gov-2 High priority Governance and Training

All employees receive security awareness training at least annually

People are routinely the entry point for attacks: phishing, social engineering, and credential theft all rely on human behavior. Technical controls reduce risk but cannot eliminate it. Security awareness training shifts employee behavior by helping them recognize attacks and understand why certain security practices matter. Annual training is a floor, not a ceiling; quarterly updates and simulated phishing campaigns significantly improve outcomes.

Complete first: gov-1

Implementation steps

  1. Deploy a security awareness training platform and assign annual training

     Choose a training platform with role-based content libraries, completion tracking, and integrations with your HR system. Assign annual training to all employees on hire and on each anniversary. Set automatic reminders for incomplete assignments. Ensure the content is updated to cover current threats, not just compliance checkboxes.

     Tools: knowbe4, proofpoint-security-awareness, sans-security-awareness, terranova, drata

  2. Track completion and follow up with non-completers

     Pull a completion report monthly and escalate to managers for employees who have not completed training. Tie training completion to onboarding checklists so new hires cannot miss it. Set a target of 100% completion before the deadline, with a plan for handling employees on leave.

     Tools: knowbe4, workday, bamboohr, vanta, secureframe

  3. Supplement annual training with targeted updates and simulations

     Send short security updates when new threats emerge, such as a new phishing campaign targeting your industry. Run simulated phishing campaigns to measure click rates and identify employees who need additional coaching. Track improvement in click rates over time as a measure of training effectiveness.

     Tools: knowbe4, proofpoint, cofense, gophish, microsoft-defender

Evidence required

Training completion records

Evidence that all employees have completed security awareness training within the last 12 months.

  • Training platform completion report with employee names and completion dates
  • HR system showing training assigned at onboarding
  • Phishing simulation results showing click rate trend over time

Related controls