5 Ways To Get Phishing and Security Awareness Training Right, 1 Way To Get It Wrong

By: Glenn Sweeney
May 21, 2025

You may have seen a stat like this before: 91% of all cyberattacks begin with a phishing email. So logically, you’d think that most organizations would be throwing more resources into helping staff recognize and report phishing. Well, we’ve got some good and bad news.  

88% of organizations do use some form of security awareness program, but 70% still say their employees lack fundamental security awareness. Believe it or not, those stats have a simple explanation. Not all security awareness training is the same, and too many organizations are taking a check-the-box approach. In this blog, our cybersecurity team explores what phishing training should look like.

How Often Should Security Awareness Training Be Conducted?


Most people forget 80% of what they’ve learned after four weeks, unless what they’ve learned is reinforced. Phishing tactics also change frequently, sometimes in weeks or months. 

If you look online, you’ll find a lot of outdated advice suggesting training should be provided every 4-6 weeks. We’ve even seen some blogs advising companies to provide training at least twice a year. 

This is not enough in 2025. Ideally, companies should be providing ongoing training, with weekly or monthly sessions as well as phishing simulation tests. Depending on how well your staff performs, you can adjust from there. 

What Is the Most Important Aspect of Security Awareness Training?

Easy answer. It should be presented as the vitally important security provision that it is. 

Your security awareness program shouldn’t be seen as a necessary annoyance or a checked box. First and foremost, your employees should understand that tools can’t catch everything. In fact, hackers are getting very clever about bypassing sophisticated email security tools. And this means going on autopilot can be very, very dangerous. 

What 5 Things Should Your Cybersecurity Awareness Training Include? 


Those who have found cybersecurity awareness training to be boring or a waste of time haven’t experienced good cybersecurity awareness training. 

It’s got all the stuff humans find fascinating — lies, catastrophes, plots, good guys and bad guys, and even revenge. And best of all, every single one of your staff can be heroes when they sniff out a scam and report it. 

That’s all good stuff. So don’t leave any of it out, but start with the basics … 

1. The Cyber Threats Your Staff Could Encounter

There are many different threats your staff should know about. Phishing is a big one, but it isn’t the only one, and not all phishing looks the same.

Spam

This isn’t just limited to direct email anymore. You might receive an invite from a “friend” to add them on LinkedIn. Major social networks we trust are a common way for hackers to hide behind a false identity and catch you in a weak moment.

Malware

Most simply defined as “malicious software,” malware is any type of software designed to cause harm to a device, such as worms, viruses, trojans, and rootkits.

Phishing

This is the practice hackers use to essentially cast a wide net of bait and pull in whatever they catch. Phishing consists of emails that look genuine but include dangerous links that steal passwords or personal information.

Spear Phishing

Spear phishing is a form of phishing where hackers go after specific individuals or organizations.

Whaling

Whaling attacks specifically target very high-profile individuals, such as politicians or CEOs of large corporations, who have privileged access to data and financial information. However, small business owners aren’t exempt.

Fraud Prevention

Businesses can face fraud in a number of ways. Identity theft tends to be the most prominent method, with over 4.8 million reported cases in 2020. Other methods of fraud include return fraud, money fraud, workers' comp fraud, and payroll fraud.

2. Email, Internet, Social Media, and Privacy Policies

It’s important to explicitly outline rules for browsing and social media usage on company devices, and while using company email addresses. The browsing habits of your employees can be one of the largest threats your company faces in the fight against malicious cyber schemes.

It is crucial that your cybersecurity training includes rules on “What not to click” and when to be hyper-aware of social media emails that request a login.

Certain websites are also higher risk than others. So, to reduce that exposure, include training on which websites and social networks are off limits while on the clock. Better yet, invest in software that flags suspicious emails and websites.

3. The Importance of Secure Passwords and Multifactor Authentication

Your passwords are the key to your cyber kingdom, but attackers have plenty of ways to try to crack the code. The primary way they obtain important passwords is by making educated, calculated guesses until they get it right. Educate your employees on how to create secure passwords.

Secure passwords are good, but if an employee accidentally gives away their password in a phishing scam, there’s a fail-safe, and that’s multi-factor authentication (MFA).

MFA can sometimes be perceived as an annoyance. However, it’s worth reminding anyone who expresses that annoyance that they use MFA every time they get cash from a machine. In addition to using their card, they’re also required to enter a PIN, which means that even if their card were stolen, it couldn’t be used to wipe out their bank account. 

It just takes a few seconds, but it’s necessary to protect consumer checking accounts. These days, it’s just as necessary to protect the business they work for.

4. Threat Recognition and Response Training

Phishing techniques have come a long way since the “You’ve been selected to receive $100,000, we just need your wiring info” tactic. And as cybercriminals are also using AI, you can no longer rely on spelling errors and grammatical mistakes to give them away. 

The more typical phishing email these days might look innocuous, even boring. Here’s an example: an employee receives a professional-looking email notifying them of a suspicious login attempt on their Google account. When they click the link, an authentic-looking website asks them to enter their real login credentials.

Suspicious activity can also include urgent requests to click or download something, like a corrupted PDF link. 

No one’s perfect, and accidents do happen, which is also why employees should be aware of your incident response plan.

They should also be instructed on what to do if they simply spot a suspicious email. 

5. Regular Phishing Tests

Create periodic emails and clickable links that simulate modern phishing tactics to see if your employees are still alert and up to date in recognizing phony accounts and requests. 

By scheduling weekly, bi-weekly, or monthly simulated attacks, your employees will actually become defense assets. 

The Single Easiest Way To Make Security Awareness Training Fail


You shouldn’t be training your staff to be cybersecurity experts or to make judgment calls that aren’t theirs to make. They will make mistakes. But if they’ve been trained correctly, they should err on the side of caution, and that means they’ll sometimes report something that isn’t a threat. 

If an employee red flags a legitimate email, that’s still great! Never treat these false flags as an annoyance. It will undermine the effectiveness of your training and erode the culture you’re working to build. 

Security Awareness Training for Employees

Many companies offer affordable training and phishing simulation programs that have proven themselves to be highly effective, and go a long, long way towards helping you create a culture of security. As cybercriminals continue to find more ways to avoid traditional cybersecurity tools, investments in this area are dollars wisely spent. That’s why you’ll find security awareness training on any reputable cybersecurity organization’s list of non-negotiables now. 

Our own checklist is modeled on recommendations by the Center for Internet Security and the National Institute of Standards and Technology’s Cybersecurity Framework.
