Cybersecurity Essentials for Small Businesses

Lesson 07 of 12

Security Awareness That Sticks (Episode 7)

From How Secure Is Your Business - Really?

Overview

This episode explores how employee education can become the most powerful defense against cyber threats at SMBs. We break down best practices for onboarding, ongoing training, and measuring real security impact—all with stories and examples that prove even small changes make a difference.

Transcript

Cybersecurity Essentials for Small Businesses: Security Awareness That Sticks (Episode 7) — full transcript

Transforming Employees from Risk to Defense

Noel G Alexander: Alright, here we go. So, you know, over the years, I keep running into this same conversation with small business owners—and even some big ones, actually—where they say, “Look Noel, we’ve invested in the fancy firewalls, we keep our antivirus up to date. Shouldn’t we be set?” And I always say, “Well, not exactly.” Here’s the reality: technology, as much as I love it, isn’t enough. It’s your people, your team, who are often the first line of defense—or the weakest link, honestly. One careless click? It really can undo a million bucks of investment. But, and this is important, the solution isn’t to throw blame around. It’s to educate.

Noel G Alexander: This is why I make such a big deal about security culture right from onboarding. If you can get new employees to see that security isn’t just something for the IT department to stress about, but it’s everyone’s job, you’re way ahead. I worked with a global logistics company—huge operation, lots of moving parts—who started adding a quick “cyber hygiene” session to every single orientation. We’re talking basics here: what a real phishing email looks like, how to use a password manager, why reporting something weird matters. You know what happened? Within a year, the number of people reporting suspicious emails doubled. Doubled! That gave their security team the time to actually catch and block threats before they got out of hand.

Noel G Alexander: And look, let me share something that hits close to home. I had a client, a smaller team, thought they had things covered after going through one round of security training. Then, one day, someone in accounting clicked a phishing link. Just one click. The fallout, the clean-up—let’s just say nobody wants to repeat that. And we realized, together, that security training can’t just be a one-and-done deal. It has to be part of the fabric of your company, like your mission statement. Protecting your data is really protecting your customers, right? That’s a message you want popping up in onboarding, but also in posters, email reminders, heck, even team huddles.

Ongoing Training That Works

Noel G Alexander: The thing about cyber threats is, they’re always evolving. The bad guys don’t sit still, so our awareness can’t either. Annual training? Honestly, that’s like putting a band-aid on—it might help for a bit, but it’s not enough. What really works is making training a regular thing, and keeping it fresh. And, yeah, a bit of fun doesn’t hurt either. Gamifying security, tossing in some short, sharp micro-learning sessions—there’s something about a quick quiz or a leaderboard that sparks a bit of competition in the office and gets people paying attention.

Noel G Alexander: I think back to this regional bank I worked with—small to mid-sized, a few dozen branches. They started running quarterly phishing simulations, actually sending fake phishing emails to employees to see who’d click. At first, about 18% of folks took the bait, which is... well, not ideal. But after getting targeted retraining—so, more help for the people who clicked—and repeating that every few months, by the end of the year their click rates dropped to under 3%. Under 3%! That’s huge for real-world risk reduction.

Noel G Alexander: And here’s where, I dunno, engagement really matters. Some folks remember what they learn best from a quick video, others from a newsletter, or even a two-minute quiz. Mixing up the format keeps things interesting and increases the chance that it sticks. But I always hear, “How do we know people are actually going to remember and use this stuff?” And, well, part of that is repetition—and part of it is relevance. If it feels like generic tick-the-box training, we all tune out, right? That’s why tying in real-world examples, and maybe a little bit of healthy office competition, actually works better than a marathon annual training session.

Measuring Success and Tailoring for Roles

Noel G Alexander: So, let’s talk about how we know all this training is doing its job—because training only matters if it’s moving the needle somewhere. I mean, it’s easy to hand out certificates and say, “Yep, everyone completed the course,” but does that really prove anything? We want to look at the right numbers: completion rates, sure, but also things like click rates on phishing simulations—is that trending down over time? Are people reporting suspicious emails faster? Are we actually seeing folks follow policy, like updating passwords or securing their devices?

Noel G Alexander: There was this healthcare provider I worked with—big focus on compliance. They tracked phishing simulation stats over three years. Every quarter, fewer employees clicked those links, and the number of reports of weird emails steadily went up. What’s even better, those numbers made it easy to explain to their board why security awareness was worth funding—‘cause you could see the story right there in the data.

Noel G Alexander: But metrics aren’t just for the C-suite. They help us learn where to focus. I remember a software firm that took a real hit from a coding-related breach. After mandatory secure development training for engineers, they started tracking not only who took the course, but how many security defects actually showed up in new code. With better peer reviews and specific role-based training, they cut those defects by 40%. That’s a number you can feel proud of.

Noel G Alexander: And look, food for thought here—are we tracking just the easy stuff, like who finished the training module, or are we also watching for real behavior changes? Things like fewer risky clicks, better password practices, or folks flagging things fast. Smart organizations even start using behavioral analytics to spot improvements in real time, which is kinda where the industry is heading. In the end, ask yourself: are you training regularly, simulating real threats, and actually keeping track of what matters? Seeking more insight and guidance? My book, A Simple Guide to Cybersecurity for Small and Medium-sized Businesses, is available on Amazon. For a complimentary copy, send an email request with your name, phone number, and company name to noelga@vastmanagementcorp.com.