Read, Sign, Repeat: Why User Policy Acceptance Is a vCSO’s First Line of Legal Defense
Most executives assume that once an employee is hired, they know the rules. They assume policies are read and understood. They assume common sense prevails. But assumptions don’t hold up in court. When a breach happens, you’ll be asked for proof. Proof that users were trained. Proof that they acknowledged the risks. Proof that they understood their responsibilities. If you can’t produce that evidence, it’s your neck on the line.
Why Your Phishing Training is Failing—and What vCSOs Can Do to Fix It
Every year, organizations spend millions on phishing awareness training, convinced that simulated phishing emails will turn employees into a human firewall. But new research tells a different story: traditional phishing training doesn’t just fail—it can actually make employees more likely to fall for phishing scams.
5 Requirements for an Effective Security Training Program
The goal of security training is to educate your team so they’ll make better decisions when it comes to cybersecurity hygiene. The problem with this approach is that you may be treating it like a tool, meaning it won’t be tailored to your specific policies.