Security Awareness Training Platform: How to Choose the Right Solution for Your Organisation


Most organisations that have experienced a phishing attack can tell you what happened. Few can explain why their training did not prevent it.

Security awareness training is now a standard line item in most IT and compliance budgets. Platforms are licensed, modules are assigned, completion rates are tracked, and boards are told that staff have been trained. Then, a credential is stolen via a phishing email that every deployed module claimed to cover. The post-incident review reveals staff who passed the training, clicked the link, and had no memory of the course at all.

This is not a technology problem. It is a procurement and programme design problem. Organisations that get security awareness training right treat platform selection as a behaviour-change question — not a compliance checkbox. The ones that get it wrong are usually the ones most surprised when their completion dashboard fails to protect them.

This is where security awareness programmes drift. Not into non-compliance on paper, but into the gap between recorded completion and actual human behaviour under pressure.

This article sets out what separates a security awareness training platform that changes how people respond to threats from one that satisfies an audit requirement and nothing else. It covers what your organisation should demand from any platform before committing to a contract.

Key Takeaways

  • Completion rates measure participation, not behaviour change. A platform that tracks who clicked through modules tells you who was enrolled. It does not tell you whether those people will recognise a phishing attempt under time pressure six months later.
  • Phishing simulation is not optional. If your platform cannot test how staff respond to realistic attack scenarios in your actual working environment, it cannot measure whether awareness training is working. Simulation and training must be integrated — not separate products.
  • Role-based targeting matters more than catalogue breadth. A finance director faces different threats from a warehouse operative. A platform that deploys the same content to both is not delivering security awareness training. It is delivering security awareness content. The distinction matters when an attacker targets the weakest link.
  • Your audit trail must survive a regulatory investigation. Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, you may be required to demonstrate that appropriate technical and organisational measures were in place. A completion record that shows only pass or fail will not satisfy that requirement.
  • The platform is not the programme. Security awareness training delivered without management reinforcement, clear reporting lines and regular scenario updates will decay. Staff behaviour under threat conditions reflects the organisational environment they work in — not the module they completed during induction.

Why Standard Procurement Approaches Fail

Library size. Price per seat. SSO integration. These are the questions that dominate most procurement conversations around security awareness training — and they’re all worth asking. The problem is what doesn’t get asked alongside them.

Cyber threats are not uniform. Phishing was by far the most common type of attack, experienced by 85 per cent of businesses that identified a breach or attack in the 2024/25 period (DSIT, 2025). Phishing succeeds not because staff have not heard of it, but because well-crafted attempts are designed to exploit the conditions under which people actually work — urgency, authority, familiarity and distraction.

A module that explains what phishing looks like in a low-pressure learning environment does not prepare staff for a spoofed invoice request that arrives on a Friday afternoon from an address that differs by one character from their chief financial officer’s. The gap between knowing the concept and responding correctly under operational conditions is where breaches happen.

The mechanism is familiar. Staff complete a security awareness module during induction. The module describes common attack types with illustrative examples. Staff pass an end-of-module assessment. The record is filed. Six months later, the same staff face a targeted spear-phishing attempt tailored to their role, their organisation and their recent activity. The training gave them information. It did not test their judgment.

43 per cent of businesses and 30 per cent of charities reported experiencing some form of cybersecurity breach or attack in the previous 12 months, rising to 74 per cent of large businesses and 67 per cent of medium businesses (DSIT, 2025). Organisations that treat awareness module completion as their primary human-layer control are consistently overestimating the protection it provides.

That gap matters not only operationally, but legally too.

Regulatory Context: What the Law Actually Requires

Most security awareness training providers will confidently assure you that their platform aligns with current UK legislation — and that’s exactly the kind of claim that deserves a closer look.

Under Article 32 of the UK GDPR, supplemented by the Data Protection Act 2018, organisations must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (UK Government, 2018a). The Information Commissioner's Office (ICO) explicitly recognises staff training as one of those organisational measures (ICO, n.d.).

The ICO’s guidance on security under UK GDPR sets out what ‘appropriate’ means in practice. If a breach occurs and the ICO investigates, the question will not be whether training was completed. It will be whether the measures in place were appropriate to the nature and scale of the risk your organisation faces (ICO, 2024).

For operators of essential services and relevant digital service providers, the Network and Information Systems (NIS) Regulations 2018 impose additional duties. These include taking appropriate and proportionate technical and organisational measures to manage security risks, which extends to the human layer of your security posture (UK Government, 2018b).

Regulatory compliance is a minimum bar. The ICO has issued enforcement action against organisations that could not demonstrate their staff training was adequate relative to the sensitivity of the data they handled. Adequacy is a purposive standard. It is not satisfied by a generic module catalogue deployed uniformly across a workforce with materially different risk profiles. One caveat on the government-backed Cyber Essentials scheme (NCSC, n.d.): it assesses five technical controls (firewalls, secure configuration, user access control, malware protection and security update management) and does not assess staff training, so a Cyber Essentials certificate is evidence of a technical baseline, not of the human layer.

What to Look For: The Selection Criteria That Matter

A platform can satisfy every standard procurement question and still leave an organisation exposed. The five criteria below address the capabilities that determine whether a platform can do the job — not just whether it can be licensed and deployed.

Phishing Simulation, Not Just Awareness Content

Awareness content tells people what threats look like. Phishing simulation tests whether they actually do something about it when one lands in their inbox. Those are two different things — and a platform that only does one of them is only doing half the job.

Effective phishing simulation should use scenarios relevant to your sector, your organisation’s communications patterns and the attack types most likely to target your workforce. A finance team should be tested on business email compromise scenarios. An IT team should face credential-harvesting attempts. Generic simulation templates do not replicate the targeted nature of real attacks.

Role-Based Content, Not Universal Deployment

The threat landscape your finance director faces differs materially from the one faced by a customer service operative or a site supervisor. Effective security awareness training maps content to role-specific risk — not to job title, but to data access level, communication patterns and the specific attack vectors most likely to target that function.

Only 29 per cent of UK businesses undertook a cybersecurity risk assessment in the 2024/25 period (DSIT, 2025). Organisations that have not mapped their human risk profile by role cannot select role-appropriate training. The platform question and the risk assessment question are connected, and procurement processes that treat them separately will consistently underperform.

Behaviour Measurement, Not Assessment Scores

The purpose of security awareness training is to change how staff behave when they encounter a threat. Assessment scores measure whether staff can identify the correct answer in a low-pressure testing environment. These are not the same thing.

A platform that measures behaviour change tracks how staff respond to simulated attacks over time, identifies individuals and teams with persistent vulnerability patterns and connects that data to targeted intervention. A platform that measures assessment scores tells you who completed the module with a passing mark.

Ask suppliers one simple question: what happens when someone scores 90 per cent on an assessment but keeps clicking phishing links? If the answer is a remedial module, you’re looking at a platform built around completion rates. Whether anyone is actually more capable of handling a real threat is a different question — and that platform isn’t asking it.
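The check described in the previous paragraph, applied to a constructed phishing-simulation log, as an added example that is not part of the original article or of any vendor's product. It also serves the later point about click rates falling because staff learn the template rather than the threat: per-campaign report rates are computed alongside click rates. Field names, the pass mark and the sample data are all assumptions.

```python
"""Behaviour metrics from phishing-simulation results.

Added illustration (not from the article or any platform). The campaign log
and assessment scores are constructed sample data; field names, the pass mark
and the streak threshold are assumptions. The point: compare what people
scored on the module with what they actually did when a lure arrived.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class SimEvent:
    user: str
    campaign: str      # simulation campaign / template identifier (assumed field)
    sent: date
    clicked: bool      # followed the lure link or opened the attachment
    reported: bool     # used the report-phishing button


# Constructed sample data: four staff, three quarterly campaigns, and the
# score each person achieved on the end-of-module assessment.
ASSESSMENT_SCORES = {"alice": 95, "bob": 90, "carol": 70, "dave": 85}

SIM_EVENTS = [
    SimEvent("alice", "invoice-q1",    date(2025, 1, 14), clicked=False, reported=True),
    SimEvent("alice", "hr-policy-q2",  date(2025, 4, 8),  clicked=False, reported=True),
    SimEvent("alice", "cfo-urgent-q3", date(2025, 7, 2),  clicked=False, reported=False),
    SimEvent("bob",   "invoice-q1",    date(2025, 1, 14), clicked=True,  reported=False),
    SimEvent("bob",   "hr-policy-q2",  date(2025, 4, 8),  clicked=True,  reported=False),
    SimEvent("bob",   "cfo-urgent-q3", date(2025, 7, 2),  clicked=True,  reported=False),
    SimEvent("carol", "invoice-q1",    date(2025, 1, 14), clicked=True,  reported=False),
    SimEvent("carol", "hr-policy-q2",  date(2025, 4, 8),  clicked=False, reported=True),
    SimEvent("carol", "cfo-urgent-q3", date(2025, 7, 2),  clicked=False, reported=True),
    SimEvent("dave",  "invoice-q1",    date(2025, 1, 14), clicked=True,  reported=False),
    SimEvent("dave",  "hr-policy-q2",  date(2025, 4, 8),  clicked=True,  reported=False),
    SimEvent("dave",  "cfo-urgent-q3", date(2025, 7, 2),  clicked=False, reported=True),
]


def _by_user(events):
    """Group events per user, oldest campaign first."""
    grouped = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.sent):
        grouped[ev.user].append(ev)
    return grouped


def behaviour_profile(events, user):
    """Per-person metrics across every campaign that person received."""
    evs = _by_user(events).get(user, [])
    n = len(evs)
    if n == 0:
        return {"campaigns": 0, "click_rate": None, "report_rate": None,
                "recent_consecutive_clicks": 0}
    # How many of the most recent campaigns, in a row, were clicked.
    streak = 0
    for ev in reversed(evs):
        if not ev.clicked:
            break
        streak += 1
    return {
        "campaigns": n,
        "click_rate": sum(e.clicked for e in evs) / n,
        "report_rate": sum(e.reported for e in evs) / n,
        "recent_consecutive_clicks": streak,
    }


def flag_persistent_clickers(events, scores, pass_mark=80, min_streak=3):
    """People who passed the assessment yet clicked in each of their last
    `min_streak` campaigns: the case a completion dashboard cannot see."""
    flagged = []
    for user in sorted(_by_user(events)):
        profile = behaviour_profile(events, user)
        if scores.get(user, 0) >= pass_mark and \
                profile["recent_consecutive_clicks"] >= min_streak:
            flagged.append(user)
    return flagged


def campaign_summary(events):
    """Click and report rate per campaign. A click rate that falls while the
    report rate stays flat suggests staff learned the template, not the threat."""
    per_campaign = defaultdict(list)
    for ev in events:
        per_campaign[ev.campaign].append(ev)
    return {
        name: {
            "click_rate": sum(e.clicked for e in evs) / len(evs),
            "report_rate": sum(e.reported for e in evs) / len(evs),
        }
        for name, evs in per_campaign.items()
    }


if __name__ == "__main__":
    for user in sorted(ASSESSMENT_SCORES):
        print(user, ASSESSMENT_SCORES[user], behaviour_profile(SIM_EVENTS, user))
    print("flagged:", flag_persistent_clickers(SIM_EVENTS, ASSESSMENT_SCORES))
    print("campaigns:", campaign_summary(SIM_EVENTS))
```

On the constructed data, bob scores 90 per cent and clicks every lure, so he is the only person flagged; carol scores 70 per cent but has not clicked since the first campaign and now reports instead, which is the behaviour the programme exists to produce. The report rate is tracked deliberately: a workforce that stops clicking but never reports gives the security team no early warning either.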

Audit Trail and Regulatory Reporting Capability

Under the UK GDPR and the Data Protection Act 2018, if your organisation experiences a personal data breach that is likely to result in a risk to individuals, you must notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it (UK Government, 2018a). If the ICO investigates, it will ask what organisational measures were in place.

Before you sign any platform contract, ask for a sample compliance report. It should show, at minimum: the specific content completed by each staff member; the version of that content; assessment scores achieved; completion dates; the date of the most recent content update; and, for each phishing simulation sent to that person, the date, the scenario used and how they responded. A report that shows pass or fail will not support a regulatory defence.

Content Currency and Threat Relevance

Security threats evolve faster than annual training cycles. A platform that updates its content library once per year is not keeping pace with the threat landscape. Tactics, techniques and procedures used by attackers change continuously. Phishing lures are updated to reference current events, trusted brands and organisation-specific contexts.

Ask whether the platform's content reflects current National Cyber Security Centre (NCSC) guidance, including the NCSC's 10 Steps to Cyber Security, and how frequently the phishing simulation template library is updated.

Connecting Training to Security Culture

The variable that most reliably determines whether a programme changes behaviour does not appear on any product sheet. A security awareness training platform is a tool. It operates within a security culture — and that culture is set by leadership behaviour, reporting norms and the organisational response to staff who report suspected incidents.

Staff who work in organisations where reporting a suspected phishing attempt is welcomed, acted on quickly and communicated back to the team are more likely to report under pressure. Staff who work in organisations where security is treated as an IT function, and reporting feels like an admission of failure, will not. No platform changes that dynamic. Leadership does.

The question to ask any platform supplier is not only what the training covers. It is how the platform is designed to be integrated into a broader security culture programme — and what evidence they can provide that organisations with similar workforce profiles have achieved measurable behaviour change, not just completion rates.

Suppliers who answer that question specifically are offering something different from the commodity end of the market. The organisations that ask it before signing spend less time investigating breaches.

Why Capable Platforms Fail Without Programme Ownership

Most organisations can tell you which platform they selected and why. Fewer can tell you who is responsible for what the platform does — or does not do — six months after it went live.

Even capable platforms fail when no one owns the programme properly, and the failure is rarely one of platform selection.

The more common failure occurs after the contract is signed. A platform is deployed, an IT team or compliance function is assigned administrative access, and the programme goes live. Completion rates are high in the first quarter because training has been flagged as mandatory. Phishing simulation click-through rates improve across the first two cycles because staff have learned to recognise the template scenarios. The dashboard shows green. The licence is renewed.

What the dashboard does not show is what happens when a novel spear-phishing attempt arrives — one tailored to a specific role, timed to a real operational pressure, and absent from every simulation template deployed to date. When it arrives, the programme’s actual effect on behaviour is tested. In most organisations, no one has been measuring it.

Why IT Ownership Produces This Outcome

A platform administered by an IT team and reviewed at licence renewal is not a security awareness programme. It is a compliance record-keeping system.

The mechanism is structural. IT and compliance teams hold the platform access, generate the reports, and own the renewal decision. Neither function holds authority over department-level management behaviour, induction processes, or how incidents are handled when staff report them. Department behaviour, induction quality and incident response culture are the conditions determining whether awareness training transfers into behaviour under pressure — and in most organisations, no single function is responsible for all three at once.

What Happens When No One Closes the Loop

The result is visible in the data nobody acts on. Simulation results sit in a quarterly report. Persistent vulnerability patterns in specific teams are not escalated to line managers. The scenario library is not updated to reflect current threat tactics. The programme runs on schedule. Behaviour does not change in proportion to it.

Closing the loop does not require a different platform. It requires a defined ownership structure — naming who is responsible for acting on simulation data between reporting periods, who holds authority to adjust deployment when role-specific patterns emerge, and who is accountable when the programme is tested by a real incident rather than a scheduled exercise. Without a defined ownership structure, the platform’s capability is unrealised regardless of what was purchased.

Bespoke programme design closes the gap — not by providing better content, but by building the scenario, targeting and accountability structure around the specific threat profile and organisational conditions the workforce actually operates in.

How Human Focus Can Help Your Organisation

Two gaps recur consistently across organisations that have already invested in a platform:

  • Coverage that satisfies a compliance audit but cannot withstand a breach investigation
  • Deployment that reaches every staff member except the ones an attacker would target first.

Human Focus’s CPD-certified Cyber Security Awareness Training covers how attackers exploit human behaviour, phishing and vishing recognition, password and device security, and staff responsibilities under UK GDPR and the Data Protection Act 2018. Every completion is recorded against individual staff profiles, with assessment scores captured at point of completion — giving compliance teams the documented evidence trail the ICO’s audit framework requires.

For organisations that have identified role-specific threat exposure, Human Focus’s bespoke training solution builds scenarios mapped to your incident history, your systems and your escalation procedures, deployed to the specific staff whose roles carry the greatest risk.

About the author(s)

Human Focus Editorial Staff comprises a dedicated collective of workplace safety specialists and content contributors. The team shares practical guidance on human factors, risk, and compliance to support safer, more effective workplaces.
