When I first evaluated our security posture, I noticed that there was nothing in place. Sure, we had a firewall trying to do its job and protect the organization from the outside world.

But what about our staff?

We realized immediately that we needed to reduce human risk.

The Problem

At the time, cyber security was something in the back of everyone's mind (and it stayed there). There was no cyber security audit, no phishing simulations, no training.

We were vulnerable.

The Strategy

We wanted to see where we stood in terms of phishing risk, so we sent out a simulated phishing attempt to establish a baseline. The result?

Failure rate: 55%+

That gave us a starting point and a report showing that we needed a system in place for continuous security training.

So, we implemented a structured security awareness program using KnowBe4.

But tooling alone doesn’t fix risk.

Instead of keeping results inside IT, we built reporting dashboards and gave leadership full transparency.

Security became a measurable operational metric — not just an IT concern.

Leadership explicitly approved continuing simulations and remediation.

Simulated Phishing Attacks and Automated Remediation

We started running continuous, randomized simulated phishing attacks, and anyone who failed a simulation was automatically enrolled in targeted training. Not hour-long videos, but short, focused modules relevant to what they clicked and what to watch out for next time.

Improved Reporting with a Phish Alert Button (PAB)

Thanks to the simulations and training, our users went from clicking random links to opening a support ticket asking "is this legit?" That is progress, but a support ticket is not an ideal reporting workflow. So we implemented the Phish Alert Button (PAB), which lets users report suspicious emails directly from their inbox.

A lot of people stopped ignoring suspicious emails and started reporting them.
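The two mechanisms above (automatic enrollment after a failed simulation, and reporting through the PAB) are easy to reason about as a small pipeline over campaign results. The following is an added example, not the author's code and not a KnowBe4 API: it runs over constructed records in the shape a simulation export might take (campaign, user, lure type, clicked, reported), computes the failure rate and the report rate per campaign, maps each failure to a targeted module, and flags users who failed in more than one campaign. The record shape, the lure-to-module mapping and the repeat-offender threshold are assumptions for illustration.

```python
"""Simulation results -> per-campaign metrics, automated remediation, repeat offenders.

Added example, not the author's code or a vendor API. Record shape,
MODULES mapping and REPEAT_THRESHOLD are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Result:
    campaign: str   # campaign identifier
    user: str       # recipient
    lure: str       # what the lure imitated, e.g. "invoice", "password_reset"
    clicked: bool   # followed the link / opened the attachment (a failure)
    reported: bool  # reported the message, e.g. via a Phish Alert Button


# Assumed mapping from lure type to a short, targeted training module.
MODULES = {
    "invoice": "vendor-invoice-fraud",
    "password_reset": "credential-phishing",
    "shared_document": "cloud-share-lures",
}
DEFAULT_MODULE = "phishing-basics"
REPEAT_THRESHOLD = 2  # failures in distinct campaigns before a user is flagged

# Constructed sample data: one baseline campaign and two randomized follow-ups.
RESULTS = [
    Result("2024-Q1-baseline", "alice", "invoice", True, False),
    Result("2024-Q1-baseline", "bob", "invoice", True, False),
    Result("2024-Q1-baseline", "carol", "invoice", False, False),
    Result("2024-Q1-baseline", "dave", "invoice", True, False),
    Result("2024-Q2-random", "alice", "password_reset", True, False),
    Result("2024-Q2-random", "bob", "password_reset", False, True),
    Result("2024-Q2-random", "carol", "password_reset", False, True),
    Result("2024-Q2-random", "dave", "password_reset", False, False),
    Result("2024-Q3-random", "alice", "shared_document", False, True),
    Result("2024-Q3-random", "bob", "shared_document", False, True),
    Result("2024-Q3-random", "carol", "shared_document", False, True),
    Result("2024-Q3-random", "dave", "shared_document", True, False),
]


def campaign_metrics(results):
    """Per-campaign counts plus failure rate and report rate in percent."""
    by_campaign = defaultdict(list)
    for r in results:
        by_campaign[r.campaign].append(r)
    metrics = {}
    for campaign, rows in by_campaign.items():
        sent = len(rows)
        failed = sum(r.clicked for r in rows)
        reported = sum(r.reported for r in rows)
        metrics[campaign] = {
            "sent": sent,
            "failure_rate": round(100.0 * failed / sent, 1),
            "report_rate": round(100.0 * reported / sent, 1),
        }
    return metrics


def remediation_enrollments(results):
    """One (campaign, user, module) enrollment per failure, keyed to the lure clicked."""
    return [
        (r.campaign, r.user, MODULES.get(r.lure, DEFAULT_MODULE))
        for r in results
        if r.clicked
    ]


def repeat_offenders(results, threshold=REPEAT_THRESHOLD):
    """Users who failed in at least `threshold` distinct campaigns -> failure count."""
    failed_campaigns = defaultdict(set)
    for r in results:
        if r.clicked:
            failed_campaigns[r.user].add(r.campaign)
    return {
        user: len(campaigns)
        for user, campaigns in sorted(failed_campaigns.items())
        if len(campaigns) >= threshold
    }


if __name__ == "__main__":
    for campaign, m in campaign_metrics(RESULTS).items():
        print(f"{campaign}: sent={m['sent']} failure={m['failure_rate']}% "
              f"reported={m['report_rate']}%")
    for campaign, user, module in remediation_enrollments(RESULTS):
        print(f"enroll {user} in {module} (failed {campaign})")
    print("repeat offenders:", repeat_offenders(RESULTS))
```

Tracking the report rate next to the failure rate matters: a campaign where most recipients ignore the lure and a campaign where most recipients report it can show the same failure rate, and only the second is the behaviour the PAB was meant to produce. Keying the module to the lure type is what keeps the remediation short and relevant rather than a generic hour of video.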

The Results

Since implementation, the failure rate has dropped from 55%+ and stabilized at around 3-5%.

It's worth noting, however, that 5% today is not the same as 5% in the early campaigns.

Increased Simulation Sophistication

We are far removed from the "Nigerian prince" scams. Now, phishing emails are clean. Polished. Grammatically correct. Written with ChatGPT, Gemini or whatever the latest and greatest AI model is. They're indistinguishable from legitimate vendor emails.

As real-world phishing improved, we had to adjust our simulations accordingly.

Better grammar.
Better branding.
More realistic lures.

We weren’t testing for obvious scams. We were testing real risk.

The Reality

Phishing as a global threat has evolved. Emails are cleaner, better written and more convincing than ever.

In fact, as we increased simulation quality, failure rates ticked slightly upward (from around 3% to around 5%). That uptick reflects harder tests, not a regression in awareness, which is why the rate has to be read alongside the difficulty of the lures behind it.

Security awareness is not a one-time fix. It’s continuous testing and training.

What Actually Reduced Risk

  • Baseline measurement
  • Leadership buy-in
  • Transparent reporting
  • Automated remediation
  • Easy reporting workflows
  • Ongoing iteration

Security awareness became part of culture — not a checkbox.

What This Changed

  • Staff now regularly report suspicious emails.
  • Conversations about security are proactive.
  • Leadership understands risk in measurable terms.
  • Repeat offenders are visible and can be handled appropriately.
  • IT is no longer the only line of defense.

And most importantly:

We reduced the likelihood of a real-world breach caused by phishing.

Final Thought

Security awareness isn’t about catching people.

It’s about designing systems to help people succeed. But none of it works without leadership buy-in. Security isn't just an IT initiative, it's an organizational commitment.