Cyber Awareness Training

And What You Can Do About It

The reality: 43% of UK businesses experienced a cyber attack in the past year. Of those, 85% involved phishing—attacks that target your staff, not your technology. According to the UK Government’s Cyber Security Breaches Survey 2025, 81% of all UK businesses that suffer a cyber attack are small and medium-sized businesses.

You’ve probably invested in antivirus software, firewalls, and perhaps even multi-factor authentication. But here’s the uncomfortable truth: none of that matters if one of your staff clicks on a convincing phishing email.

Cyber criminals know this. That’s why they don’t waste time trying to break through your technical defences—they simply trick your people into opening the door for them.

The Human Problem

Phishing emails have become remarkably sophisticated. They impersonate banks, suppliers, delivery companies, even your own colleagues. They create urgency—an unpaid invoice, a missed delivery, a problem with your account—to pressure people into acting without thinking.

Your staff aren’t stupid. They’re busy. They’re trying to do their jobs. And when an email looks genuine and demands immediate attention, instinct takes over. One wrong click and an attacker has a foothold in your business.

The numbers: Phishing was involved in 93% of successful breaches against UK businesses in 2025. The average cost of a cyber attack to a UK SME is £10,830—and that’s before you count the time, disruption, and damage to your reputation.

Why One-Off Training Doesn’t Work

Many businesses tick the ‘cyber awareness’ box by running an annual training session or sending staff a PDF to read. The problem? People forget. Research shows that security awareness fades within weeks if it’s not reinforced.

Meanwhile, the threats evolve constantly. The phishing tactics used six months ago have already been replaced with newer, more convincing techniques. A one-off training session simply can’t keep pace.

What’s needed is ongoing, adaptive training—regular, bite-sized learning that keeps security front of mind and evolves with the threats.

What Effective Cyber Awareness Training Looks Like

Modern cyber awareness isn’t about sitting through hour-long presentations or reading lengthy policies. It’s about building habits through regular, manageable learning.

Short, Regular Training Modules

Brief video courses covering topics like spotting phishing emails, safe password practices, recognising social engineering, handling sensitive data, and avoiding common scams. Staff can complete these in a few minutes, fitting training around their actual work.

Simulated Phishing Tests

There’s no better way to test awareness than with realistic phishing simulations. Sending controlled, fake phishing emails to your staff shows you who’s clicking and who needs more training—before a real attacker does the same.

When someone falls for a simulation, they’re not punished—they’re immediately shown what they missed and given targeted training to help them spot similar threats in future.

Personalised Learning

Not everyone needs the same training. Someone who’s already security-savvy shouldn’t waste time on basics, while someone who struggles to spot phishing needs more focused help. Good training platforms assess each person’s knowledge gaps and tailor the content accordingly.

Management Reporting

As a business owner or manager, you need visibility. Which staff have completed their training? Who’s clicking on simulated phishing emails? Is awareness improving over time? Regular reports give you the data to understand your human risk and demonstrate due diligence.

The Cyber Insurance Connection

If you have cyber insurance—or you’re considering it—staff training isn’t optional. Insurers increasingly require evidence of ongoing security awareness training as a condition of coverage.

We’ve seen claims denied because a business couldn’t demonstrate that staff had received proper training. In the insurer’s view, if you haven’t trained your people to recognise threats, you haven’t taken reasonable precautions to protect your business.

Regular, documented training—with reports showing completion rates and test results—provides the evidence insurers want to see.

Compliance and Due Diligence

Beyond insurance, there are regulatory reasons to take this seriously. UK GDPR requires organisations to implement ‘appropriate technical and organisational measures’ to protect personal data. Staff training is explicitly considered an organisational measure.

If you suffer a breach and the ICO investigates, one of the first things they’ll ask is what training your staff received. Having a documented, ongoing programme demonstrates you’ve taken your responsibilities seriously.

For businesses pursuing Cyber Essentials certification—or working with clients who require it—staff awareness training supports your compliance efforts.

Our Managed Cyber Awareness Service

We understand that most SME owners don’t have time to manage yet another system. That’s why we offer cyber awareness training as a fully managed service.

We handle everything:

  • Training content selection: We choose relevant, up-to-date training modules covering the threats your staff actually face
  • Phishing simulations: We run realistic phishing tests using current tactics, so you know how your team would respond to a real attack
  • User enrolment: We set up and manage your staff on the platform, handling starters and leavers
  • Automated delivery: Training is delivered automatically, with reminders for those who haven’t completed it
  • Monthly reporting: You receive a clear report each month showing training completion, phishing test results, and your organisation’s overall security awareness score

The training itself is delivered through short, engaging video modules that staff can complete in a few minutes. It’s designed to be interesting rather than tedious—because training that people actually engage with is training that works.

The Real Cost of Doing Nothing

Consider what happens when a phishing attack succeeds:

  • Ransomware encrypts your files—you can’t access your data, your systems, your business
  • Invoice fraud costs you tens of thousands when someone pays a ‘supplier’ into the wrong account
  • Customer data is stolen—you face ICO fines, legal costs, and devastating reputational damage
  • Business email compromise lets attackers impersonate you to your own clients
  • Days or weeks of disruption while you recover—if you can recover

UK businesses experienced an estimated 8.58 million cyber crimes in the past year. The Marks & Spencer ransomware attack in April 2025 cost the company an estimated £300 million. While that’s an extreme example, even smaller attacks can be catastrophic for an SME.

97% of businesses that suffer a cyber attack could have been protected if they had comprehensive cyber security measures in place. Staff training is one of the most cost-effective measures you can implement.

Getting Started

Setting up managed cyber awareness training is straightforward. We integrate with your Microsoft 365 to import your users, configure appropriate training paths, and begin the programme. Your staff receive invitations to complete their initial assessment and first training modules.

From there, it runs largely on autopilot—with us monitoring progress, adjusting the programme as needed, and providing you with monthly updates on how your team is doing.

If you’d like to discuss adding cyber awareness training to your security measures, or if you have questions about how it would work for your business, we’d be happy to talk it through.

Interested in protecting your business?

Get in touch to discuss our managed cyber awareness training service.

Give our friendly experts a call on 020 3327 0310.

Last updated: February 2026