
Security awareness training: why technology alone is not enough

One in three employees clicks on a phishing link without training. Find out how an awareness program protects your business and what NIS2 mandates.
Three colleagues look intently at a laptop screen in a bright office space, illustrating how a team learns to recognize digital threats through security awareness training.

Your firewall is up to date, antivirus software is running and backups are configured. Yet an employee clicks on a phishing email and your business suddenly grinds to a halt. Recognizable? In this article, you’ll learn why security awareness training is an indispensable part of your cybersecurity policy, how to set up an effective program, and why the Belgian NIS2 law even mandates it.

Why technology alone won’t protect your business

The Verizon Data Breach Investigations Report 2025 is clear: human factors played a role in about 60% of all data breaches investigated. Think of employees clicking on phishing links, using weak passwords or accidentally sharing sensitive information. Technology can catch a lot, but not everything.

The VLAIO Cybersecurity Barometer 2024 confirms this picture for Flemish companies. 42.8% of surveyed companies cite insufficient training and awareness among staff as their biggest cyber risk. At the same time, only 43% of Flemish companies offer awareness activities to their employees. This gap between the recognized risk and the measures taken is strikingly large.

On top of that, attackers are not sitting still. According to the Eye Security Incident Response Report 2026, Business Email Compromise (BEC) accounts for 70% of all cyber incidents in the Benelux. In 41% of those incidents, phishing was the initial access vector. CrowdStrike also reports a 442% increase in voice phishing (vishing) in the second half of 2024. AI is making these attacks increasingly convincing and harder to spot with technology alone.

What exactly is security awareness training?

Security awareness training is a structured program that teaches employees to recognize cyber threats, respond correctly and work safely. It goes beyond a one-time presentation on phishing. An effective program combines several forms:

Basic cybersecurity training. An annual session that covers the fundamentals: password management, secure working from home, handling confidential data and incident reporting procedures.

Phishing simulations. Simulated phishing attacks sent regularly (monthly) to test employee alertness. This is a specific part of the broader program. In a separate article, we explain how phishing simulations work and what they accomplish.

Microlearning. Short training modules of up to five minutes spread throughout the year. Topics range from recognizing different types of phishing to handling USB sticks and QR codes safely.

Security coaching. Individual counseling after an incident or failed simulation. Not as punishment, but as a learning opportunity.

The difference from one-time training? Repetition. ISACA research shows that knowledge declines significantly after four to six months. One-time compliance training hardly changes behavior, while ongoing programs with regular contact moments do have a lasting effect.

How effective is an awareness program? The numbers

The benchmark data from KnowBe4 (2025) speak for themselves. The company analyzed 67.7 million simulated phishing tests at 62,400 organizations worldwide and came up with the following results:

Measuring point                         | Percent
----------------------------------------|--------
Click rate before training (baseline)   | 33.1%
Click rate after 90 days of training    | ~19.9%
Click rate after 12 months of training  | 4.1%
Total reduction                         | 86%

So one in three employees clicks on a simulated phishing link when they have not yet received training. After 12 months of consistent training, that drops to 4%.

Proofpoint confirms this trend: among organizations that actively train, the average failure rate is 4.93%. The average reporting rate (employees reporting suspicious emails rather than clicking on them) is 18.65%. That reporting behavior is at least as important as non-clicking, because it allows your IT team to detect attacks early.

One important nuance, though: a meta-analysis by Leiden University (2024) shows that awareness training has a strong effect on knowledge and attitude (d = 1.02), but a more limited effect on actual behavior (d = 0.36). The conclusion? Training works, but only if you combine it with regular repetition and technical measures. Knowledge alone does not change behavior. Frequent nudges (such as monthly phishing simulations) are the mechanism that drives behavior change.

The five building blocks of an effective security awareness program

1. Start with a baseline measurement

Run an initial phishing simulation to measure your organization’s current risk level. This baseline figure is your starting point and makes later progress measurable.

2. Organize regular, short training sessions

Choose microlearning: modules of three to five minutes, monthly or quarterly. Short, frequent sessions are more effective than an annual marathon. Alternate topics: phishing, password hygiene, social engineering, working safely from home, recognizing different phishing variants.

3. Simulate attacks regularly

Send simulated phishing emails monthly, possibly supplemented by vishing tests or USB baiting. Vary the difficulty and attack type. Those who click immediately see a learning page. Those who report get positive feedback.

4. Choose positive reinforcement

Don’t punish employees for mistakes. Reward correct behavior: those who report a suspicious email deserve recognition. Research by ETH Zurich (2024) shows that punishing the most vulnerable employees actually does not help, while a positive culture of “asking questions is allowed” structurally improves reporting behavior.

5. Measure and report

Track these KPIs:

KPI                            | Benchmark          | Target after 12 months
-------------------------------|--------------------|-----------------------
Phishing click rate            | 33% (baseline)     | Below 5%
Report rate                    | ~18% (on average)  | Above 50%
Training participation         |                    | Above 90%
Response time to notification  |                    | Declining trend

Report quarterly results to management. This makes progress visible and substantiates investment.
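As an added example (not from the original article), a small Python KPI tracker that turns per-recipient simulation outcomes into the click rate, report rate and participation figures from the table above and flags which 12-month targets are still missed. The campaign data is constructed, and the rule that a recipient who clicks and then reports counts in both rates is an assumption.

```python
"""KPI tracker for a phishing-simulation programme (constructed example)."""
from collections import defaultdict

# Constructed sample data: one tuple per recipient per campaign.
# Fields: campaign, recipient, clicked, reported. A recipient who clicks
# and then reports counts in both rates (assumption): the click is still
# a failure, but the report still gives the IT team its early warning.
RESULTS = [
    ("2025-01", "ann", True, False), ("2025-01", "bob", True, False),
    ("2025-01", "cas", False, False), ("2025-01", "dee", False, True),
    ("2025-01", "eli", True, True), ("2025-01", "fay", False, False),
    ("2025-07", "ann", False, True), ("2025-07", "bob", True, True),
    ("2025-07", "cas", False, True), ("2025-07", "dee", False, True),
    ("2025-07", "eli", False, False), ("2025-07", "fay", False, True),
]
# Constructed: who completed the microlearning module in each period.
TRAINING_DONE = {"2025-01": {"ann", "bob", "cas"},
                 "2025-07": {"ann", "bob", "cas", "dee", "eli", "fay"}}
# Targets after 12 months, taken from the KPI table in the article.
TARGETS = {"click_rate": 5.0, "report_rate": 50.0, "participation": 90.0}


def campaign_kpis(results, training_done):
    """Return {campaign: {click_rate, report_rate, participation}} in percent."""
    sent, clicked, reported = defaultdict(int), defaultdict(int), defaultdict(int)
    users = defaultdict(set)
    for campaign, user, did_click, did_report in results:
        sent[campaign] += 1
        clicked[campaign] += did_click      # bool adds as 0 or 1
        reported[campaign] += did_report
        users[campaign].add(user)
    kpis = {}
    for c in sorted(sent):
        trained = len(training_done.get(c, set()) & users[c])
        kpis[c] = {"click_rate": round(100 * clicked[c] / sent[c], 1),
                   "report_rate": round(100 * reported[c] / sent[c], 1),
                   "participation": round(100 * trained / len(users[c]), 1)}
    return kpis


def reduction_from_baseline(kpis):
    """Percent reduction in click rate between the first and latest campaign."""
    base, latest = kpis[min(kpis)]["click_rate"], kpis[max(kpis)]["click_rate"]
    return 0.0 if base == 0 else round(100 * (base - latest) / base, 1)


def missed_targets(kpis, targets=TARGETS):
    """KPIs of the latest campaign that still miss the 12-month targets."""
    latest = kpis[max(kpis)]
    # The click rate must fall below its target; the others must rise above.
    return sorted(k for k, v in latest.items()
                  if (v > targets[k] if k == "click_rate" else v < targets[k]))
```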

NIS2 mandatory security awareness training

Since Oct. 18, 2024, the Belgian NIS2 law has been in effect. This law imposes on essential and important entities obligations that relate directly to security awareness.

Article 30 §3(7) mandates “basic cyber hygiene practices and cyber security training” as a minimum measure. This is not a recommendation, but a legal requirement.

Article 31 goes one step further: members of the governing body must personally undergo cybersecurity training. They must have sufficient knowledge to identify risks and assess security measures. In addition, they must encourage their employees to take the same training.

In case of non-compliance, Article 61 provides for personal liability for directors. This makes security awareness training no longer a matter of “nice to have,” but of board responsibility. Does your company fall under NIS2? Then it is required by law. Are you not covered by it? Then it’s still the smartest investment you can make.

Want to know how the CyberFundamentals framework fits into this? Then read our article on CyberFundamentals as the Belgian answer to NIS2.

What does an awareness program cost and what does it provide?

The investment for a medium-sized SME (50-250 employees) is between €5,000 and €12,000 per year for a full platform with phishing simulations, microlearning and reporting.

Compare that to the cost of an incident. According to the IBM Cost of a Data Breach Report 2025, the average cost of a data breach in the Benelux is $6.24 million (about €5.8 million). Even for a Belgian SME, the cost of a cyber incident quickly runs to €50,000 to €350,000, due to downtime, recovery costs, lost revenue and reputational damage.

A Forrester TEI study calculated an ROI of 276% over three years for organizations that invest in security awareness training. The payback period? Less than three months.

VLAIO grants lower the threshold. Security awareness training is subsidizable through the VLAIO Cybersecurity Improvement Program (50% subsidy) and the SME portfolio (45% for small enterprises, 35% for medium-sized). An investment of €10,000 costs only €5,500 to €6,500 after subsidy.

Start today: your next step

Security awareness training is not a one-time project, but an ongoing program that transforms your employees from vulnerable link to first line of defense. The combination of regular training, phishing simulations and a positive reporting culture produces measurable results.

Want to know how alert your employees are? A cybersecurity audit will map your entire security level, including the human factor. Or start immediately with a phishing simulation as a baseline measurement.

Schedule a no-obligation consultation and discover how Cyberplan makes your team structurally resilient.

Frequently asked questions about security awareness training

What is security awareness training?

Security awareness training is an ongoing program that teaches employees to recognize, correctly report and avoid cyber threats such as phishing, social engineering and insecure password use. It combines basic training, microlearning and simulated attacks.

How much does a security awareness program cost?

For a medium-sized SME (50-250 employees), the cost is between €5,000 and €12,000 per year. Through the VLAIO SME Portfolio, you will receive up to 45% subsidy on cybersecurity consulting services, significantly reducing the net investment.

Is security awareness training mandatory under NIS2?

Yes. The Belgian NIS2 law (Articles 30 and 31) requires essential and important entities to implement cybersecurity practices and training. Directors must personally undergo cybersecurity training and will be held liable for non-compliance.

How effective is security awareness training?

Research by KnowBe4 (2025, 67.7 million simulations) shows that the average click rate on phishing links drops from 33% to 4% after 12 months of structural training. That’s an 86% reduction.

How often should you conduct security awareness training?

The optimal approach combines annual basic training with quarterly microlearning modules and monthly phishing simulations. Research shows that knowledge declines significantly after four to six months without repetition.

What is the difference between awareness training and a phishing simulation?

A phishing simulation is a specific testing tool that measures how employees react to fake phishing emails. Security awareness training is the broader program of which phishing simulations are just one component, in addition to basic training, microlearning and security coaching.