Required under more compliance frameworks than almost any other control — and one of the only ones where you can watch the numbers improve in real time.
Security awareness training sits at an unusual intersection: it’s a compliance checkbox that also happens to be genuinely effective. Most compliance controls reduce risk in ways that are hard to measure directly. Training is different. You run a phishing simulation, record the click rate, run the training, simulate again, and watch the number drop. The feedback loop is short, the improvement is visible, and the compliance documentation writes itself.
That combination — required and measurable — makes it one of the highest-value things a small business can implement.
HIPAA requires covered entities to provide security awareness training to all members of their workforce, including management, and to implement procedures for guarding against, detecting, and reporting malicious software. It’s an addressable implementation specification — meaning it’s required unless you can document a specific reason it doesn’t apply, which essentially means it’s required.
GLBA Safeguards Rule requires financial institutions to train and test their personnel on their information security program. The 2023 updates made this more specific — training isn’t just recommended, it’s part of the required program.
PCI-DSS requires security awareness training at hire and at least annually, plus ongoing awareness to ensure personnel know about evolving threats including phishing.
SOC 2 auditors look for documented training programs with evidence of completion as part of the Common Criteria around logical access and risk management.
CMMC / NIST 800-171 includes security awareness training as an explicit control requirement for organizations handling controlled unclassified information.
If your training program consists of an annual PDF that employees click through and forget, you have a documentation problem — and a security problem.
The data on this is remarkably consistent: phishing is the initial access vector in the majority of ransomware attacks, business email compromise incidents, and data breaches affecting small and mid-sized businesses. The average click rate on phishing simulations for organizations without a training program runs between 30% and 40%. After a structured training program, that number typically falls to single digits within 12 months. That’s not a marginal improvement — it’s a fundamental change in the organization’s susceptibility to the most common attack vector.
Our article on how to spot a phishing email in under 10 seconds covers the specific red flags — a useful reference for your team.
Baseline phishing simulation. Before any training, run a simulated phishing campaign to establish where your organization actually stands. The baseline click rate is both a compliance data point and a starting benchmark for measuring improvement.
Role-appropriate training content. A medical practice manager handling PHI has different risks than a front desk coordinator. A financial advisor with client account access has different exposures than an office administrator. Training should reflect actual job roles and risks.
Regular simulation cadence. Monthly or quarterly simulated phishing campaigns — varying the templates, pretexts, and delivery — keep the training relevant and catch people whose vigilance has lapsed. Annual training alone doesn’t sustain behavior change.
Immediate feedback loops. When an employee clicks a simulated phishing link, they should receive immediate, non-punitive education in the moment — not a report to their manager two weeks later. Real-time feedback is substantially more effective for behavior change.
Documented completion records. For HIPAA, GLBA, PCI-DSS, and SOC 2, you need evidence that training happened: names, dates, completion rates, and simulation results — stored and retrievable for audit purposes.
Updated content. Threat actors update their tactics constantly. Training content from two years ago may miss AI-generated spear phishing, QR code attacks, voice phishing (vishing), and SMS-based attacks (smishing) that weren’t common threats when many legacy training programs were built.
A well-run training program generates exactly the kind of evidence auditors look for: baseline phishing simulation results with dates and click rates, training completion records by employee and date, post-training simulation results demonstrating improvement, ongoing simulation logs showing regular cadence, policy acknowledgment records, and incident reports for anyone who clicked and what follow-up occurred.
This documentation package answers the two questions every examiner or auditor asks: “Do you train your employees?” and “How do you know it’s working?”
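The program components above (baseline simulation, regular cadence, follow-up for clickers, completion records) and the evidence package an auditor wants can be produced from the same two sets of records. The script below is an added illustration, not code from the original article or from any training platform it refers to: it takes constructed simulation and training-completion records (employee names, dates and outcomes are all made up) and computes the baseline-versus-latest click rate, completion coverage, repeat clickers who need follow-up, and whether a quarterly cadence was kept.

```python
"""Evidence metrics for a phishing-simulation and awareness-training program.

Added example, not code from the original article: it turns simulation and
training-completion records into the numbers an auditor asks for (baseline
versus latest click rate, completion coverage, who needs follow-up, and
whether the simulation cadence was kept). All records below are constructed
sample data, not real results.
"""
from collections import defaultdict
from datetime import date

# Constructed simulation records: (campaign date, employee, outcome).
# outcome is "ignored", "clicked" or "reported" (reported = forwarded to IT/security).
SIMULATIONS = [
    # Baseline campaign, run before any training
    ("2024-01-15", "alice", "clicked"), ("2024-01-15", "bob", "clicked"),
    ("2024-01-15", "carol", "ignored"), ("2024-01-15", "dave", "clicked"),
    ("2024-01-15", "erin", "ignored"), ("2024-01-15", "frank", "ignored"),
    # Quarterly follow-up campaigns after training
    ("2024-04-10", "alice", "reported"), ("2024-04-10", "bob", "clicked"),
    ("2024-04-10", "carol", "ignored"), ("2024-04-10", "dave", "reported"),
    ("2024-04-10", "erin", "ignored"), ("2024-04-10", "frank", "ignored"),
    ("2024-07-08", "alice", "reported"), ("2024-07-08", "bob", "clicked"),
    ("2024-07-08", "carol", "reported"), ("2024-07-08", "dave", "ignored"),
    ("2024-07-08", "erin", "reported"), ("2024-07-08", "frank", "ignored"),
]

# Constructed training-completion records: (employee, completion date).
# frank has no record, which is exactly the gap an auditor will flag.
TRAINING = [
    ("alice", "2024-02-01"), ("bob", "2024-02-03"), ("carol", "2024-02-01"),
    ("dave", "2024-02-05"), ("erin", "2024-02-02"),
]
ROSTER = ["alice", "bob", "carol", "dave", "erin", "frank"]


def campaigns(records=SIMULATIONS):
    """Group records by campaign date, oldest first."""
    by_date = defaultdict(list)
    for day, who, outcome in records:
        by_date[date.fromisoformat(day)].append((who, outcome))
    return dict(sorted(by_date.items()))


def click_rate(results):
    """Fraction of delivered simulated emails whose link was clicked."""
    if not results:
        return 0.0
    return sum(1 for _, o in results if o == "clicked") / len(results)


def report_rate(results):
    """Fraction of recipients who reported the email: the behaviour training aims for."""
    if not results:
        return 0.0
    return sum(1 for _, o in results if o == "reported") / len(results)


def missing_training(roster=ROSTER, training=TRAINING):
    """Employees on the roster with no completion record (a compliance gap)."""
    return sorted(set(roster) - {who for who, _ in training})


def repeat_clickers(records=SIMULATIONS, threshold=2):
    """Employees who clicked in `threshold` or more campaigns: follow-up candidates."""
    counts = defaultdict(int)
    for _, who, outcome in records:
        if outcome == "clicked":
            counts[who] += 1
    return sorted(who for who, n in counts.items() if n >= threshold)


def cadence_kept(records=SIMULATIONS, max_gap_days=92):
    """True if no gap between consecutive campaigns exceeds max_gap_days
    (92 days covers a quarterly cadence with a little slack)."""
    dates = list(campaigns(records))
    return all((b - a).days <= max_gap_days for a, b in zip(dates, dates[1:]))


def evidence_summary(records=SIMULATIONS, roster=ROSTER, training=TRAINING):
    """The audit package: baseline vs latest results, coverage, follow-ups, cadence."""
    runs = list(campaigns(records).values())
    if not runs:
        raise ValueError("no simulation records")
    baseline, latest = runs[0], runs[-1]
    gaps = missing_training(roster, training)
    return {
        "campaigns": len(runs),
        "baseline_click_rate": click_rate(baseline),
        "latest_click_rate": click_rate(latest),
        "latest_report_rate": report_rate(latest),
        "completion_rate": (len(roster) - len(gaps)) / len(roster),
        "missing_training": gaps,
        "repeat_clickers": repeat_clickers(records),
        "cadence_kept": cadence_kept(records),
    }


if __name__ == "__main__":
    for key, value in evidence_summary().items():
        print(f"{key}: {value}")
```

On the constructed data the summary shows the baseline click rate at 50% falling to one in six by the third campaign, one employee with no training record, one repeat clicker who should get immediate follow-up, and a cadence that stayed within a quarter. An export from a real simulation platform in the same three-column shape would feed the same functions, and the resulting dictionary is the material that answers both auditor questions.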
Training reduces the likelihood of a successful phishing attack — but it doesn’t eliminate it. The employees who click despite training are caught by EDR on their endpoint, by email filtering that catches malicious links, by MFA that prevents credential theft from resulting in account takeover, and by monitoring that detects anomalous behavior after the fact. Training is the human layer. It works alongside the technical layers — not instead of them.
To see what this combination produces in practice, see our compliance case study: from 34% click rate to audit-ready. For the broader compliance framework, see Can you help us meet compliance requirements like HIPAA, PCI, and SOC 2?