Security Awareness Training: What Actually Changes Behaviour

Security awareness training isn't a Cyber Essentials control. But 85% of businesses identifying breaches in 2025 experienced phishing attacks (Cyber Security Breaches Survey). Your firewall, your patching, and your access controls all do their jobs, and then someone clicks a link in an email that looks like it came from the managing director. Training is the control that protects every other control.
Why does most training fail?
Most security awareness training is a slideshow that happens once a year. Staff sit through it because they have to. They answer some questions at the end, get a certificate, and forget everything by the following week.
Honestly, that's compliance theatre and nothing more. The box is ticked, and the behaviour doesn't change.
Here's what actually works based on the programmes I've seen succeed. It's short, it's frequent, and it's specific to the threats your people actually face. A finance team needs training on invoice fraud and business email compromise. A reception team needs training on tailgating and phone-based social engineering. Generic "don't click on suspicious links" slides don't address either of those scenarios.
What does good training look like?
Good security awareness training has three parts, and all three matter.
Baseline education
Start with a session that covers the basics: what phishing looks like, why passwords matter, how to report something suspicious, and what happens if things go wrong. Keep it under an hour and focused. Use real examples that are relevant to your industry, not screenshots of obviously fake emails that nobody would actually fall for.
Most training sessions still use phishing examples from 2018 with broken English and obvious red flags. Everyone in the room spots them and nobody learns anything useful from the exercise. Then a simulated phishing email arrives that looks like a SharePoint sharing notification from the managing director, and 14 people click it. The training prepared them for the wrong threat.
The baseline session sets the standard for everything that follows. After this, everyone in the organisation should know what is expected of them and where to report concerns. The reporting channel matters as much as the content. People need a clear, easy way to flag suspicious emails. A button in Outlook that forwards the email to IT is the simplest approach. If reporting requires opening a ticket system, logging in, and filling out a form, nobody will bother.
Regular phishing simulations
Simulated phishing emails sent regularly (monthly is a good cadence) are the most effective reinforcement tool available. They work best when they provide immediate feedback. If someone clicks, they should see a page explaining what they missed and what the warning signs were. That teaches in the moment, when the lesson is most relevant.
Tracking click rates over time tells you whether your training is working. If your click rate drops from 25% to 5% over six months, the training is doing its job. That's a relief for any business that's been worried about phishing risk. If it stays flat, the training needs to change.
What doesn't work is using simulations to punish people. If clicking a test email leads to a disciplinary conversation, staff stop reporting real suspicious emails because they're stressed about getting caught. Bottom line: the whole point of reporting is that people feel safe doing it.
Ongoing reinforcement
Short reminders between formal sessions keep security visible. A two-minute video about a current phishing trend. A brief email when a new attack technique is doing the rounds. A reminder before holiday periods, when phishing spikes because offices are short-staffed and people are distracted.
The goal is to keep security in people's minds without turning it into background noise. Some organisations put a one-paragraph security tip in their weekly all-hands email. It takes 30 seconds to read, it's always about something current, and it costs nothing. That works better than formal training because it's woven into something people already read.
What threats should the training cover?
Focus on the threats that actually hit UK businesses, not theoretical attacks that make for exciting slides but rarely happen in practice.
| Threat | Who It Targets | Training Priority |
|---|---|---|
| Phishing emails | Everyone | High (85% of breaches involve phishing) |
| Business email compromise | Finance teams, senior staff | High |
| Phone-based social engineering | Reception, helpdesk, customer service | Medium |
| Invoice fraud | Accounts payable, procurement | High |
| Password reuse | Everyone | Medium |
| Removable media (USB) | Anyone with physical access | Low (declining threat vector) |
| Tailgating and physical access | Office-based staff, reception | Medium |
The phishing stat (85% of breach incidents, 2025 Breaches Survey) tells you where to put most of your training effort. Business email compromise is the second priority because it targets high-value transactions.
The role-specific problem
Generic training treats every employee the same, and it should not. The threats that target your finance team are different from the threats that target your reception staff, and both are different from the threats facing your IT administrators.
Finance teams need training on business email compromise and invoice fraud. These attacks cost UK businesses millions annually, and they don't involve malware or technical exploits. Look, they involve a well-written email from what appears to be the CEO asking for an urgent wire transfer, or a supplier notification that bank details have changed. I know of a case where a single fraudulent invoice cost a business £47,000. The technical controls in CE do nothing to prevent someone manually transferring money to the wrong account.
IT administrators need training on credential harvesting that specifically targets admin accounts. A phishing email that captures a standard user's credentials is a problem. A phishing email that captures a domain admin's credentials is a catastrophe. Admin staff should be on a heightened alert posture, and their training should reflect the higher consequences of their access being compromised.
Reception and customer-facing staff need training on phone-based social engineering. Someone calls claiming to be from the IT department and asks to verify a password. Someone claims to be a courier and needs to be let into the server room to deliver equipment. These scenarios exploit helpfulness, which is exactly the quality you hired these people for, and training needs to address that tension honestly.
How does this connect to Cyber Essentials?
Security awareness training is not one of the five technical controls that Cyber Essentials assesses: firewalls, secure configuration, user access control, malware protection, and patch management. You will not fail CE because you do not have a training programme.
But training protects those controls from the inside. Multi-factor authentication stops credential theft, unless the user gives the MFA code to an attacker over the phone. Malware protection catches known threats, unless someone downloads a file from a link they were told to trust. Patching keeps software current, but it does not stop a user wiring money to a spoofed supplier.
For organisations going through CE or CE Plus, investing in awareness training alongside the technical controls gives you better protection for relatively low cost. Most training platforms charge a per-user monthly fee, and some are free for smaller organisations.
What should you measure?
Training without measurement is just activity with no feedback loop. You need to know whether it's working.
Phishing simulation click rate is the most direct measure. Track it monthly. A downward trend means people are getting better at spotting attacks.
Reporting rate matters as much as click rate. If staff spot a suspicious email and report it, that's a win even if someone else clicked. A high reporting rate means people are engaged and know what to do.
Time to report tells you how quickly people flag things. A suspicious email reported in five minutes gives your IT team time to act. One reported three days later is useful information, but the damage may already be done.
Incident outcomes connect training to actual results. When a real phishing email arrives (and it will), did anyone click, did anyone report it, and what happened next? These real-world outcomes are the true measure of whether your training programme is doing its job.
What should the training NOT do?
A few things to avoid:
Don't humiliate people who click. Public shaming or disciplinary action for failing a simulation is counterproductive. People stop reporting real threats because they're afraid of being punished for making a mistake.
Don't make it too long or too infrequent. Ninety-minute annual sessions have the worst retention rate of any training format. Twenty minutes every quarter, supported by monthly simulations, is more effective and easier to schedule.
Don't use obviously fake examples in your simulations. If your simulated phishing email is full of spelling mistakes and claims to be from "Micorsoft", nobody learns anything. Use realistic simulations that mirror what actual attackers send, because that's what your staff will actually face.
Do not treat it as a one-off project. Security awareness is an ongoing process, not a project. Threats change, staff change, and complacency sets in. Build it into your annual cycle and keep it there.
Do not use guilt or fear as the primary motivator. Training that opens with ransomware horror stories and footage of data breaches creates anxiety without building competence. People need to know what to do, not just what to be afraid of. The training that sticks is the training that makes people feel capable of handling the threat, not overwhelmed by it.
Choosing a training platform
There are dozens of security awareness platforms on the market and I am not going to recommend a specific one because the landscape changes and my recommendation would be outdated within the year. The features that matter for a small or medium business:
A phishing simulation engine that lets you customise templates and schedule campaigns. Pre-built templates are fine for starting, but you want the ability to create scenarios relevant to your industry. A law firm needs different phishing templates than a manufacturing company.
Automated enrolment for new starters is essential. If someone joins the company and does not get added to the training programme until three months in, that is three months of exposure without any baseline education.
Reporting dashboards that show trends over time, not just a snapshot of the last simulation. You want to see whether click rates are dropping quarter over quarter, and whether specific departments are improving or staying flat.
Short content matters more than people think. If the training modules are 45-minute videos, nobody will complete them voluntarily. The platforms that work best deliver content in chunks of five to ten minutes. People can fit that into a coffee break. They cannot fit a lecture into a working day without resenting it.
Where to start
If you don't have a training programme in place:
- Run a baseline phishing simulation before any training. This gives you an honest starting point.
- Deliver a short initial session covering the basics: phishing, passwords, reporting.
- Start monthly phishing simulations with immediate feedback.
- Track click rates and reporting rates over six months.
- Adjust the training based on what the numbers tell you.
If you already have a programme and it is not working (click rates have not dropped, nobody reports anything), the problem is usually one of three things: the training is too generic, it happens too infrequently, or people have been punished for failing and have disengaged.
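As an added example (not code from this article or from any training platform), here is a small Python scorer for the measures described under "What should you measure?" and for steps 4 and 5 of the starting plan above: click rate, reporting rate and median time to report per simulation campaign, a per-department breakdown so you can see which teams stay flat, and the first-versus-latest comparison that tells you whether the programme is improving or whether people have disengaged. The Event schema and the campaign records are constructed sample data, not a real platform's export format.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional
@dataclass
class Event:  # one simulated phishing email to one user (constructed schema, not a vendor's)
    campaign: str                 # campaign label, e.g. "2025-01"
    department: str
    sent: datetime
    clicked: Optional[datetime]   # when the link was clicked, if at all
    reported: Optional[datetime]  # when the report button was used, if at all

def campaign_metrics(events):
    """Per campaign: click rate %, report rate % and median minutes to report."""
    grouped = {}
    for e in events:
        grouped.setdefault(e.campaign, []).append(e)
    out = {}
    for name, evs in sorted(grouped.items()):
        clicks = sum(e.clicked is not None for e in evs)
        mins = [(e.reported - e.sent).total_seconds() / 60 for e in evs if e.reported]
        out[name] = {"click_rate": round(100 * clicks / len(evs), 1),
                     "report_rate": round(100 * len(mins) / len(evs), 1),
                     "median_minutes_to_report": round(median(mins), 1) if mins else None}
    return out

def department_click_rates(events, campaign):
    """Click rate % per department in one campaign, to see which teams stay flat."""
    by_dept = {}
    for e in events:
        if e.campaign == campaign:
            by_dept.setdefault(e.department, []).append(e.clicked is not None)
    return {d: round(100 * sum(c) / len(c), 1) for d, c in sorted(by_dept.items())}

def verdict(metrics):
    """First vs latest campaign, read the way the article reads the numbers."""
    first, last = metrics[min(metrics)], metrics[max(metrics)]
    if last["click_rate"] < first["click_rate"] and last["report_rate"] > first["report_rate"]:
        return "improving"
    return "reporting not rising" if last["report_rate"] <= first["report_rate"] else "click rate flat"
# Constructed sample: a January baseline and a June campaign, three users each.
S1, S2 = datetime(2025, 1, 6, 9, 0), datetime(2025, 6, 2, 9, 0)
SAMPLE = [
    Event("2025-01", "finance", S1, S1 + timedelta(minutes=5), None),
    Event("2025-01", "finance", S1, S1 + timedelta(minutes=12), None),
    Event("2025-01", "reception", S1, None, S1 + timedelta(days=3)),
    Event("2025-06", "finance", S2, None, S2 + timedelta(minutes=4)),
    Event("2025-06", "finance", S2, S2 + timedelta(minutes=7), None),
    Event("2025-06", "reception", S2, None, S2 + timedelta(minutes=10)),
]
```

A "reporting not rising" result with a flat click rate is the disengagement pattern described above; a rising report rate with a flat click rate points at the content or cadence instead.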
What it costs and what it saves
Most training platforms charge between £1 and £4 per user per month. For a 30-person business, that works out at roughly £360 on the low end and £1,440 on the high end annually. Some platforms offer free tiers for very small organisations.
The cost of not training is harder to quantify until something goes wrong. The average cost of a cyber incident for small businesses in the UK is well documented in the annual Breaches Survey. The reputational damage, the recovery time, the lost contracts, and the management distraction aren't. I've watched businesses spend weeks recovering from phishing attacks that a trained employee would have spotted and reported in 30 seconds.
The business case is not about the training platform cost. It is about the cost of the incident it prevents. One prevented business email compromise attack pays for the training programme for a decade.