
Do Your Employees Receive Regular and Effective Cybersecurity Training?

A practical guide to cybersecurity awareness training that actually changes behaviour. What good looks like in 2026, why most programs fail, role specific curricula, simulation done right, and the metrics worth reporting to the board.

Raju Gautam, January 19, 2026, 17 min read

Are Your Employees Equipped with Effective Cybersecurity Training to Combat Evolving Threats?

Most organisations have a security awareness program. Almost none of them work the way leadership thinks they do. The annual e-learning module, the once a year phishing simulation, the compliance check box exercise: these tick the audit requirement and barely move the actual risk needle. In 2026, with AI authored phishing at scale and deepfake voice and video walking past trained employees in under a minute, the gap between "we have training" and "our training works" has never mattered more.

This post is a practitioner view of what good security awareness training looks like, what it costs, what to measure, and how to build a culture where reporting an incident is rewarded rather than punished. It is written from the field, after running these programs and these assessments at organisations from twenty person fintech startups to ten thousand person enterprises.


TL;DR

  1. Generic, annual, video based training does not change behaviour. It satisfies auditors. Plan accordingly.
  2. The programs that work are role specific, simulation driven, and continuous. They cost more in time, less in money than most teams expect.
  3. Phishing simulation is useful only when it is current, role appropriate, and run inside a no blame reporting culture. Done wrong, it is worse than no simulation at all.
  4. Click rate is the wrong KPI. Reporting rate, time to report, and behaviour during real incidents are the metrics that matter.
  5. AI changed the threat landscape and the training landscape. Update both. Training that still says "look for typos" is doing harm.

Why most awareness programs do not work

Walk into any compliance led security program and you will find the same shape. A learning management system pushes a generic video to every employee in January. The video covers password hygiene, phishing red flags, and a vague reminder about data classification. Employees click through it at 1.5x speed during a calendar block. A quiz at the end is passed by 99 percent of the workforce on the first try. The compliance team marks the year complete.

In the meantime, the threats are evolving every quarter. The attacker tradecraft your employees were briefly warned about in January is obsolete by April. The phishing red flags they were taught (poor grammar, generic greetings, suspicious sender domains) are gone in a 2026 attack: AI authored email is grammatically perfect, personalised by name and active project, and arrives from a domain that passes basic verification. The video did its job. The employees did their job. The program is still failing because the program is not measuring what matters.

We see four root causes in the field:

  1. Training cadence does not match threat cadence. Threats evolve every quarter. Training fires once a year. The half life of awareness is days, not months.
  2. Generic content does not build role specific judgement. A finance officer needs different judgement than an engineer. A blanket curriculum trains both for nothing in particular.
  3. Click rate KPIs distort incentives. Teams game the metric. SOC analysts hide real incidents to keep the click rate down. Managers refuse to be tested. The metric stops measuring reality.
  4. Reporting culture is punitive. Employees who fall for a simulation are publicly shamed, threatened with retraining, or worse. Real incidents go unreported because the cost of reporting is higher than the cost of staying quiet.

If your program has any of these four traits, it is doing harm. The best step is often to stop the program entirely and rebuild from a different premise.

What good awareness training looks like in 2026

Three principles separate programs that change behaviour from programs that satisfy auditors.

One, role specific curriculum

The CEO does not need to know what a SQL injection is. The accounts payable team does not need a deep dive on container security. The senior engineer does not need a refresher on password length policy. Generic curricula waste everyone's time and build no specific judgement anywhere.

Role specific tracks work because they put the training squarely in the path of the threats that role actually faces. The accounts payable team studies vendor email compromise, callback policy, and AI vishing. The engineering team studies phishing aimed at developers, GitHub OAuth abuse, and cloud credential exposure. The executive team studies wire fraud, deepfake assisted social engineering, and the specific tradecraft used against high profile targets.

A reasonable role specific structure for a mid sized organisation:

  1. Finance and accounts payable. Vendor email compromise, callback policy, AI vishing recognition, wire fraud playbook, sanction screening basics.
  2. Executive support and communications. Whaling, deepfake voice and video, calendar abuse, social engineering through assistants, secure travel briefings.
  3. Engineering and IT. Developer targeted phishing, cloud credential hygiene, secrets management, secure code review fundamentals, supply chain attack patterns.
  4. HR and recruiting. Document handling, candidate fraud (deepfake interviews), benefits fraud, data protection regulation specific to personnel records.
  5. Sales and customer facing. Pretexting on calls, customer impersonation, document handling, public speaking and conference safety.
  6. General workforce. Password and MFA hygiene, generic phishing recognition, reporting procedure, basic data classification.

The first five tracks each require ninety to one hundred and twenty minutes per quarter. The sixth, the general track, is shorter (forty five minutes per quarter is plenty) but covers the universal basics that every employee needs.

Two, simulation driven not slide driven

People learn security from doing security, not from watching slides about security. Effective programs run continuous role specific simulations: phishing campaigns tuned to the role, mock vishing calls against finance, tabletop exercises against the executive team, capture the flag exercises for engineers.

A useful annual rhythm:

  1. Quarterly phishing simulation per role. Different theme, different sender, different bait per quarter.
  2. Twice yearly vishing simulation against finance and executive teams. Different scenarios. AI generated voice is now table stakes for these.
  3. Annual deepfake video simulation against the executive team. Done with consent, framed as a controlled exercise.
  4. Quarterly tabletop for the executive team. Fifteen minutes. One scenario. What do you do?
  5. Annual capture the flag for engineering. Internal or external, depending on team size and budget.

Three, current content

Training content has a shelf life. The deck you wrote in 2023 is not safe to use in 2026 because the attacker tradecraft it describes is mostly extinct. Refresh content quarterly. If the deck still says "look for typos" or "verify the sender's email address by hovering over it", retire it. Modern phishing has no typos, and senders pass alignment checks on infrastructure that looks legitimate.

The minimum quarterly refresh covers:

  1. Current attack patterns in your sector, drawn from threat intelligence and incident reports from peer organisations.
  2. Updated examples showing real phishing and social engineering tradecraft from the last ninety days.
  3. New defensive controls that your IT or security team has deployed, with a short briefing on why and how to use them.
  4. Lessons from any incidents in your own organisation, anonymised and shared so the entire workforce learns from one team's experience.

Phishing simulation, done right

Most phishing simulation programs are run wrong, and the wrong kind is worse than no program at all. The wrong kind looks like this: an annual generic phishing email goes to every employee, the click rate is reported to the board, employees who clicked are forced to retake the e-learning module, and nothing changes. Click rates trend down because employees learn to recognise this specific simulation, not because they got better at recognising real phishing.

The right kind of simulation looks different.

Match the threat surface

The simulation imitates current attacker tradecraft. If finance teams are being targeted with vendor email compromise in your sector, the simulation imitates vendor email compromise. If engineering teams are being targeted with fake security alerts about cloud credentials, the simulation imitates that. The point is to test the recognition that matters in real life, not the recognition of generic spam.

Vary the difficulty

A program that always sends easy phish gets gamed. A program that always sends hard phish destroys morale. The right balance is mostly medium difficulty with occasional easy and occasional hard tests. Track recognition rates by difficulty separately so you know what your team can and cannot handle.

Run by role

A finance specific simulation should target finance. A developer specific simulation should target developers. Cross role simulations are noise. The goal is judgement specific to the threats the role actually faces.

Measure reporting, not clicking

Click rate measures one half of the picture. The half that matters more is reporting rate: of the employees who received the simulation, how many reported it as phishing within fifteen minutes? Reporting rate is the metric that maps directly to real incident detection. A team with a 30 percent click rate but an 80 percent reporting rate is in much better shape than a team with a 5 percent click rate but a 10 percent reporting rate.

Reward reporting, never punish clicking

The single most important policy decision in the program. Employees who fall for a simulation should receive a short, friendly debrief, no public shaming, no forced retake, no manager notification. Employees who report a real or simulated phish should receive public recognition. The asymmetry is the point. You want a culture where the cost of reporting is low and the cost of staying quiet is high.

Metrics that earn their seat

Most awareness programs report the wrong numbers. Two metrics dominate the field: percentage of employees who completed the e-learning, and percentage of employees who clicked the simulation. Both are useless on their own.

Metrics that move the program

  1. Reporting rate: the percentage of simulation recipients who report the phish within fifteen minutes. Target: above 60 percent within twelve months of program start.
  2. Time to report: the median time, across real incidents, from first user signal to security team awareness. Target: under thirty minutes.
  3. Recognition rate by attack type, broken down by role. Tells you which roles need more training on which threats.
  4. Repeat clicker rate: the percentage of employees who failed the same kind of simulation twice within six months. Target: below 5 percent.
  5. Incident reporting volume: the absolute number of real incidents reported per quarter. Counter intuitively, this should go up over time, not down. More reporting means more visibility, not more attacks.
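The metric definitions above (and the reporting rate versus click rate comparison in the "Measure reporting, not clicking" section) are easy to state and easy to get subtly wrong when someone actually computes them from simulation platform exports. The following is an added example, not code from the original post or from PIVOT: it computes reporting rate within a window, click rate, recognition rate by role and attack type, repeat clicker rate, and median time to report from constructed sample records. The record fields, the definition of "recognised" as reported without clicking, and the 182 day approximation of "six months" are assumptions of this example.

```python
"""Awareness program metrics computed from simulation and incident records.

All sample data below is constructed for this example. Field names and the
metric definitions (recognised = reported without clicking, six months =
182 days) are assumptions, not a specific platform's export format.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Callable, Optional


@dataclass
class SimEvent:
    user: str
    role: str
    attack_type: str                     # e.g. "vendor_email_compromise"
    sent_at: datetime
    clicked_at: Optional[datetime] = None
    reported_at: Optional[datetime] = None


@dataclass
class Incident:
    first_user_signal: datetime          # when a user first reported something
    security_aware_at: datetime          # when the security team acknowledged it


def _rate(events, key: Callable, predicate: Callable):
    """Percent of events (grouped by key) for which predicate holds, 1 decimal."""
    counts = defaultdict(lambda: [0, 0])  # key -> [hits, total]
    for e in events:
        tally = counts[key(e)]
        tally[1] += 1
        if predicate(e):
            tally[0] += 1
    return {k: round(100 * hit / total, 1) for k, (hit, total) in counts.items()}


def reporting_rate(events, window=timedelta(minutes=15)):
    """Per role: share of recipients who reported within `window` of delivery."""
    return _rate(events, lambda e: e.role,
                 lambda e: e.reported_at is not None and e.reported_at - e.sent_at <= window)


def click_rate(events):
    """Per role: share of recipients who clicked (the metric to keep off the board)."""
    return _rate(events, lambda e: e.role, lambda e: e.clicked_at is not None)


def recognition_rate(events):
    """Per (role, attack_type): share who reported without clicking at all."""
    return _rate(events, lambda e: (e.role, e.attack_type),
                 lambda e: e.reported_at is not None and e.clicked_at is None)


def repeat_clicker_rate(events, window=timedelta(days=182)):
    """Percent of all users who clicked the same attack type twice within `window`."""
    clicks = defaultdict(list)  # (user, attack_type) -> click timestamps
    for e in events:
        if e.clicked_at is not None:
            clicks[(e.user, e.attack_type)].append(e.clicked_at)
    repeaters = set()
    for (user, _), times in clicks.items():
        times.sort()
        if any(b - a <= window for a, b in zip(times, times[1:])):
            repeaters.add(user)
    users = {e.user for e in events}
    return round(100 * len(repeaters) / len(users), 1)


def median_time_to_report_minutes(incidents):
    """Median minutes from first user signal to security team awareness."""
    return median((i.security_aware_at - i.first_user_signal).total_seconds() / 60
                  for i in incidents)


# Constructed sample data: two campaigns, 90 days apart, for two roles.
T = datetime(2026, 1, 6, 9, 0)
M = timedelta(minutes=1)
Q = timedelta(days=90)
SAMPLE_EVENTS = [
    SimEvent("alice", "finance", "vendor_email_compromise", T, reported_at=T + 5 * M),
    SimEvent("bob", "finance", "vendor_email_compromise", T, T + 2 * M, T + 10 * M),
    SimEvent("carol", "finance", "vendor_email_compromise", T, clicked_at=T + 3 * M),
    SimEvent("dan", "finance", "vendor_email_compromise", T, reported_at=T + 40 * M),  # late
    SimEvent("heidi", "finance", "vendor_email_compromise", T, clicked_at=T + 6 * M),
    SimEvent("erin", "engineering", "cloud_credential_alert", T, reported_at=T + 1 * M),
    SimEvent("frank", "engineering", "cloud_credential_alert", T, clicked_at=T + 4 * M),
    SimEvent("gwen", "engineering", "cloud_credential_alert", T, reported_at=T + 2 * M),
    SimEvent("bob", "finance", "vendor_email_compromise", T + Q, clicked_at=T + Q + 1 * M),
    SimEvent("carol", "finance", "vendor_email_compromise", T + Q, reported_at=T + Q + 3 * M),
]
SAMPLE_INCIDENTS = [
    Incident(T, T + 8 * M), Incident(T + 1 * Q, T + 1 * Q + 20 * M), Incident(T + 2 * Q, T + 2 * Q + 45 * M),
]


def quarterly_report(events=SAMPLE_EVENTS, incidents=SAMPLE_INCIDENTS):
    """The numbers worth putting in front of leadership, plus click rate for contrast."""
    return {
        "reporting_rate_15m": reporting_rate(events),
        "click_rate": click_rate(events),
        "recognition_rate": recognition_rate(events),
        "repeat_clicker_rate": repeat_clicker_rate(events),
        "median_time_to_report_min": median_time_to_report_minutes(incidents),
    }


if __name__ == "__main__":
    for name, value in quarterly_report().items():
        print(f"{name}: {value}")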

Metrics to ignore

  1. E-learning completion rate. Tells you nothing about behaviour.
  2. Quiz pass rate. Most quizzes are obvious. Pass rates near 100 percent are noise.
  3. Average time spent on training material. Gameable, irrelevant.
  4. Aggregate click rate without role breakdown. Hides the real signal.

A sample twelve month curriculum

For a mid sized organisation building a real awareness program from scratch, this is a reasonable first year structure. Adapt to your size and sector.

Quarter one, foundation

  1. Month one. Role assessment and baseline. Survey staff, identify high risk roles, run a baseline phishing simulation across all roles to establish starting metrics.
  2. Month two. Universal foundation curriculum. All staff. Forty five minutes. Password and MFA hygiene, reporting procedure, data classification basics. Live or recorded with manager office hours follow up.
  3. Month three. Role specific track one (finance). Ninety minutes. Vendor email compromise, callback policy, AI vishing introduction.

Quarter two, broaden role coverage

  1. Month four. Role specific track two (engineering). Ninety minutes. Developer targeted phishing, cloud credential hygiene, secrets management.
  2. Month five. Role specific track three (executive). Sixty minutes plus a tabletop. Whaling, deepfake voice and video.
  3. Month six. Quarterly phishing simulation per role. Different scenario per role. First vishing simulation against finance.

Quarter three, deepen the simulation cadence

  1. Month seven. Role specific track four (HR and customer facing). Ninety minutes. Document handling, candidate fraud, customer impersonation.
  2. Month eight. Quarterly content refresh. Update universal foundation with the latest tradecraft. Run universal refresh.
  3. Month nine. Quarterly phishing simulation per role. Run the executive tabletop exercise.

Quarter four, integrate and measure

  1. Month ten. First annual report to leadership. Reporting rate, time to report, recognition rate by role, incident volume. Plan year two adjustments.
  2. Month eleven. Second vishing simulation against finance. First deepfake video simulation against the executive team (with consent). First engineering capture the flag.
  3. Month twelve. Quarterly phishing simulation per role. Review reporting culture, public recognition for top reporters, year end retrospective with the security team.

A program at this cadence runs roughly thirty hours of material per role per year, fifteen of those in passive content and fifteen in active simulation and exercises. That is the bar to beat for actually changing behaviour.

A real engagement, lightly anonymised

A logistics firm we worked with in 2025 had a typical compliance led program: annual e-learning, occasional generic phishing simulation, click rate reported to the board at eight percent. Leadership thought the program was working.

We ran a baseline assessment in their sector and immediately noticed three things. The reporting rate was below five percent. Real incidents from the previous twelve months had not been logged. And the eight percent click rate was on a phishing template that imitated tradecraft from 2021, not 2025.

We replaced the program with a role specific structure. We retired the generic e-learning module entirely. We moved the click rate KPI off the board report and replaced it with reporting rate, time to report, and recognition rate by role. We instituted a no blame reporting culture, with public recognition for top reporters every quarter. We refreshed all content with current tradecraft.

Twelve months later: reporting rate moved from four percent to sixty seven percent. Time to report on a real BEC attempt against finance was eight minutes (versus the eighty four hours of average dwell time before the change). Click rate on simulations ticked up to twelve percent (because the simulations got harder), but the reporting rate that mattered moved with it.

The lesson: the program was not failing because the employees were lazy. It was failing because the design rewarded the wrong things and measured the wrong things.

What about AI

The AI shift in attacker tradecraft is now permanent. Training programs need to absorb it.

What changed

Phishing emails no longer have grammar tells. Voice cloning is consumer cheap and conversational quality. Deepfake video holds up across short meetings. Targeted reconnaissance against any senior leader is now a few hours of LLM driven scraping. The cost of running personalised attacks at scale dropped to near zero.

What that means for training

  1. The "look for typos" content needs to retire. It is wrong and gives false confidence.
  2. The "verify the sender domain" content needs to retire. Modern phishing arrives from infrastructure that passes alignment checks.
  3. The "trust your gut" content needs to evolve. Gut feel was trained on previous generation tradecraft. The new gut feel needs to be: any urgent request involving money, credentials, or system access pauses for a callback or a written confirmation, no exceptions.
  4. The "we will detect deepfakes with technology" content needs caveats. Detection tooling helps as a layer but is unsafe as the only control.
  5. The "report it and move on" content needs to be reinforced. With AI authored phishing being indistinguishable from legitimate mail, the percentage of false alarms in the reporting queue will go up. Train the SOC to triage gracefully and the workforce to keep reporting.

The defensive AI counterpart

You can also use AI on the defensive side of the training program. Specifically:

  1. Generate role specific simulation content with LLMs. The same technology the attackers use to scale phishing can be used to generate fresh, role specific simulation emails per quarter without your team writing each one by hand.
  2. Personalise debrief content for employees who fall for simulations. A short, role specific, friendly LLM generated debrief is more likely to stick than a generic retraining module.
  3. Surface trends in reporting data. LLMs can summarise patterns across hundreds of reported incidents per quarter that would otherwise require a human analyst.

Be careful about using AI to generate live training material that goes to employees without review. The risk of confusing or wrong content is real, and the cost to your program credibility is high. Treat AI as a draft tool for your training team, not as a publication tool.

Building a real reporting culture

The most important and least technical part of any awareness program is the culture around reporting. A team that reports widely, quickly, and without fear catches real incidents in minutes. A team that does not, no matter how technically defended it is, learns about real incidents days or weeks later.

Three things move the needle here.

Public recognition for reporters

Every month, name the person who reported the most phishing or social engineering attempts. Send a thank you note from leadership. A small gift card or a half day off as recognition. The cost is minimal. The cultural signal is enormous.

No punishment for clickers

A clicker who reports the click within thirty minutes should be treated identically to a reporter who recognised the phish without clicking. Same friendly debrief, same no shame conversation, same return to normal duties. The thing that matters is reporting, not perfection.

Leadership goes first

If the CEO does not report a phishing email she received, no one else will. If the CFO publicly admits he fell for a simulation and reported it, the entire finance team will report next time. Leadership behaviour sets the cultural ceiling. Make sure leadership is in the program, not above it.

What to ship this quarter

If your awareness program needs work and you can spend ninety days fixing it, here is a reasonable first cut:

  1. Retire the generic e-learning module if it is the only training you run. Replace it with a role specific quarterly track for at least three priority roles (finance, executive, engineering).
  2. Move click rate off the board report. Replace it with reporting rate, time to report, and recognition rate by role.
  3. Institute a written no blame reporting policy. One page, signed by the CEO. Distributed to every employee. Explicit on the asymmetry: reporting is rewarded, clicking is not punished.
  4. Run one role specific phishing simulation against finance with current tradecraft. Use the result as the baseline for your new metrics.
  5. Refresh your training content to remove the "look for typos" and "verify the sender domain" lines that are not safe in 2026. Add coverage of AI authored phishing, voice cloning, and deepfake video.

If your team would benefit from external help, we run security awareness program design as part of our advisory engagements, including phishing and vishing simulation that imitates current tradecraft against your specific sector. Request a briefing.

Empower your team with cybersecurity training

At PIVOT, we believe in empowering people in cybersecurity, ensuring they are well equipped to recognise and respond to cyber threats. Interactive sessions feature real world scenarios and hands on exercises to enhance understanding and retention of best practices. Continuous assessments and feedback ensure employees retain and apply the information effectively, identifying areas for additional training. Regular updates keep the curriculum current with the latest threats and security protocols.

We offer a range of training programs, from informational sessions for the general workforce to deep technical upskilling for engineers and security teams. The programs are tailored to your organisation, your sector, and the specific risks you face.

Our trainers are certified practitioners. Our curriculum is updated quarterly. Our specialisms include:

  1. Stealth Red Team Operations
  2. Certified Ethical Hacker (CEH) Training
  3. Exploit Development
  4. Web Application Attacks
  5. Malware Analysis and Reverse Engineering
  6. Cyber Security Awareness for non technical staff

Know more about our trainings | Get a free security assessment

Talk to PIVOT

Want this kind of analysis on your stack?

A 30-minute briefing with one of our practice leads. No sales pitch.

Raju Gautam
Written by
Raju Gautam
CTO | P.I.V.O.T Security
Share

More from PIVOT