Security Awareness Training That Sticks
Annual slideshows do not change behaviour. Training that sticks is short, frequent, role-specific, and measured by real outcomes.
Why the annual training video fails
Effective security awareness training is the cheapest control most organisations own, and the most commonly wasted. The standard approach — a forty-minute compliance video once a year — checks a box and changes almost nothing. People forget within weeks, the content is generic, and there is no feedback loop to tell you whether anyone is safer. If your training exists mainly to satisfy an auditor, it is protecting the audit, not the business.
The threats it is meant to counter are not theoretical. Phishing and social engineering remain the most common entry point into organisations of every size, precisely because they target people rather than systems. A patched, hardened network still falls if someone hands over their password.
The principles that actually change behaviour
Training that sticks shares a few traits, and none of them involve longer videos:
- Short and frequent beats long and rare. Five focused minutes every month outperforms an annual marathon. Spacing is how memory forms; one big session is how it is forgotten.
- Role-specific beats one-size-fits-all. Finance needs to spot invoice fraud and payment-redirect scams. Developers need secrets hygiene and dependency risks. Reception needs to handle pretext phone calls. Generic content respects nobody's time.
- Concrete beats abstract. "Be careful with email" teaches nothing. "Here is a real phishing email we received last month, and here are the three tells" teaches a skill.
Run phishing simulations — kindly
Simulated phishing is the most effective single tool, because it trains the exact moment of decision: the hover, the pause, the report. But the goal is learning, not gotcha. When someone clicks, the landing page should be a calm, immediate micro-lesson showing what they missed, not a public shaming. Culture is the whole game here. The instant people fear being mocked for failing a test, they stop reporting real incidents, and a missed report is far more dangerous than a clicked simulation.
- Start with a baseline simulation so you can show improvement over time.
- Vary difficulty and theme — payroll, delivery notices, internal IT requests — so people learn patterns, not one template.
- Celebrate reporting loudly. The person who flags a suspicious email is the win, even if ten others ignored it.
Make reporting the easiest thing to do
Your strongest signal is a workforce that reports anything odd, fast. That only happens when reporting is frictionless and never punished. A one-click "report phishing" button in the mail client, a known channel for "this felt off," and a consistent thank-you in response do more than any policy document. Speed matters because the window between the first click in an organisation and containment is often where an incident is won or lost.
Measure outcomes, not attendance
Completion rates tell you who watched a video, not who is safer. The metrics worth tracking are behavioural: simulated-phishing click rate trending down, report rate trending up, and time-to-report shrinking. Read them together rather than in isolation: a click rate on its own is easy to flatter by sending easier lures, so compare campaigns of similar difficulty and give more weight to report rate and time-to-report, since those are the behaviours that shorten a real incident. When click rates fall and reporting rises over two or three quarters, the programme is working. If completion is high but click rates are flat, the content is not landing and needs to get shorter, sharper, and more specific.
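The three behavioural metrics above are easy to state and easy to get subtly wrong when you compute them from raw simulation data (a user who clicks and then reports should still count as a report; time-to-report should be measured from delivery, not from the click). The following is an added example, not code from the original post or from any simulation product: it computes click rate, report rate and time-to-report per campaign from a constructed event log, then checks whether each metric is moving the right way across consecutive campaigns. The `Event` schema, the `USERS` list and the campaign identifiers (which are assumed to sort chronologically) are all assumptions made up for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median

# Assumed event schema for a phishing-simulation export. Real platforms
# use their own field names; map them onto this shape before calling in.
@dataclass(frozen=True)
class Event:
    campaign: str
    user: str
    kind: str        # "delivered", "clicked" or "reported"
    at: datetime


def campaign_metrics(events):
    """Per-campaign behavioural metrics: click rate, report rate, time-to-report (minutes)."""
    by_campaign = {}
    for e in events:
        by_campaign.setdefault(e.campaign, []).append(e)

    out = {}
    for cid, evs in by_campaign.items():
        delivered = {e.user for e in evs if e.kind == "delivered"}
        send_time = min(e.at for e in evs if e.kind == "delivered")
        clicked = {e.user for e in evs if e.kind == "clicked"}

        # First report per user. A user who clicked and then reported still
        # counts as a reporter: the report is the behaviour we want, and it
        # is what lets the SOC contain the incident.
        first_report = {}
        for e in evs:
            if e.kind == "reported":
                first_report[e.user] = min(first_report.get(e.user, e.at), e.at)

        # Time-to-report is measured from delivery, not from any click, because
        # the containment window opens when the mail lands in the inbox.
        latencies = [(t - send_time).total_seconds() / 60 for t in first_report.values()]
        n = len(delivered)
        out[cid] = {
            "delivered": n,
            "click_rate": round(len(clicked & delivered) / n, 3),
            "report_rate": round(len(first_report.keys() & delivered) / n, 3),
            "first_report_min": round(min(latencies), 1) if latencies else None,
            "median_report_min": round(median(latencies), 1) if latencies else None,
        }
    return out


def programme_trend(metrics):
    """Flag whether each metric moved the right way between every pair of consecutive campaigns."""
    ids = sorted(metrics)                      # assumes ids sort chronologically
    pairs = list(zip(ids, ids[1:]))

    def improving(key, better):
        return all(
            better(metrics[b][key], metrics[a][key])
            for a, b in pairs
            if metrics[a][key] is not None and metrics[b][key] is not None
        )

    return {
        "click_rate_falling": improving("click_rate", lambda new, old: new < old),
        "report_rate_rising": improving("report_rate", lambda new, old: new > old),
        "time_to_report_shrinking": improving("median_report_min", lambda new, old: new < old),
    }


# ---- Constructed sample data (not real telemetry) --------------------------
USERS = [f"user{i:02d}" for i in range(1, 11)]


def simulate_campaign(cid, sent, clicks, reports):
    """Build events for one campaign; clicks/reports map user -> minutes after send."""
    evs = [Event(cid, u, "delivered", sent) for u in USERS]
    evs += [Event(cid, u, "clicked", sent + timedelta(minutes=m)) for u, m in clicks.items()]
    evs += [Event(cid, u, "reported", sent + timedelta(minutes=m)) for u, m in reports.items()]
    return evs


SAMPLE_EVENTS = (
    simulate_campaign("2024-Q1", datetime(2024, 2, 6, 9, 0),
                      clicks={"user01": 3, "user02": 7, "user03": 12, "user04": 40},
                      reports={"user05": 95, "user02": 15})        # user02 clicked, then reported
    + simulate_campaign("2024-Q2", datetime(2024, 5, 7, 9, 0),
                        clicks={"user01": 4, "user06": 20, "user07": 33},
                        reports={"user02": 6, "user05": 9, "user08": 30, "user01": 45})
    + simulate_campaign("2024-Q3", datetime(2024, 8, 6, 9, 0),
                        clicks={"user09": 25},
                        reports={"user01": 2, "user02": 3, "user03": 5,
                                 "user05": 8, "user08": 12, "user09": 28})
)

if __name__ == "__main__":
    m = campaign_metrics(SAMPLE_EVENTS)
    for cid in sorted(m):
        print(cid, m[cid])
    print(programme_trend(m))
```

On the constructed data the click rate falls from 0.4 to 0.1 while the report rate rises from 0.2 to 0.6 and the median time-to-report drops from 55 to 6.5 minutes, which is the shape a working programme produces. Note that `report_rate` only counts reporters who were on the delivery list, so a colleague reporting a forwarded copy does not inflate the figure, while their latency is still included because it is still a real report.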
Cover the threats that are not email
Phishing dominates the conversation, but social engineering does not stop at the inbox, and a programme that only covers email leaves obvious gaps. The same attackers call your reception pretending to be IT, send urgent text messages impersonating an executive, or leave a USB stick in the car park hoping someone plugs it in out of curiosity. Train for the channels your people actually face:
- Vishing — voice calls using urgency and authority to extract passwords or push a payment. Teach staff that a real IT team never asks for a password over the phone.
- Smishing — text-message scams that exploit the trust people place in their phones and the small screens that hide warning signs.
- Pretexting and tailgating — the confident stranger who talks their way past the front desk or through a secured door behind someone holding it open.
Give each group the scenarios they will realistically meet, and the response becomes muscle memory rather than something they have to reason out under pressure.
Reinforce between the formal sessions
The learning that lasts is the learning people meet repeatedly in the flow of their normal day, not only in scheduled training. Small, steady reinforcement keeps security present without becoming nagging. A brief monthly note breaking down a real attack the organisation actually saw, a one-line tip in a team channel, or a short banner on emails arriving from outside the company all keep the right instincts warm. The aim is a workforce for whom pausing on a suspicious message is reflexive, because security awareness has become part of the background rather than an annual interruption they endure and forget.
How BSH can help
BSH Technologies builds security awareness programmes that change behaviour rather than tick boxes — role-based content, fair phishing simulations, coverage of voice and message-based attacks, and reporting workflows wired into your tools, with metrics that show real progress. As part of our managed IT and cybersecurity services, we tailor the programme to how your people actually work. If your last training was a video nobody remembers, let's design something that sticks.