How to Train Your Employees on Cybersecurity: A Complete Guide for SMBs
A practical guide to building an effective cybersecurity awareness program. KPIs, frequency, budget, and mistakes to avoid for small and mid-sized businesses.
43% of corporate cybersecurity incidents are caused by human error (IBM Cost of a Data Breach 2025). That single number explains why cybersecurity training for your employees is an operational, regulatory, and financial obligation.
Yet most small and mid-sized businesses face the same dilemma: they know they need to train their teams, but they don't know how to build a program that actually works. Annual training sessions are forgotten within two weeks. E-learning modules get skimmed. One-off simulations accomplish nothing without follow-up.
This guide provides concrete steps, precise key performance indicators (KPIs), a month-by-month calendar, and an ROI calculation to win over your leadership team. For context on the threat itself, see our article on phishing statistics for businesses in 2026.
Whether you're starting from scratch or looking to formalize an existing program, this guide covers everything an SMB with 50 to 500 employees needs to significantly reduce the risk of your teams clicking on a phishing email.
Why cybersecurity training is now mandatory
The regulatory environment leaves no room for doubt
The European NIS2 directive, which took effect in October 2024, requires companies in essential and important sectors to implement cybersecurity awareness measures. Article 21 explicitly demands employee training and regular security testing. Fines can reach 10 million euros or 2% of global revenue. For a full compliance walkthrough, see our NIS2 guide for SMBs.
But NIS2 isn't the only framework mandating training. The GDPR requires appropriate technical and organizational measures, and data protection authorities consider employee awareness a fundamental organizational measure. SOC2 audits systematically check for the existence of a security training program. And the DORA (Digital Operational Resilience Act) directive, which applies to the financial sector, mandates operational resilience testing that includes staff training.
The human factor remains the weakest link
82% of data breaches involve the human element (Verizon DBIR 2025): whether through phishing, compromised credentials, configuration errors, or social engineering. Phishing alone accounts for 36% of all breaches, making it the number one attack vector.
91% of cyberattacks start with a phishing email (ANSSI, France's national cybersecurity agency). And SMBs are prime targets: they often hold sensitive data but have limited security resources.
The conclusion is clear: firewalls and antivirus software are not enough. Without employee training, your security infrastructure has a gaping hole, and attackers know it.
Cyber insurers demand proof
A more recent trend is accelerating awareness even further: cyber insurance providers now condition their policies on the existence of an awareness program. According to a Deloitte study, 73% of cyber insurers require proof of regular employee training before granting coverage or maintaining acceptable premiums.
If your SMB has or wants cyber insurance, the question isn't "should we train?" but "how do we prove we're training?" That means activity reports, documented completion rates, and a simulation history.
The 5 pillars of an effective training program
A cybersecurity training program that delivers measurable results rests on five complementary pillars. Skip any one of them, and you create a blind spot that attackers will exploit.
Pillar 1: Initial assessment - measure your starting point
What: Before any training, run a "baseline" phishing simulation campaign to measure your team's initial click rate. Supplement it with a short questionnaire (10-15 questions) assessing basic cybersecurity knowledge.
Why: Without a baseline, you can never demonstrate your program's effectiveness. "We trained our teams" convinces no one. "We reduced the click rate from 16% to 2% in 3 months" speaks to the executive committee.
How: Send a realistic phishing simulation (an email mimicking a common service: Microsoft 365, package delivery, expense report) to all your employees. Don't warn anyone. Measure the click rate, the report rate, and the response time.
Success metric: The baseline is established. You have a documented initial click rate by department. According to Proofpoint, the average click rate without prior training is 27% to 35% depending on the industry.
Pillar 2: Theoretical training - cybersecurity fundamentals
What: E-learning modules covering the main threats: email phishing, Business Email Compromise (BEC), social engineering, smishing (SMS phishing), vishing (phone phishing), passwords, and multi-factor authentication. For a detailed comparison of e-learning and simulation approaches: Cybersecurity training vs phishing simulation.
Why: Employees need to understand attack mechanisms to detect them. Training can't be limited to "don't click on suspicious links" - you need to explain how to recognize a malicious email, what the warning signs are, and what to do when in doubt.
How: Favor short modules of 5 to 10 minutes maximum (micro-learning). Cognitive science research shows that retention drops sharply beyond 15 minutes. Spread the initial training over 3 to 4 weeks rather than a single session.
Success metric: Completion rate above 90%. Average final quiz score above 80%. If your modules have less than 60% completion, they're probably too long or poorly designed.
Pillar 3: Regular simulation - testing reflexes under real conditions
What: Simulated phishing campaigns sent at regular intervals (ideally monthly) with scenarios of increasing difficulty.
Why: Theory alone doesn't change behavior. It's the repeated exposure to realistic situations that builds lasting reflexes. According to SANS Institute data, a monthly simulation program reduces click rates by 70% in 6 months.
How: Vary the scenarios: generic phishing, targeted spear phishing, BEC, fake QR codes, urgent notifications. Use your own sending domains for maximum realism: simulations sent from generic domains (loginform.net) are spotted immediately and have zero training value. For more detail, see our phishing simulation page.
Success metric: Click rate trending steadily downward month over month. Report rate trending upward. Target: click rate below 5% after 12 months. For detailed benchmarks by industry, see our article on phishing click rates by sector.
Pillar 4: Targeted remediation - train those who need it
What: Automatic, targeted training triggered immediately after a failed simulation. An employee who clicks on a phishing link receives a 3-to-5-minute micro-course tailored to the type of attack they missed.
Why: Bombarding all employees with the same training is ineffective and frustrating for those who perform well. Targeted remediation focuses resources where they're needed: at the exact moment the employee is most receptive (right after they "failed").
How: Set up automatic remediation workflows: an employee who clicks on a BEC simulation receives a module on CEO fraud; an employee who enters credentials on a fake page receives a module on malicious login pages. Increase simulation frequency for repeat offenders.
Success metric: Repeat failure rate below 15%. An employee who fails twice in a row on the same type of simulation requires human intervention (a meeting with their manager or the CISO).
Pillar 5: Measurement and reporting - prove it works
What: A dashboard consolidating program KPIs and periodic reports for leadership, auditors, and insurers.
Why: A program that isn't measured is a program that isn't managed. Reports serve three purposes: steer the program (identify what works), prove compliance (NIS2, SOC2, insurance), and justify the budget (ROI).
How: Generate automated monthly reports showing: click rate, report rate, progress by department, overall risk score, training completion rate. Present a quarterly report to leadership. For more on compliance, see our automated compliance page.
Success metric: A compliance report generated in one click. A complete history of simulations and training available for audit.
How to structure your program month by month
Here is an actionable 12-month calendar for an SMB starting from zero. Adjust timelines to your context, but respect the sequence.
Month 1: Initial assessment
- Week 1-2: Launch a baseline phishing simulation (medium difficulty scenario, such as a "Microsoft 365 password update" prompt). Send no advance communication.
- Week 3: Analyze the results. Document the click rate by department, identify the most vulnerable groups.
- Week 4: Send a cybersecurity knowledge questionnaire (10-15 questions). Communicate the launch of the awareness program to the entire company.
Deliverable: Baseline report with initial click rate by department. This becomes your reference point for measuring all future progress.
Months 2-3: Foundational training
- Deploy the core e-learning modules for all employees:
  - Module 1: Recognizing a phishing email (5 min)
  - Module 2: Password best practices and MFA (5 min)
  - Module 3: Social engineering and CEO fraud (5 min)
  - Module 4: What to do when you receive a suspicious email (3 min)
- Schedule one module per week with automated reminders.
- Set a completion target: 90% within 3 weeks per module.
Deliverable: Documented completion rate. Average quiz scores. Identification of employees who haven't completed the modules.
Months 4-6: Regular simulations and remediation
- Launch one phishing simulation per month. Gradually increase difficulty:
  - Month 4: Generic phishing (package notification, invoice)
  - Month 5: Targeted phishing (CEO's name, reference to an internal project)
  - Month 6: Multi-vector (email + QR code)
- Enable automatic remediation: every employee who clicks receives an immediate micro-course.
- Send a monthly report to leadership.
Deliverable: Click rate progression curve over 3 months. First consolidated quarterly report.
Months 7-9: Increasing difficulty
- Introduce personalized spear phishing scenarios (using the employee's name, their department, real internal references).
- Launch a BEC (Business Email Compromise) simulation targeting finance and HR teams.
- Organize a 30-minute "phishing workshop" for the highest-risk teams (in person or via video call).
- Begin measuring the report rate in addition to the click rate.
Deliverable: Six-month progress report. Comparison with the Month 1 baseline.
Months 10-12: Consolidation and benchmarking
- Maintain the monthly simulation cadence.
- Conduct an industry benchmark: compare your KPIs to your industry averages.
- Generate the annual compliance report (NIS2, SOC2, cyber insurance).
- Set objectives for Year 2.
- Plan the renewal of e-learning modules (content must be updated regularly to address emerging threats).
Deliverable: Full annual report with 12-month progress, calculated ROI, and Year 2 action plan.
The 7 KPIs to track for measuring effectiveness
Without measurable indicators, there's no way to know if your program is working. Here are the 7 key metrics to track.
1. Click rate
The percentage of employees who click a link in a phishing simulation. This is the most visible KPI and the one that resonates most with leadership.
- Typical baseline (no training): 27-35%
- 6-month target: below 5%
- 12-month target: below 2%
2. Report rate
The percentage of employees who report a suspicious email (via a "Report Phishing" button or by forwarding to a dedicated address). This is the most important KPI: an employee who reports a threat protects the entire company.
- Typical baseline: 5-10%
- 6-month target: above 40%
- 12-month target: above 60%
3. Time to report
The average delay between receiving a simulated phishing email and reporting it. The shorter it is, the more responsive your teams are.
- Target: under 5 minutes for the first reports.
4. Training completion rate
The percentage of employees who have finished their assigned training modules. A rate below 80% signals an engagement or internal communication problem.
- Target: above 90%
5. Risk score by department
Identify the most vulnerable departments to focus your efforts. Finance, HR, and executive teams are typically the most targeted by attackers - and often the most vulnerable.
6. Repeat failure rate
The percentage of employees who fail multiple consecutive simulations. These repeat offenders need special attention: reinforced training, one-on-one meetings, or in extreme cases, access restrictions.
- Target: fewer than 5% repeat offenders after 6 months.
7. Monthly trend
The improvement (or decline) of each KPI month over month. It's the trend that matters, not the absolute value. A click rate of 8% on a steady decline is better than a click rate of 4% on the rise.
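As an added example (not code from this guide or from any platform it mentions), here is a small Python script that computes the seven KPIs above from simulation results and assembles the consolidated snapshot described in Pillar 5. The employees, departments, campaigns and report timings are constructed sample data; the click rate uses all recipients as its denominator and the time-to-report KPI is the mean delay, as defined in the list above.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample data (not real campaign results): eight employees, two
# monthly simulations, and who has finished the core e-learning modules.
EMPLOYEES = {
    "alice": "finance", "bob": "finance", "carol": "hr", "dave": "hr",
    "erin": "sales", "frank": "sales", "grace": "it", "heidi": "it",
}
# Per campaign: who clicked the link, and who reported it (seconds after delivery).
CAMPAIGNS = {
    "2025-04": {"clicked": {"alice", "bob", "carol", "frank"},
                "reported": {"erin": 600, "grace": 90}},
    "2025-05": {"clicked": {"alice"},
                "reported": {"bob": 120, "carol": 300, "dave": 180,
                             "erin": 200, "grace": 60, "heidi": 400}},
}
COMPLETED_TRAINING = {"alice", "bob", "carol", "dave", "erin", "grace", "heidi"}

def pct(part, whole):
    """Percentage rounded to one decimal; 0.0 when there is nothing to measure."""
    return round(100.0 * part / whole, 1) if whole else 0.0

def campaign_kpis(campaign, employees):
    """KPIs 1-3: click rate, report rate and mean time-to-report for one campaign."""
    delays = list(campaign["reported"].values())
    return {
        "click_rate": pct(len(campaign["clicked"]), len(employees)),
        "report_rate": pct(len(delays), len(employees)),
        "mean_report_s": mean(delays) if delays else None,
    }

def risk_by_department(campaign, employees):
    """KPI 5: click rate per department, to see where to focus effort."""
    clicks, headcount = defaultdict(int), defaultdict(int)
    for emp, dept in employees.items():
        headcount[dept] += 1
        clicks[dept] += int(emp in campaign["clicked"])
    return {d: pct(clicks[d], headcount[d]) for d in headcount}

def repeat_failure_rate(campaigns, employees):
    """KPI 6: share of employees who clicked in two consecutive campaigns."""
    months = sorted(campaigns)
    repeaters = set()
    for prev, cur in zip(months, months[1:]):
        repeaters |= campaigns[prev]["clicked"] & campaigns[cur]["clicked"]
    return pct(len(repeaters), len(employees))

def completion_rate(completed, employees):
    """KPI 4: share of staff who finished the assigned modules."""
    return pct(len(completed & set(employees)), len(employees))

def click_rate_trend(campaigns, employees):
    """KPI 7: month-over-month change in click rate (negative means improving)."""
    rates = [campaign_kpis(campaigns[m], employees)["click_rate"] for m in sorted(campaigns)]
    return [round(b - a, 1) for a, b in zip(rates, rates[1:])]

def dashboard(campaigns, employees, completed):
    """Consolidated snapshot for the latest campaign (the Pillar 5 dashboard)."""
    latest = campaigns[max(campaigns)]
    return {**campaign_kpis(latest, employees),
            "risk_by_department": risk_by_department(latest, employees),
            "repeat_failure_rate": repeat_failure_rate(campaigns, employees),
            "completion_rate": completion_rate(completed, employees),
            "click_rate_trend": click_rate_trend(campaigns, employees)}
```

With the sample data, the second campaign's click rate falls from 50% to 12.5% while the report rate rises to 75%, and one employee (alice) shows up as a repeat failure: the pattern a manager would look for before deciding who needs the targeted remediation of Pillar 4.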
Budget and ROI for cybersecurity training
How much to invest?
The cost of a cybersecurity training program varies with company size and the level of sophistication desired. Here are realistic ranges for SMBs:
| Size | Estimated annual budget | Cost per employee/month |
|---|---|---|
| 50 employees | 6,000 – 12,000 € | 10 – 20 € |
| 100 employees | 10,000 – 20,000 € | 8 – 17 € |
| 200 employees | 15,000 – 30,000 € | 6 – 13 € |
| 500 employees | 25,000 – 50,000 € | 4 – 8 € |
These budgets include: the simulation platform, training modules, program management time, and compliance reports. The larger the company, the lower the per-employee cost thanks to economies of scale.
Calculating ROI
The ROI of cybersecurity training is calculated by comparing the program cost to the cost of an avoided incident.
Simplified formula:
ROI = (Risk reduction x Average cost of an incident) / Program cost
According to IBM, the average cost of a data breach for a French SMB is 120,000 €. Industry estimates put the annual probability of a successful phishing incident for an untrained SMB at roughly 25%.
Example for an SMB with 200 employees:
- Program cost: 20,000 €/year
- Risk reduction (from 25% to 5%): 80% reduction
- Avoided cost: 25% x 120,000 € x 80% = 24,000 €
- ROI = 24,000 / 20,000 = 1.2x (120% return)
And this calculation is conservative: it doesn't factor in indirect costs (loss of customer trust, reputational damage, GDPR fines, impact on cyber insurance). For a detailed calculation tailored to your company size, see our article on the ROI of cybersecurity awareness.
The return is positive from the first year. Get started now - 14-day free trial.
The most common mistakes (and how to avoid them)
Mistake 1: The once-a-year training session
The traditional approach - a 2-hour session once a year - is the least effective method. According to cognitive psychology research, 60% of knowledge gained in a one-off training is forgotten within 6 months. Cybersecurity demands continuous training, not an annual event. To understand why e-learning modules alone fall short: Why cybersecurity e-learning is no longer enough.
Solution: Replace annual training with a continuous program: monthly micro-modules, regular simulations, and ongoing remediation.
Mistake 2: Simulations that are too easy
Basic phishing simulations (obvious spelling errors, absurd domains, amateur design) don't prepare your teams for real attacks. Cybercriminals use increasingly sophisticated techniques: lookalike domains, perfectly formatted emails, and credible contexts.
Solution: Gradually increase difficulty. Use your own sending domains. Customize scenarios with internal elements (project names, manager names). The goal is to test reflexes, not to trick people.
Mistake 3: Name and shame
Publishing the list of employees who clicked on a simulation, ridiculing them in front of colleagues, or punishing them destroys the reporting culture. A humiliated employee will never report a suspicious email again - not even a real phishing attempt.
Solution: Adopt a supportive approach. The goal is learning, not punishment. Share results in aggregate (by department), never individually. Employees who click receive training, not a reprimand.
Mistake 4: Ignoring executives
C-suite members and senior leaders are prime targets for "whaling" attacks (phishing aimed at decision-makers) and BEC (Business Email Compromise). Yet they're often the last to complete training: "I don't have time," "I know how to spot phishing."
Solution: Executives must be included in the program just like every other employee. Better yet: they should lead by example. A message from the CEO announcing that they personally completed the training has a powerful impact on company-wide engagement.
Mistake 5: No baseline
Launching a training program without measuring your starting point makes it impossible to demonstrate progress. When your leadership asks "what did this accomplish?", you'll have nothing to show.
Solution: Always start with a baseline simulation before the first training session. That initial number is your most valuable asset for justifying and steering the program.
Mistake 6: Generic content
Training modules that discuss "general cyber threats" with American examples in English don't engage French employees. Content needs to be contextualized: French examples, French regulatory references (NIS2, GDPR, ANSSI), the French language, and scenarios adapted to the company's industry.
Solution: Choose platforms that offer French-language content adaptable to your business context. An accountant doesn't face the same threats as a sales representative - scenarios should reflect that reality. For a full guide on setting up simulations, see our guide to phishing simulation for businesses.
Do these mistakes sound familiar? Run a free diagnostic - first campaign in 15 minutes.
Frequently asked questions
How often should you run phishing simulations?
The optimal frequency is one simulation per month. This is the cadence recommended by ANSSI and backed by academic research. Less than once per quarter is not enough to build lasting reflexes. More than once per week creates fatigue and distrust toward all emails. The monthly cadence strikes the best balance between effectiveness and acceptability.
Is cybersecurity training legally required?
In France, the answer is yes for many companies. The NIS2 directive explicitly mandates it for essential and important entities (which includes many SMBs in healthcare, energy, transport, finance, digital services, and public administration). The GDPR implicitly requires it as an organizational measure. And regardless of the law, most cyber insurers make it a condition of coverage.
How do you engage employees who don't take it seriously?
The most effective levers: gamification (team leaderboards, badges, challenges), leadership involvement (the CEO communicates the importance of the program), and relevance (realistic, contextualized scenarios that show the threat is real). Avoid punishment: it breeds rejection, not engagement.
Should executives receive different training than other employees?
Yes. Executives face specific threats (whaling, BEC, advanced social engineering) and have elevated access privileges. They need dedicated modules on these threats, in addition to the general training program. Moreover, simulations targeting them should be at a higher difficulty level.
How long should a training session last?
3 to 5 minutes for remediation micro-modules, 5 to 10 minutes for standard e-learning modules. E-learning completion rates drop off sharply beyond 10 minutes (LMS platform data). A short, repeated module builds stronger retention than a single long session.
How to choose between in-house training and a SaaS platform?
For an SMB with 50 to 500 employees, a SaaS platform is almost always the better choice. Building a program in-house requires: a dedicated cybersecurity expert, content creation skills, a simulation sending infrastructure, a reporting tool, and ongoing scenario maintenance. The total cost far exceeds that of a specialized platform, usually for an inferior result. A SaaS platform like nophi.sh provides all these elements out of the box, with the advantage of being constantly updated with the latest threats.
Conclusion: 5 pillars, one goal
Training your employees on cybersecurity is a continuous process that relies on five complementary levers:
- Assess your starting point with a baseline simulation
- Train with short, engaging modules
- Simulate every month with scenarios of increasing difficulty
- Remediate automatically and with precision
- Measure every KPI and report to your leadership
The good news: with the right tools, this program can be set up in a few hours and then runs largely on autopilot. The most important thing is to start - even imperfectly. Every simulation launched, every module completed, every report filed strengthens your company's security posture.
Ready to take action? Launch your first simulation in 15 minutes - simulation, micro-learning, and remediation included.