
Why One-Off Security Training Fails: The Case for Continuous Cyber Awareness

Peter Nelson · 5 min read

Why one-off training fails. Discover the benefits of a continuous cyber security awareness program for your Melbourne workforce.

Annual cyber security training is the most widely implemented security awareness programme in Australian SMBs — and among the least effective. Staff sit through a 45-minute presentation, complete a quiz, and forget 80% within a month. The training box gets ticked; actual human risk barely changes.

This is not a critique of the intent — security awareness training matters. It is a critique of a delivery model that fails to account for how humans actually learn and retain information.

Here is what the evidence says about effective security awareness, and what a continuous programme looks like for a Melbourne SMB.


Why Annual Training Does Not Work

The Forgetting Curve

Hermann Ebbinghaus’ forgetting curve — established research from the 1880s, validated repeatedly since — shows that humans forget approximately 50% of new information within a day, 70% within a week, and 90% within a month if the information is not reinforced.

A staff member who completes annual cyber security training retains meaningful awareness for approximately one month. For eleven months of the year, their security awareness is approximately baseline.

Threat Landscape Changes Faster Than Annual Cycles

Cyber threats evolve continuously. The phishing techniques used in 2026 (AI-generated content, QR code quishing, deepfake video) were not present or prominent three years ago. Annual training based on a static curriculum taught eighteen months ago is irrelevant to the current threat.

Context Mismatch

Annual training typically covers general security principles. Staff who encounter a real phishing email, a suspicious call, or an unusual payment request in their specific working context do not naturally connect the general principles from training to the specific situation in front of them.

Training that is contextualised to specific job roles (finance staff learn about payment fraud; IT staff learn about social engineering; management learns about CEO fraud) performs significantly better than general-audience training.


The Continuous Security Awareness Model

A continuous programme replaces the annual event with regular, brief, contextualised touchpoints throughout the year.

Monthly Micro-Training (5-10 Minutes)

Short, focused training modules — one topic per month, delivered via email, LMS, or video — covering current, relevant threats. Topics:

  • January: Phishing techniques for the year ahead (what attackers are doing now)
  • February: Business email compromise and payment fraud
  • March: Password hygiene and password manager use
  • April: AI-generated scams and voice cloning
  • May: Social engineering and pretexting
  • June: Physical security and tailgating
  • July: Remote work security
  • August: QR code quishing
  • September: Incident reporting (what to do when something seems wrong)
  • October: Cyber Security Awareness Month special (annual deeper dive)
  • November: Holiday season scams
  • December: Year-end security reminders

Five to ten minutes per month produces better retention than 45 minutes annually.

Simulated Phishing Exercises

Simulated phishing — controlled phishing emails sent to staff to test their responses — provides a real-world measurement of security awareness and creates a teachable moment when a simulated click occurs.

How it works: Your IT provider or security awareness platform sends a realistic phishing simulation. Staff who click the link are immediately redirected to a short training module rather than a real threat. The click rate is tracked over time; a falling click rate indicates improving awareness.

Best practice: Run simulations monthly or quarterly. Vary the phishing scenario type — credential harvesting, attachment opens, QR codes. Do not use simulations as punitive exercises; use them as measurement and teaching tools.

Just-in-Time Training

When a staff member encounters a real security event — they report a suspicious email, they are targeted by a scam call, they witness an unusual IT situation — provide immediate, contextually relevant guidance. The learning retention from just-in-time training (you just experienced this, here is what it means) significantly exceeds scheduled training.


Measuring Security Awareness Effectiveness

A continuous programme should be measurable. Key metrics:

Simulated phishing click rate: The percentage of staff who click simulated phishing links. An industry benchmark is 30-40% before training; a well-trained workforce should bring this down to 5-10% or below. Track this quarterly.

Incident reporting rate: Staff who report suspicious emails, calls, and events — rather than ignoring them or just deleting — indicate active security awareness. Track reports per month.

Training completion rate: For assigned micro-training modules, what percentage of staff complete them within the assigned timeframe? Low completion indicates the training is not reaching staff.

Assessment scores: Where training includes knowledge assessments, track scores by department to identify areas needing more focus.
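As an added example (not code from the original post or from any platform named here), the four metrics above computed over a constructed campaign export; the record layout, department names and the 14-day completion deadline are assumptions, and the click-rate bands use the benchmarks quoted above.

```python
from collections import defaultdict

# Constructed sample data (not real campaign results): one recipient per row.
# completed_days = days taken to finish the assigned micro-training (None = not done).
RECIPIENTS = [
    {"dept": "finance", "clicked": True,  "reported": False, "completed_days": 3,    "score": 60},
    {"dept": "finance", "clicked": False, "reported": True,  "completed_days": 5,    "score": 90},
    {"dept": "finance", "clicked": False, "reported": False, "completed_days": None, "score": None},
    {"dept": "it",      "clicked": False, "reported": True,  "completed_days": 1,    "score": 95},
    {"dept": "it",      "clicked": False, "reported": True,  "completed_days": 20,   "score": 85},
    {"dept": "mgmt",    "clicked": True,  "reported": False, "completed_days": 10,   "score": 70},
    {"dept": "mgmt",    "clicked": False, "reported": False, "completed_days": None, "score": None},
    {"dept": "sales",   "clicked": False, "reported": True,  "completed_days": 7,    "score": 80},
    {"dept": "sales",   "clicked": False, "reported": False, "completed_days": 2,    "score": 75},
    {"dept": "sales",   "clicked": True,  "reported": True,  "completed_days": 4,    "score": 65},
]

def click_rate(rows):
    """Share of recipients who clicked the simulated link."""
    return sum(r["clicked"] for r in rows) / len(rows)

def reporting_rate(rows):
    """Share of recipients who reported the email (a clicker who then reports still counts)."""
    return sum(r["reported"] for r in rows) / len(rows)

def completion_rate(rows, deadline_days=14):
    """Share who finished the assigned module within the deadline (assumed 14 days)."""
    done = [r for r in rows if r["completed_days"] is not None and r["completed_days"] <= deadline_days]
    return len(done) / len(rows)

def scores_by_department(rows):
    """Mean assessment score per department, ignoring staff with no score."""
    scores = defaultdict(list)
    for r in rows:
        if r["score"] is not None:
            scores[r["dept"]].append(r["score"])
    return {d: sum(s) / len(s) for d, s in scores.items()}

def click_rate_band(rate):
    """Place a click rate against the benchmarks quoted above (30-40% untrained, 5-10% target)."""
    if rate <= 0.10:
        return "target"
    if rate >= 0.30:
        return "baseline"
    return "improving"

def by_department(rows, metric):
    """Apply any of the rate functions per department to find where focus is needed."""
    groups = defaultdict(list)
    for r in rows:
        groups[r["dept"]].append(r)
    return {d: metric(g) for d, g in groups.items()}
```

Run the same functions over each quarter's export and compare `click_rate_band` results across quarters to see whether the programme is actually moving the workforce from baseline to target.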


KnowBe4: The market leader for security awareness training platforms. Extensive phishing simulation library, good LMS, automated campaigns. Pricing starts at approximately $20/user/year.

Proofpoint Security Awareness: Strong phishing simulation capability with threat intelligence integration. Good for Microsoft 365 environments.

Cofense: Focuses heavily on phishing simulation and incident reporting integration. Good for organisations wanting to build an internal phishing reporting culture.

Microsoft Defender for Office 365 (Attack Simulator): For M365 Business Premium customers, the Attack Simulator is included at no additional cost. Less feature-rich than dedicated platforms but provides functional phishing simulation without additional cost.


CX IT Services implements and manages continuous security awareness programmes for Melbourne businesses. Book a Right Fit Call to discuss replacing your annual security training event with a programme that actually changes staff behaviour.
