Most companies say security awareness training is vital. Posters on the walls, quizzes in inboxes, a once-a-year phishing drill. Yet breaches still start with one careless click. If training really worked as promised, why do the same incidents keep happening?
It is easy to blame Bob in Accounts for clicking a link he should have spotted. Harder to admit we expect Bob to think like a security analyst while chasing invoices and month-end targets. The reality is that most people will never think like infosec professionals, and they should not have to.
Research backs this up. For example, a recent Cyentia study found that even well-designed awareness programmes often produce only small changes in behaviour. One-off sessions fade within weeks.
The 2024 Security Awareness report from the SANS Institute found that mature programmes were on average managed by four full-time staff. Yet time and resources were still the two factors found to limit the effectiveness of such programmes.
So what keeps going wrong?
Comfort in Automation, False Sense of Safety
Smart security tools promise to block threats before they ever reach someone’s screen. So people relax. If the system is doing the watching, why worry? That mindset buries training at the bottom of the to-do list.
Complacency follows. If a company has not seen a big incident yet, staff assume they are safe. Routine tick-boxes create a false sense of protection. Another click seems harmless.
Compliance Over Commitment
Rules alone do not make people care. In highly regulated sectors, people often treat security as a checkbox. Pass the quiz, file the certificate, move on. The audit might look fine, but nobody is really looking for that rogue invoice that could trigger a breach.
Leaders set the tone. If the board only mentions security once a year, staff will match that attitude. And when mistakes happen without consequence, the quiet message is that they do not matter.
Alert Fatigue and Shifting Responsibility
When inboxes fill up with warnings that rarely matter, staff stop paying attention. The real threats get lost in the noise. At the same time, big investments in clever tech can send the wrong signal. If we have all these tools, someone else must be responsible for catching problems.
The result? Security feels like someone else’s job, not everyone’s concern.
Too Much Asked of Too Many
The biggest flaw in poor training is the myth that every employee can be a human firewall. They cannot. They have other jobs to do. Good security training accepts that fact and works with it.
It does not rely on fear or one-off slideshows. It matches the real world. It shows people exactly what to watch for, when to watch for it, and why it matters. It uses scenarios they actually face, not made-up horror stories.
What People Actually Need (Not More Theory)
You are probably thinking “Fine, but what do I actually do tomorrow?” Fair enough. Here is what works when you do not expect everyone to become a security expert.
Start with what really happens. Do not waste time on generic phishing examples. If your finance team gets fake invoice emails, build training around that. If HR gets calls asking for staff details, role-play that call. Use real near-miss examples, scrubbed of details, but real.
Make reporting a simple process. If reporting a suspicious email takes five clicks and a form, people will not bother. If your secure file sharing tool is buried in a menu, they will use Dropbox. Fix the process first, then train on it.
Keep sessions short, snappy and regular. Nobody remembers a two-hour slideshow from eight months ago. Try this instead: five minutes every two weeks. One scenario, one lesson, one thing to remember.
Measure the right things. Completion rates mean nothing. Quiz scores are theatre. What matters is whether people actually report weird emails, pause before clicking links, ask questions when something feels off. Measure that instead.
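One way to turn that advice into numbers is to score a phishing simulation on reporting behaviour rather than completion. The script below is an added example, not part of the original post or any BMIT tooling: it takes per-user simulation records (sent, clicked, reported timestamps; the sample data is constructed) and computes the report rate, the click rate, how many people who clicked still reported afterwards, and how quickly the first report reached the security team. The field names and the `SimulationEvent` record are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional

@dataclass
class SimulationEvent:
    """One recipient's outcome in a simulated phishing campaign (hypothetical record shape)."""
    user: str
    sent_at: datetime
    clicked_at: Optional[datetime]   # None if the link was never clicked
    reported_at: Optional[datetime]  # None if the email was never reported

# Constructed sample campaign: five recipients, one send time.
BASE = datetime(2024, 6, 3, 9, 0)
SAMPLE_EVENTS = [
    SimulationEvent("alice", BASE, None, BASE + timedelta(minutes=4)),                    # reported only
    SimulationEvent("bob", BASE, BASE + timedelta(minutes=2), None),                      # clicked, stayed quiet
    SimulationEvent("carol", BASE, BASE + timedelta(minutes=1), BASE + timedelta(minutes=3)),  # clicked, then reported
    SimulationEvent("dave", BASE, None, None),                                            # ignored it
    SimulationEvent("erin", BASE, None, BASE + timedelta(minutes=40)),                    # reported late
]

def minutes_between(later: datetime, earlier: datetime) -> float:
    return (later - earlier).total_seconds() / 60

def behaviour_metrics(events: list) -> dict:
    """Score a campaign on what people did, not on whether they finished a module."""
    total = len(events)
    reported = [e for e in events if e.reported_at is not None]
    clicked = [e for e in events if e.clicked_at is not None]
    # Clicking and then reporting is the recoverable outcome: the SOC still hears about it.
    clicked_then_reported = [e for e in clicked if e.reported_at is not None]
    report_delays = [minutes_between(e.reported_at, e.sent_at) for e in reported]
    return {
        "report_rate": len(reported) / total,
        "click_rate": len(clicked) / total,
        # Share of clickers who reported anyway; guard against a campaign with no clicks.
        "click_then_report_rate": len(clicked_then_reported) / max(len(clicked), 1),
        "median_minutes_to_report": median(report_delays) if report_delays else None,
        # Time until the first report: how long the campaign ran before anyone could respond.
        "first_report_minutes": min(report_delays) if report_delays else None,
    }

if __name__ == "__main__":
    for name, value in behaviour_metrics(SAMPLE_EVENTS).items():
        print(f"{name}: {value}")
```

Tracked campaign over campaign, a rising report rate and a falling first-report time say more about a programme than any quiz score; a high click-then-report rate shows people feel safe owning up, which is the culture the next section describes.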
Accept that some people will always click things. Your goal is not to make everyone perfect. It is to make sure enough people spot enough threats that you are not relying on luck. Build systems that assume human error, not ones that depend on human perfection.
Get department heads involved. If the sales manager never mentions security, the sales team will not care. If the CFO talks about protecting data in team meetings, accounting will listen. Make it part of how managers actually manage, not just an HR or compliance tick-box.
The reality is this: good security awareness is not about creating paranoid employees. It is about building a workplace where people feel comfortable saying, “This email looks wrong,” without feeling stupid. Where the secure choice is the easy choice. Where security is just part of how things get done, not a thing that gets in the way.
That is harder than buying a training platform and calling it done. But it is the only approach that works when it matters. That is the standard we hold ourselves to as well.
Because people will always make mistakes. Good security does not pretend they will not; it plans for them.
BMIT provides security awareness training as part of its vCISO package of services. BMIT’s expert security trainers, using the latest in awareness training resources, offer training targeting technical and non-technical teams. Talk to us today!