security Awareness Month planning
- [ ] Phishing simulation #9
- [ ] Q3 Report to leadership

## Q4: Celebration and Planning

### October (Cybersecurity Awareness Month)
- [ ] Special activities and events
- [ ] Guest speaker or video
- [ ] Security challenge with prizes
- [ ] Phishing simulation #10

### November
- [ ] Module: Holiday security (shopping, travel)
- [ ] Year-end security checklist
- [ ] Phishing simulation #11

### December
- [ ] Light month: Appreciation and recognition
- [ ] Year-in-review newsletter
- [ ] Phishing simulation #12
- [ ] Annual Report and next year planning

## Metrics Tracked

| Metric | Q1 Target | Q2 Target | Q3 Target | Q4 Target |
|--------|-----------|-----------|-----------|-----------|
| Training completion | 90% | 95% | 95% | 95% |
| Phishing click rate | under 15% | under 10% | under 7% | under 5% |
| Phishing report rate | >40% | >50% | >60% | >70% |
| MFA adoption | 95% | 100% | 100% | 100% |

Common mistakes to avoid

Making training punitive. Shaming people who click phishing tests backfires. They stop reporting and hide mistakes. Use failures as teaching moments, not punishment.

Annual training only. Once a year isn't enough. People forget. Threats evolve. Monthly touchpoints keep security top of mind.

Boring content. If employees zone out during training, they're not learning. Use stories, interactivity, variety. If you're bored creating it, they'll be bored watching it.

One-size-fits-all. Different roles face different threats. Customize training for high-risk groups (finance, executives, customer data handlers).

Not measuring. Without metrics, you don't know if training works. Track phishing rates, training completion, incident reports.

Focusing only on knowledge. Testing what people know isn't the same as testing what they do. Simulations test actual behavior.

Forgetting leadership. Executives are high-value targets and role models. They need training too — and their participation signals importance.

Overloading. Too much training causes fatigue. Keep modules short, space them out, respect people's time.

Workshop: create your program

Part 1: Assess current state

  1. Inventory existing training:

    • What training exists today?
    • When was it last updated?
    • What topics are covered?
    • What's missing?
  2. Gather baseline metrics:

    • Run initial phishing simulation OR
    • Survey employees on security practices
    • Check MFA adoption rates
    • Review past incident reports

Part 2: Design curriculum

  1. List topics to cover:

    • Required (phishing, passwords, data handling)
    • Role-specific (finance, executives, etc.)
    • Company-specific (your tools, policies)
  2. Choose delivery methods:

    • Online modules for core content
    • Phishing simulations monthly
    • Live sessions quarterly
    • Newsletter monthly
  3. Create calendar:

    • Use the template above
    • Adapt to your company calendar
    • Avoid busy periods

Part 3: Create first content

  1. Write "Digital Hygiene Basics" guide:

    • Use template above
    • Customize with your company's tools
    • Get review from IT/leadership
    • Design for easy distribution (poster, PDF, intranet)
  2. Set up phishing simulation:

    • Choose tool (Gophish free, or commercial)
    • Create first campaign (easy difficulty)
    • Plan immediate training for those who click
    • Plan recognition for those who report

Artifacts to produce

After this workshop, you should have:

  1. Current state assessment — document of existing training and baseline metrics
  2. Training curriculum — topics, formats, and schedule
  3. Quarterly training plan — detailed 12-month calendar
  4. Digital Hygiene Basics guide — ready to distribute to employees
  5. Phishing simulation plan — first 3 campaigns designed

Self-check questions

  1. What percentage of breaches involve human error?
  2. What are five red flags that indicate a phishing email?
  3. Why is password reuse dangerous?
  4. What are three types of social engineering attacks?
  5. What should employees do when they receive a suspicious email?
  6. Why are phishing simulations more effective than lectures?
  7. What's the problem with annual training only?
  8. How do you measure whether security training is working?
  9. What's the difference between knowledge testing and behavior testing?
  10. How should you handle employees who repeatedly fail phishing tests?

How to explain this to leadership

Start with business impact: "Human error causes 68% of breaches. A single phishing click can cost millions. Training reduces our biggest risk factor."

Show the gap: "Right now, [X%] of our employees have never received security training. When we tested with a simulated phishing email, [Y%] clicked."

Present the plan: "I'm proposing monthly security training — 15 minutes per employee. We'll run phishing simulations to measure improvement. Target: reduce click rate from [X%] to under 5%."

Address concerns:

  • "Time cost is minimal — 15 minutes monthly vs. days or weeks recovering from an incident"
  • "Tools are affordable — we can start with free resources and basic simulations"
  • "We'll measure results — you'll see metrics quarterly"

Connect to other goals:

  • "Customers and partners increasingly ask about security training as part of vendor assessments"
  • "This supports our SOC 2 / ISO 27001 / [compliance] goals"
  • "It protects our reputation and customer trust"

Password managers

  • Passwork — business password and secrets manager, on-premise or cloud

Conclusion

Awareness training works when it's specific, repeated, and followed up. A one-hour annual presentation doesn't change behavior. Monthly simulations, short videos, and quick wins do.

Start with phishing — it's measurable, relatable, and the most common attack vector your employees face.

What's next

Next: developer security curriculum — structured security training for the people writing the code.